Amiga.org
Amiga computer related discussion => General chat about Amiga topics => Topic started by: stopthegop on September 08, 2007, 03:16:09 PM
-
I've seen on ebay and elsewhere sellers requesting payment via bank wire or "direct bank deposit". Then they openly publish:
1. The name of their bank.
2. The country in which they live.
3. The IBN routing number of the bank (which is easy to obtain if you know the name of the bank..).
4. Their account number!
5. Their first name and second initial.
Anyone see a potential problem with this??? Let me put it this way: Just as easily as money can be "direct deposited" into an account, so can money be directly withdrawn from an account. A dirty little secret of online banking is that numbers are usually all that are compared for verification purposes (birthdays, zip codes, etc..). Names are frequently not used because they are inconsistent (Mike, Michael, Mikey, Mick, Miguel...etc). So, as in this example (http://cgi.ebay.com/AMIGA-Developers-Reference-Guide-RARE-Amiga-Book_W0QQitemZ140152975251QQihZ004QQcategoryZ4598QQssPageNameZWDVWQQrdZ1QQcmdZViewItem), the seller has basically given the entire world carte blanche to his money. In short, do not ever, ever, ever disclose your bank account number and especially not in conjunction with the bank's name or IBN number! Some people must learn the hard way..
-
Sorry mate, but you're talking sh1t. I can't even be bothered to explain why.
-
@stopthegop
Just as easily as money can be "direct deposited" into an account, so can money be directly withdrawn from an account.
That is nonsense.
I challenge anyone to withdraw money from my account which is 517220-52770. Bank is Kotkan Seudun Osuuspankki - Karhulan konttori, IBAN FI50 5172 2050 0027 70.
Just because the US banking sector is a fragmented mess doesn't mean that the rest of the world has the same. Quick hint: IBAN account details are only useful for transferring funds into bank accounts. And no, no-one uses checks anymore. Last time I saw a checkbook was over 20 years ago.
To recap: There is no need to keep your IBAN secret (at least in the EU). In countries with a developed banking system (such as the USA), you're obviously better off by staying paranoid.
-
@ piru
Thanks for doing what I couldn't be bothered to do, because I'm p1ssed watching the rugby world cup :-D
-
I didn't know that, thanks for the info.
-
I challenge anyone to withdraw money from my account which is 517220-52770. Bank is Kotkan Seudun Osuuspankki - Karhulan konttori, IBAN FI50 5172 2050 0027 70.
Thanks Piru! Now I can steal your millions earned with first class amiga programs.
-
Sorry, but you are both wrong. I can't even be bothered to explain why.
But if I'm wrong, then why don't you go ahead and tell us all where you bank and what your bank account number is? It's 100% safe, right?
edit: you have balls, piru. I'll give you that. :)
-
I just did.
Well? When are you going to transfer my money out? I'm waiting...
-
I'm not going to do that. It's illegal. But it's a leap of faith to say it can't be done.
-
It is a known fact that you can perform a cheque-con in the USA by just knowing the account number and personal details.
This does not work in the EU (and pretty much rest of the world).
-
Just because the US banking sector is a fragmented mess doesn't mean that the rest of the world has the same.
I'll say. A few years ago I noticed in the news that my bank's system had been broken into and sensitive information was accessed. And of course my bank didn't bother notifying me. A couple of days later I'm trying to check out at the grocery store and my card gets rejected.
I get home and find my account cleaned out because of a charge for over $1,500 to some jewelry store in Thailand. The bank returned the money, but if I didn't have other means available, I'd have been hungry for a while.
-
Here's some information about IBAN:
http://www.ecbs.org/Download/LFL9204V4.pdf
Just to make this absolutely clear: IBAN, even when combined with any personal information (even your SSN), is not enough to withdraw money from your account.
However, this doesn't mean you should be giving out your SSN, it is still used for some rudimentary authentication elsewhere.
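An added example, in Python, that is not code from the thread or from the linked ECBS document: it implements the ISO 13616 check-digit rule (ISO 7064 MOD 97-10) that the IBAN format uses, run against the IBAN and the national account number Piru posted above. It demonstrates the point of this post in a checkable way: the two check digits are derived from the country code and the national account number, so anyone holding those can compute them. The IBAN is a self-checking identifier that catches transcription errors (a swapped pair of digits is rejected), not a secret that authorises anything. The Finnish national-number expansion in `finnish_bban` is this example's own assumption about how the "517220-52770" form maps onto the 14-digit BBAN.

```python
# Added example (not from the thread): the IBAN check-digit rule, ISO 13616
# with the ISO 7064 MOD 97-10 check. Anyone holding the country code and the
# national account number can compute the check digits, so an IBAN is a
# self-checking identifier (it catches typing errors), not a credential.
import re

IBAN_PATTERN = re.compile(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}")


def normalise(iban: str) -> str:
    """Strip the spaces people print between groups of four and upper-case."""
    compact = re.sub(r"\s+", "", iban).upper()
    if not IBAN_PATTERN.fullmatch(compact):
        raise ValueError(f"malformed IBAN: {iban!r}")
    return compact


def iban_to_integer(iban: str) -> int:
    """ISO 13616 rearrangement: move country code + check digits to the end,
    then replace each letter by its value A=10 ... Z=35 (int(ch, 36) does that)."""
    compact = normalise(iban)
    rearranged = compact[4:] + compact[:4]
    return int("".join(str(int(ch, 36)) for ch in rearranged))


def iban_is_valid(iban: str) -> bool:
    """Valid when the rearranged number is congruent to 1 modulo 97."""
    try:
        return iban_to_integer(iban) % 97 == 1
    except ValueError:
        return False


def iban_check_digits(country: str, bban: str) -> str:
    """Compute the two check digits for a country code and a national number (BBAN).
    Public inputs in, public output out: nothing secret is involved."""
    n = iban_to_integer(f"{country}00{bban}")
    return f"{98 - n % 97:02d}"


def finnish_bban(national: str) -> str:
    """Expand a Finnish '517220-52770' style number to the 14-digit BBAN.
    Assumption (this example's, not stated in the thread): pad with zeros to
    14 digits; for accounts starting with 4 or 5 the zeros go after the 7th
    digit, otherwise after the 6th."""
    head, tail = national.split("-")
    digits = head + tail
    cut = 7 if digits[0] in "45" else 6
    return digits[:cut] + "0" * (14 - len(digits)) + digits[cut:]


if __name__ == "__main__":
    posted = "FI50 5172 2050 0027 70"        # the IBAN posted in this thread
    bban = finnish_bban("517220-52770")      # the national form posted with it
    print(iban_is_valid(posted))                          # True
    print("FI" + iban_check_digits("FI", bban) + bban)    # FI5051722050002770
    print(iban_is_valid("FI50 5172 2050 0072 70"))        # False: two digits swapped
```

The mod-97 check is the only "protection" an IBAN carries, and it protects against the typo scenario raised later in this thread (a customer entering the wrong account number), not against anyone who already has the number.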
-
It sounds like the system in the US is badly broken then. I have had money stolen from one account using not even that much information. When they cleaned that account out the bank automatically transferred more money out of my savings for them to steal. Needless to say I have made some changes since then, and in the end I did get all of my money back.
Jeff
-
Maybe I should explain how "online banking" works here in Finland.
In order to get access to my account you'd need to know my user id. It is in no way related to my account number or any personal information.
Second, you'd need to know my password. It is in no way related to my account number or any personal information.
Once you've logged in, in order to do any transaction you'd need to know challenge-response number from a key list (say, "enter security ID #75"). Needless to say, the lists are totally random and I have the only copy. One number is used only once. Once all the numbers are used I can order a new list (and the numbers on that particular list are only activated at that time). Note that the list itself is useless unless if you know the user id and password, too.
If the challenge is ok then you're able to perform the transaction. This is the only way international transaction can be initiated, other than physically walking into the bank (and this involves ID with picture etc).
All of those three different identification numbers are totally unrelated to each other, and to any personal information. The connection to the bank website is protected with TLS.
So could someone please explain how on earth you could somehow transfer money out of my account?
-
Piru:
Well, it sounds like Finland has its act together in that regard. Much more so than here in the US, which is what I was writing about since that is where I live (and bank). Just for argument's sake, let's say you (or anyone) went and initiated a wire from a website that is, shall we say, less secure than the website run by your bank in Finland. Moneygram, for example. Maybe Western Union..
On Moneygram, you can wire anyone (even yourself) cash using a checking account, which is considered "verified" if you have the account number and IBN number. They also require that you provide a credit card as a "backup funding source". But what if the credit card belongs to someone else, and the checking account to yet a third person? I know for a fact that they don't verify the name you give them against the name on record with the bank or the credit card company. See how they cover their own *ss by making you (or someone) essentially "pay" twice, but otherwise they play fast and loose by not even checking to see if the person requesting the wire is the same name associated with the checking account and is the same name of the person on file with the credit card company?
But then again, let's say you're really in a pinch and you need to wire some cash electronically, AND everything is 100% legit? What then? Would your bank in Finland allow the wire? How would it know the difference between these two transfer requests - one legit, the other complete bullsh1t (wrong name, but valid account numbers, etc) and initiated from a website (or even over the phone) by a company that isn't your bank?
Like I said, if you can wire money in, its probably not that hard to wire it out.
-
@stopthegop
The party initiating (say perhaps I have two accounts, one in two different banks) the transaction uses similar system to log in, that is the only way. There are no third parties involved, the transaction is between banks, or even within the same bank.
Thus, it is always secure.
No-one can remotely draw any money from my account. Only I myself can initiate transfers (the exception is the contract where certain recurring bills, such as electricity, water, inet are paid automagically, but even in this case I have initiated the draw, by setting up the contract).
Considering this system has been up even before the EU in its current form was formed, and that the EU itself is far less integrated than the United States, it's quite weird the US hasn't been able to set up a similar system. Perhaps there are profits involved, and thus resistance against change?
-
I think you can say that the European Union has its act together!
IBAN has been put in place by the European Union to transfer money quickly and safely. It's my number one choice to send money.
-
The US banks are definitely making money off of fraud somewhere. All you have to do to know that is look at how heavily they push the "Check Cards". Check cards are basically credit cards that automatically withdraw the money every charge immediately after use.
Here in the US, they even run ads that show how difficult it is to use a check when you don't have any ID, and that with a Check Card, you can just swipe the card and go. They are even advertising how you don't even need to sign a receipt now.
It amazes me how many people that I would have thought were mentally capable, happily accept these cards from their banks.
-
Back in the 60s and 70s here in the States banks started getting automatic check processing equipment and people liked having a definite hard copy of transactions.
In Europe checks were pretty much phased out a long time ago. Many here don't use checks either, like me. Others, like my mother, don't use cards at all.
If your card is stolen, call the bank and they will freeze it and you won't be responsible for charges made to it.
@jeff if your bank accounts are linked the bank will take all the money from your second account so that you don't overdraw the account. Usually you have to sign up for linked accounts. Is that what happened?
I like cash
-
The banks would rather write off the fraud losses than fix the problem because it's simply cheaper and makes more money to just write off the fraud than it is to introduce security and lose money on people not liking the procedure and not going for impulse purchases.
-
One big problem with our system is with online "verification" when using a debit or credit card. You go to all the trouble of filling in these stupid forms that are supposedly "secure" and it turns out you can enter totally random bullsh1t for "name", "address", "email", "province", and "occupation". No comparison is done on any of these fields to verify the initiator is the actual owner of the account. At most the software might check the zip code against the one on file -- only because it's easy. This isn't true of all merchants' websites, but a damn lot of them. The banks know this, too. They have just declared fraud a fixed expense (like rent) and raised fees to hide it from shareholders.
How about this scenario? You set up a credit card to be paid automatically every month from your checking account. All the data you enter is valid (name, address, ssn, phone number, work, etc..). When you enter the bank acct. you accidentally make a typo and inadvertently enter the wrong account number. Since their crappy software doesn't even check the name you enter against the name on the acct, something like that could easily happen! And probably has. IMO, US banks get exactly what they deserve with so-called "identity theft" cases.
-
What Mr. Piru means is that his bank does not allow him to purchase things online. Piru is banished from the entire world internet economy.
What the various US posters mean is that they are allowed to purchase things online using their bank account.
Everything has advantages and disadvantages.
-
@JosephC
What Mr. Piru means is that his bank does not allow him to purchase things online. Piru is banished from the entire world internet economy.
I didn't say CC wasn't available.
It has absolutely nothing to do with my account number, however.
-
@StoptheGap : that's a US and Caribbean island problem.
@Piru : can you give all the details on your credit card ? (just the long number, the exp date, and the last 3 numbers at back) :lol:
For a bank transfer in France, you need to go to your "guichet" and show proof of identity. You can't steal the money the way you describe. You need a "manuscrit" authorization signed by the account owner with a proof of identity of him and you.
Since the Dark Age, we use and still use a lot "cheque" ;-) and there were very few problems.
Because bank transfer is quite taxed.
3.5e for the transfer (if it is inland or in Europe in a partner bank or the same bank !)
5.10e for the "treatment" (if it is in Europe not in a partner bank or if 1 information is missing or wrong !)
and some more bank fees depending on the amount :-o
Add 8e more if it's not in Europe ... :-o
For the credit card transfer, you need just the long number, the exp date, and the last 3 numbers at back.
And the top of the top, some banks take fees if you use your card more than 5 times in a month to take cash in another bank.
-
Belial6 wrote:
The US banks are definitely making money off of fraud somewhere. All you have to do to know that is look at how heavily they push the "Check Cards". Check cards are basically credit cards that automatically withdraw the money every charge immediately after use.
Here in the US, they even run ads that show how difficult it is to use a check when you don't have any ID, and that with a Check Card, you can just swipe the card and go. They are even advertising how you don't even need to sign a receipt now.
It amazes me how many people that I would have thought were mentally capable, happily accept these cards from their banks.
In Norway, and most places in Europe AFAIK, we have PIN codes on these cards...
No/Wrong PIN = No money
(unless you yank out the phone line from the card terminal, in which case you'll have to sign the receipt and show ID).
Correct PIN basically serves as the signature.
Oh, and btw: My bank has no fees whatsoever, except a 30 EUR yearly fee for the Debit/VISA card.
Usage of the card is free, so is paying your bills, transferring money, etc...
Cheques are only used by old people every now and then, debit cards have been common since the early 90's
-
(unless you yank out the phone line from the card terminal, in which case you'll have to sign the receipt and show ID)
You still need the correct PIN code... If not, the card will decline the purchase. Even when the phone line is unplugged...
In norway, at least... That i know for sure...
About security:
I was buying some airsoft equipment from japan, using visa.
The total amount of money was about, 1400 USD...
I got a phone call from VISA Norway asking if the transfer really was legit... That surprised me...
-
pyrre wrote:
(unless you yank out the phone line from the card terminal, in which case you'll have to sign the receipt and show ID)
You still need the correct PIN code... If not, the card will decline the purchase. Even when the phone line is unplugged...
In norway, at least... That i know for sure...
About security:
I was buying some airsoft equipment from japan, using visa.
The total amount of money was about, 1400 USD...
I got a phone call from VISA Norway asking if the transfer really was legit... That surprised me...
Doesn't surprise me, $1,400.00 is a hell of a lot of money for toy guns dude. What did you do, buy a few for every kid in your neighborhood?
-
Piru wrote:
Maybe I should explain how "online banking" works here in Finland.
In order to get access to my account you'd need to know my user id. It is no way related to my account number or any personal information.
Second, you'd need to know my password. It is no way related to my account number or any personal information.
Once you've logged in, in order to do any transaction you'd need to know challenge-response number from a key list (say, "enter security ID #75"). Needless to say, the lists are totally random and I have the only copy. One number is used only once. Once all the numbers are used I can order a new list (and the numbers on that particular list are only activated at that time). Note that the list itself is useless unless if you know the user id and password, too.
My bank in Turkey started something similar along these lines. Whenever I do a transaction online, they send a confirmation number to my cell phone by SMS. The transaction doesn't take place unless I enter the confirmation number within 15 minutes.
and no, you can't change the cell phone number on file without personal application (to the bank).
Now, although this feels quite secure, it rendered online banking totally useless for me, cause my cell phone doesn't work here in japan :headwall: :headwall: :headwall: (Turkey uses GSM like most of europe while japan has CDMA, no possibility of roaming)
-
If you know enough personal details and some basic bank account details it really shouldn't be too hard to steal someone's money.
Just ring the bank and tell them you have forgotten your internet username/password. After a series of questions about 'you' they will reset the password.
So I would agree that putting part of the bank details in public view is not a good idea.
-
If I stuck a gun in somebody's face, I bet I could get all their money and I wouldn't even need the codes!
-
No bank (where I'm from) will do such a thing by the phone.
Piru's bank sounds similar to mine. When I log in to my bank, I have to state my birthdate+social security number (DDMMYYYYxxxxx), my personal password and the current validation code from the bank (four digits, changes for every login). These codes are either snailmailed to you, or generated using your credit card and a hardware dongle.
Then, when you're about to commit a transaction, you have to punch in another validation code from the bank.
I think your odds are better looking for an exploit of some sort.
-
If I stuck a gun in somebody's face, I bet I could get all their money and I wouldn't even need the codes!
And people carry so much cash on themselves these days!
-
Piru's bank sounds similar to mine. When I log in to my bank, I have to state my birthdate+social security number (DDMMYYYYxxxxx), my personal password and the current validation code from the bank (four digits, changes for every login).
Changes every log in? Holy crap, that sounds a bit over the top. There does come a point where more security is not a good thing.
Assuming you know a 'current' address. It is easy to also state on the phone that you have changed address.
-
Not with any of my banks in the uk.
You need to know your Internet Banking ID, plus a six-digit security code and DOB.
-
You need to know your Internet Banking ID, plus a six-digit security code and DOB.
It is not uncommon for people to lose/forget their ID/sec codes. How sure are you that someone knowing enough basic details about you couldn't get on the phone and convince the person on the other end that they are 'you'? Change your mailing address and get new codes.
I was surprised with the ease I was able to get a new internet password all just over the phone.
-
@nBit7
Changes every log in? Holy crap that sounds a bit over the top.
That's the whole point of the challenge-response system. Even if your login and password leak, that final lock is still in place preventing abuse.
I'll take that any day compared to losing money.
There does come a point where more security is not a good thing.
Sure. This isn't one of those cases however.
-
@nBit7
How sure are you that someone knowing enough basic details about you; couldn't get on the phone and convince the person on the other end that they are 'you'. Change your mailing address and get a new codes.
Resetting the password requires physical visit to the bank (at least here). Also, they'll never send the login/pass over mail (except the initial login/pass when you create the account).
Only thing you get via email are the challenge/response lists (which are useless without the login/pass).
Believe me, they have thought these things over.
-
Once you've logged in, in order to do any transaction you'd need to know challenge-response number from a key list (say, "enter security ID #75"). Needless to say, the lists are totally random and I have the only copy.
Of course that doesn't stop people from creating scam sites, where front page looks exactly like the banks official site (with a slightly different address)
Then it asks you to "confirm" all your personal information, including "10 next keycodes" (which should be more than enough to empty your account)
And yes, too many people still fall for that. Luckily some people created software, that will fill those scam sites with random information, thus making it harder to locate the details of real people.
Personally I don't consider this a security problem, rather some users being way too stupid. But I guess it was because of that that my bank started asking for the codes in random order.
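An added example, in Python, written for this thread rather than taken from any bank or from the posts above: a bank-side model of the three transaction-confirmation mechanisms described here, Piru's numbered one-time key list ("enter security ID #75"), the random-order challenge Kalle says his bank switched to after the fake-site scams, and the 15-minute SMS confirmation code from the Turkish bank post. The simulation `phished_attacker_wins` models the scam page that asks for the "10 next keycodes": with sequential challenges the stolen block always matches the bank's next question, with random challenges over a 100-entry list it matches about one time in ten. All names, list sizes and code lengths are this example's own assumptions, and binding the SMS code to the payee and amount is a design choice the Turkish post does not state.

```python
# Added example (not from the thread): bank-side handling of one-time
# transaction codes, in two flavours discussed above. Sizes and code
# lengths are assumptions, not any real bank's parameters.
import hashlib
import secrets

TAN_SIZE = 100    # positions on one printed key list (assumed)
TAN_DIGITS = 4    # digits per code (assumed)


class TanList:
    """Numbered one-time code list ("enter security ID #75"). Each position is
    used at most once and the bank names the position it wants answered."""

    def __init__(self, size=TAN_SIZE, random_order=True):
        self.codes = [f"{secrets.randbelow(10 ** TAN_DIGITS):0{TAN_DIGITS}d}"
                      for _ in range(size)]
        self.used = [False] * size
        self.random_order = random_order
        self.pending = None  # 0-based index the bank is currently asking for

    def challenge(self):
        """Pick the position the customer must answer (1-based). Sequential
        issuing makes the next position predictable; random issuing does not."""
        unused = [i for i, done in enumerate(self.used) if not done]
        if not unused:
            raise RuntimeError("list exhausted: order a new one")
        self.pending = unused[0] if not self.random_order else secrets.choice(unused)
        return self.pending + 1

    def answer(self, position, code):
        """Accept the code only for the pending position, and burn it on success.
        A wrong answer clears the challenge; a real bank also counts failures."""
        i = position - 1
        if self.pending != i or self.used[i]:
            return False
        ok = secrets.compare_digest(code, self.codes[i])
        if ok:
            self.used[i] = True
        self.pending = None
        return ok


def phished_attacker_wins(random_order, stolen=10):
    """The scam page in the thread: the victim typed their 'next 10 codes'
    (the first unused positions, in order) into a fake bank site. Return True
    if that haul answers the real bank's next challenge."""
    bank = TanList(random_order=random_order)
    haul = {pos + 1: bank.codes[pos] for pos in range(stolen)}  # attacker's view
    asked = bank.challenge()
    return asked in haul and bank.answer(asked, haul[asked])


def attacker_success_rate(random_order, trials=300):
    """Fraction of simulated phishing hauls that beat the next challenge."""
    return sum(phished_attacker_wins(random_order) for _ in range(trials)) / trials


class SmsConfirmation:
    """Out-of-band code that must be entered within 15 minutes, as in the
    Turkish bank post. Tying the code to payee and amount is this example's
    own addition: a code captured for one transfer cannot confirm another."""
    TTL = 15 * 60  # seconds

    def __init__(self):
        self.pending = {}  # transaction digest -> (code, issued_at)

    @staticmethod
    def _digest(payee_iban, amount_cents):
        return hashlib.sha256(f"{payee_iban}|{amount_cents}".encode()).hexdigest()

    def issue(self, payee_iban, amount_cents, now):
        """Generate the code; in practice it goes to the phone number on file."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[self._digest(payee_iban, amount_cents)] = (code, now)
        return code

    def confirm(self, payee_iban, amount_cents, code, now):
        key = self._digest(payee_iban, amount_cents)
        entry = self.pending.get(key)
        if entry is None:
            return False
        expected, issued_at = entry
        if now - issued_at > self.TTL:
            del self.pending[key]      # expired: the transfer must be re-initiated
            return False
        if not secrets.compare_digest(code, expected):
            return False
        del self.pending[key]          # single use
        return True
```

The two mechanisms fail differently: a printed list is only as safe as the customer's refusal to type future positions into a page that is not the bank's, whereas a per-transaction SMS code exists only after the bank has seen the transfer and dies after the window, so a phisher has to be in the loop in real time.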
-
Belial6 wrote:
The US banks are definitely making money off of fraud somewhere. All you have to do to know that is look at how heavily they push the "Check Cards". Check cards are basically credit cards that automatically withdraw the money every charge immediately after use.
Here in the US, they even run ads that show how difficult it is to use a check when you don't have any ID, and that with a Check Card, you can just swipe the card and go. They are even advertising how you don't even need to sign a receipt now.
It amazes me how many people that I would have thought were mentally capable, happily accept these cards from their banks.
The banks don't make money off fraud, but Visa and MasterCard make money off merchant fees (or at least flat merchant terminal fees) for accepting debit and credit transactions. Shifting more transactions to plastic from cash makes the service more valuable -- imagine running a cash-only restaurant these days -- and encourages more merchants to sign on.
As to the (in)security of direct transfers, my understanding of the problem is that the system which has become commonplace originated as a 'hack' to get around exorbitant wire fees by using the ACH (automated clearinghouse) network built for clearing checks between banks bidirectionally.
The security is via "limited" access to the ACH network, meaning PayPal and its predecessor services (payroll direct-deposit providers, etc) had to somehow get authorized to participate. Presumably you have to be 'sort of a bank.' But when any 'sort of a bank' lets anyone plug in any account details and start making transfers...
The safeguards on the new RFID credit and debit cards (PayPass, etc) are apparently the same: "limited" access to the merchant network, meaning a fair chunk of the safety is in authentication of the merchant terminal and crypto between the merchant terminal and the bank. As far as I can tell, they are trying to confuse matters by talking about the TLS-type crypto between the terminal and the bank as if it applies to the terminal<->tag communication; apparently some of the cards are just using a dumb transponder with the equivalent of magstripe information.
Of course, now you don't need to sign a slip for credit-network purchases under $25, either.
Further, in the US we apparently have a new federal statute that might as well be called the Phishing Enablement Act -- one of my banks now requires me to enter my full card and PIN number (along with username and password) to obtain a cookie 'authenticating' the machine I'm connecting from; another opts for a slightly more sane challenge/response "Security Questions" scheme, but with fixed questions that entail static personal information: "What is your grandfather's name?" "Where were you born?" "What was your first car?"
The problems here are so awful that I don't even know where to begin. I need to find the actual law and see what it actually requires, but these systems seem to benefit:
- Advertisers, who benefit when more users are forced to accept cookies; and
- Banks, who don't benefit from phishing, but do benefit in fees every time an inconvenienced user doesn't check his balance because of the new hoops and overdraws his account.
Apparently overdraft fees compensate the risk of fraud, especially since they *are* lucrative for the banks and the banks' insurers probably cover the costs of fraud (or the banks' own profits do, giving them the complacency to whine about the problem without doing anything concrete about it).
-
Apparently overdraft fees compensate the risk of fraud, especially since they *are* lucrative for the banks and the banks' insurers probably cover the costs of fraud (or the banks' own profits do, giving them the complacency to whine about the problem without doing anything concrete about it).
Precisely