11

After an investigation on their part, the bank simply states that if someone accessed my accounts via internet banking, (and a simswap) I was the one who didn't secure my login and password info.

I do not have it written down anywhere and didn't click on any suspicious links on any emails that might have been spammed at me. The only way I noticed something was wrong is because of my cellphone, (which never left my side) suddenly giving me a sim error. I contacted my service provider immediately and they apologized grumpily and corrected the error. Knowing the risks, I immediately contacted my bank. this all happened in the space of one hour, but by them it was too late.

Now the bank says it had to have been me, because they don't have my login and password info. My phone is used for verification when I add or change a beneficiary, which is why they needed it to get the money out, but my login and password wasn't on the phone so even if they did do the swap, how did they get my info?

MKr
  • 111
  • 3
  • 1
    Welcome to security SE. I believe has possibly been asked before and covered by [Is my bank storing my password in plain text?](http://security.stackexchange.com/questions/10938/is-my-bank-storing-my-password-in-plain-text) from a technical standpoint. –  Oct 10 '12 at 10:55
  • What I'm looking for is a definite yes and not something they can squirm out of. If they keep it on a secure sever somewhere else that some other company is in charge of, then any security breach is possibly not the banks fault, if they employ the it technicians who are in charge of maintaining it, then I hold them responsible for any internal security breach. – MKr Oct 10 '12 at 12:01
  • 1
    Are you saying that whoever did this to you also took over control of your cell phone number in order to receive a phone call from your bank to your cell phone number to verbally confirm the change that was made to your bank account? – HeatfanJohn Oct 10 '12 at 13:59
  • 1
    Your password does not exist in the bank's system. There is no way someone could get your password from your bank. However, if there is a flaw in the bank's security it's possible that someone could log in as you without knowing your details. Also possible is that someone got hold of your password. It's not uncommon for hackers to exploit security flaws in for example phpBB to insert malicious scripts in pages that doesn't seem suspicious to you. What browser are you using? – MatsT Oct 10 '12 at 14:07
  • 2
    @MatsT - Your statement could be false. His bank could be storing his account's password as plain text although its unlikely and likely stored in a secure hashed format instead. At the end of the day it sounds like YOU leaked the username and password that cause the compromise. – Ramhound Oct 10 '12 at 14:12
  • @HeatfanJohn - Indeed. If the bank did try to contact me in the space of that hour to report sudden and suspicious movement on my account, the call would've gone to the person in control of my simcard at that time. So too would any OTP (one time pin) verification sms'. – MKr Oct 11 '12 at 14:06
  • @MKr Have you reported this to your country's equivalent of the US FBI? Another question you should post is can someone take control of your mobile telephone number to receive inbound voice calls and SMS text messages. In the old days of analogue cell phone, that answer was yes, but today with SIM cards I am not aware of how that can happen. – HeatfanJohn Oct 11 '12 at 15:00
  • It has been reported to both the bank's fraud department and the police, yes. They do simswaps all the time. It's what they do when you've lost your physical phone or if you want to change cellphone networks, but you want to keep your old number. You buy a new simcard and then the service provider swaps the info from your old simcard to the new one. The cell phone provider has your details on their network, so they simply register the new simcard to your account and delete the old one. You don't even have to have the old simcard just the new one you want to replace it with. – MKr Oct 11 '12 at 15:42
  • Note that, as far as the law is concerned in the USA, the banks are *perceived* to be invulnerable to attack, and thus are not required to perform any log analysis or any form of check on their end. Yes, it's stupid, and it leaves consumers in a crappy position. Thankfully, the UK has a different approach: the ICO and FSA can kick their arses if they try to fob you off like this. – Polynomial Oct 11 '12 at 19:38

5 Answers5

11

Your bank probably don't have access to your plain text password but it isn't as simple as that.

It is unlikely that your bank store your password in plain text, so it would be a non-trivial task for them to look up your username and password and then login.

However, there are many other potential causes that could lead to an illegitimate transfer from your account - anything from vulnerable systems to rogue bank employees.

If your bank is claiming that they witnessed a login using your username and password that led to the transfer then the question of who's responsible will depend on your bank's fraud policy and the laws of the country you live in.

However, it does sound like you are describing a possible breach of your security so you should take immediate steps to fix this.

Andy Smith
  • 2,742
  • 18
  • 24
5

You don't say in what country this took place, but in the UK, Phantom Withdrawals have been an endemic problem. The UK banks have used any "security systems" in place to shift blame on to the customer, rather than look into any possible internal problems.

Bruce Ediger
  • 4,552
  • 2
  • 25
  • 26
3

Modern databases do not store passwords directly in plain text. Instead, they take your password, and run an algorithm called a 'digest' on it, like SHA-1, or (the now deprecated) MD5. The idea is that if you supply the correct password, the result of the calculation will be the same as the one they have stored. That way, they don't have to store your password, but they know if you've entered the correct one.

They certainly have your username. That has to be stored in plain text. If you use your phone for bank transactions, and enter your username and password that way, it's possible that keylogging software on your phone could have gleaned the username and password. You stated you haven't clicked any shady links, but there have been reports of phone market places, such as Android's Google Play, occasionally holding malware.

However, it doesn't really sound like that's what you're hitting here. You mention a 'SIM error'. This sounds more like someone at the mobile phone company made an error which may have caused your SIM chip to become disassociated with your phone. If this is the case, your banking information isn't actually compromised. Have you checked to see if any unauthorized transactions have occurred? You haven't specified if something actually went wrong or if you're just asking this academically, because your bank told you 'if this ever happens, you're screwed'.

