Lonely Planet™ · Thorn Tree Forum · 2020

Logging in to a site: possible fraud

I received an Email saying that on a particular finance-related site I use, certain of my banking details had been amended. I was asked to log in, in order to see whether the changes were correct.

Because I had requested no changes, this seemed odd. Thinking that some change might have been made without my knowledge (fraud??), I logged in. On the "Account>Settings" page I'd been asked to check, there is, in fact, nothing about bank details. The bank details are on another part of the "Account" page, and there had been no changes.

I have contacted the company to ask whether they, in fact, sent the mail.

My question: is it possible for a criminal to remotely log the password/log-in details that a user keys in? Are such details secure or is this just an illusion? I am not in an internet café, not on an "open network" such as a Wi-Fi hotspot, but at home on my own computer.

Edited by: Popotla

Since posting my question, I've answered it myself, having started to find out about keyboard-logging software. It's frightening. If this stuff is on my computer, then no personal financial sites are safe to visit and although I can change passwords, the new password can be immediately known.

1

Welcome to the big bad internet. You owe it to yourself to read up on all the commonest scams and frauds and learn the basic ways to protect yourself against some of them at least.

2

It is my understanding that the way these emails usually work is that they purport to be from your bank, and contain a link within the email for you to click on to 'log in' and confirm your details. The link takes you to a fraudulent site masquerading as your own bank's site, from which your login details are captured as you enter them.
Provided you have decent security software on your computer and haven't actually downloaded any malicious keyloggers, you should be fine providing you log in using your bank's official website, and not via any email links.
Different story using internet cafes, which can be full of nasty stuff.
If you're still concerned, you can enter your login details using a 'virtual keyboard' such as Neo's SafeKeys.

3

Firstly, never click on any links within an email. ALWAYS go to your own bank's web page to do so.

Secondly, if your bank supports 2 factor authentication for logging in then request this service. Various forms of 2 factor authentication are in use, such as an SMS of a single use code to your mobile number; an application on the smartphone that generates a passcode (or token) which is time-synch'd to your bank's passcode server; or a special hardware device that generates a passcode.

Some banks also provide, on the login screen, a virtual keyboard that randomises the position of the letters and numbers so that keyloggers can't read what you type.

Hopefully no harm done to your bank account but you should contact your bank by telephone anyway and change your password (or have them generate a new one), to be safe.

Good luck!

4

You have found a phishing scam.

If a bank or other financial institution wants to contact you, they will do it by letter. They will not ask for your personal details in an email.

Check out the scambusters site to find out how people want to steal money from you.

http://www.scambusters.org/

5

OK, if you clicked on a link in the email to go to your bank website, they have now got your login and password. Contact your bank and get it changed immediately. If you went through your browser and typed it or a saved link on your browser, everything is ok. It sounds like you did the latter because you could see your account details and balance etc.

It has nothing to do with keylogging at all in this situation. Keyloggers are used to get details off machines at places like internet cafes. They can be installed by malicious software also, but it's much harder to get the information off a computer in that instance than a cafe where the thieves just log on and copy the file :-)

The idea of the email is to get you to enter the details into a fake website. The fake website records the details and then they use it to log on and transfer money out etc. I know my bank doesn't allow transfers to other parties without mobile phone acknowledgement. They send a pin to my mobile and I enter it to approve the new person/company I'm transferring money to.

6