Many banks have an identity theft service. Many countries have laws about how these things are to be held. We're not lawyers, so you would have to investigate there and you should keep legal council if needed.

It should be also noted that a bank does not need your login information to change things in your account. They can make changes as they see fit. Your login information is only so you can manage your account remotely. They're free to charge things, move money, and tweak features in the system without needing your password, as they have direct access to the databases through their programs at the bank. If the changes were linked to a particular login, that's one thing. If changes just 'happened', that's another.

An additional angle to consider is if your password/sim stopped working, it may not be that your password ever was compromised. It may have been a social engineering attempt where an attacker convinced a banker that he or she was you, and then got them to reset your password because they 'forgot it'. This, unfortunately, is not that difficult. You can read about how this sort of attack can go down here: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/ This one wasn't a banking compromise, but it was severe and in a similar style to what I mention.

Your bank cannot claim a complete lack of liability without knowing precisely how the attacker got control of your account. 'Not knowing the username and password' is not a blanket excuse that holds under all angles of scrutiny. Don't get me wrong, however. You can't blame them for the error without knowing what happened, either, and they have the most information, since their systems would the ones logging actions.

Update As one of the commentators pointed out, my statement about databases 'not storing passwords directly in plain text' is a simplification. A database will store whatever you tell it to. Programmers working with financial information are expected to have the sense, however, to store digests instead of plain text. You can expect that your password is not stored.

Kelketek
  • 147
  • 2
  • 1
    Databases themselves don't typically have the faintest idea whether or not the data being stored is a password or not. And I would guess that, unfortunately, the vast majority of developers store passwords either directly, or use cryptography so poorly as to make it virtually ineffective. – Stephen Touset Oct 10 '12 at 20:38
  • This answer has a great deal of noise, and nothing that is being said, answers the user's question. – Ramhound Oct 11 '12 at 13:45
  • I suppose that's what is even more upsetting than the loss of the money. The fact that they expect you to prove that the breach didn't happen on your side - but they are sitting with all the information about when where and who. – MKr Oct 11 '12 at 14:35
  • @Ramhound , How do you figure? It covers a broad base of possibilities based on the (rather vague) initial question, and tries to hit each interpretation. I'm not sure which part you think is unanswered. – Kelketek Oct 11 '12 at 17:13
  • A lot of possibilities, exactly. Too many in my opinion for the bank to just say sorry it's your fault. – MKr Oct 11 '12 at 17:31
1

Just a supplemental to the other great answers.

I work at a credit union in the US (a much friendlier version of a bank :), and we do not have access to passwords even if we wanted to. Not only is this system driven with automatic hashing, but this is also in our policies and procedures for member/customer protection for exact reason of "rogue employees" after being terminated. We get many frustrated responses from our members when we are unable to retreive a requested password. To illustrate the this extent, not even our top level executives are able to retreive passwords.

From my understanding, this is best practice used by most institutions and usually a requiremnet for legal and compliance reasons. And there are usually audit trails for EVERYTHING. Still, it mostly depends on the how much access/surface area is left open for access, especially systems built in house.

It's also worth knowing if your bank provides an app of mobile banking, or just web access. It's much harder to control what goes in and out of web browser versus an in house or vendor app for your phone.

Chad Harrison
  • 185
  • 6
1

I think all answers focus way too much on how the bank stores the password. Hashing is irrelevant here, and already covered in this question. If it was stored in plain text, the database admin could have looked it up and used it. But then how do you explain the cell phone thing?

The problem with this question is that we have way too little info. @MKr, much as I would like to believe you, there is no way to actually prove you didn't click on any suspicious links. It also doesn't need to have been recently, though it's more likely. However, even with your login credentials, an attacker shouldn't have been able to do anything.

Weirdest of all is the cellphone giving an error. If this happened at the same time as when your bank account was emptied, the odds are big it is related (though still not 100%). You should go to the bank and explain it to them. Repeat the story as long as it takes, and demand to talk to someone technical. Same for the mobile operator, they probably have a breach too. (The only other explanation being your phone being hacked over Bluetooth or so.) This must not have been possible.

We as community can do very little but try to hype the case to front-page news so that the bank and operator pick up on it. We can't look in logfiles or test the bank's or phone's security. Your bank and operator can.

Actually you might want to talk to a lawyer to see if there are any legal options. I don't know how much money is involved, but an entire bank account may have been a lot.

Community
  • 1
Luc
  • 31,973
  • 8
  • 71
  • 135
  • 1
    Exactly my problem. Even if I did use a fraudulent link or have a Malware infection. And even if they did get my entire password over time. (the bank doesn't ask for your whole password, only certain characters each time you log in). My internet banking in linked to my phone. I get instant updates every time there's movement on my accounts. That's why they needed my phone to gain access and they did that by doing a simswap. I physically had to phone my cellphone service provider to get it swapped back (from a landline) She acknowledged that the swap had been a mistake and corrected it. – MKr Oct 11 '12 at 14:20
  • Now my internet banking might be linked to my phone, but none of the login and password info is stored on it or my sim. So taking control of my phone only allowed them to make changes to my account but they would've had my password by then. You can swap a sim without physically having the phone, but you would need the phone number, and that isn't required when you log into your internet banking. The bank has my name and number linked to my account so my question remains - do they also have my password? Cause if they do, well then... – MKr Oct 11 '12 at 14:29
  • Ps - I don't use the phone itself for internet banking, only for verification. – MKr Oct 11 '12 at 14:36