Someone tried to take £33,000 from my account

[RedTomato]

Hello guys.

Just had an interesting phone call with Santander, a UK bank. Someone tried to transfer £33,000 (about $50,000) from my bank account on the 26th January.



Luckily the bank caught it and blocked the transfer. (I have nowhere near that much in the account!) After speaking with the Fraud Dept, it appears that someone was able to copy my internet banking logon, logged onto my account and tried to do the transfer to another UK account.

I only log onto my internet banking on my laptop, via an up to date Chrome, and only at home or work. The password details are kept in 1password.

So how did whoever it was get my details? (ps I never click on a Santander link in an email)

[SilentPanda]

There have been java exploits for the past several months off and on. But there's really no way to know the culprit. At least your bank caught it so you don't have to deal with being broke while they figure it out.

[daneoni]

Could be an inside job or key-logging software.

[Zombie Acorn]

There must be some rich people who don't miss 50k when it comes out of their bank, not sure why they would try for such a large amount

[Shrink]

Quote:

Originally Posted by RedTomato

Hello guys.

Just had an interesting phone call with Santander, a UK bank. Someone tried to transfer £33,000 (about $50,000) from my bank account on the 26th January.



Luckily the bank caught it and blocked the transfer. (I have nowhere near that much in the account!) After speaking with the Fraud Dept, it appears that someone was able to copy my internet banking logon, logged onto my account and tried to do the transfer to another UK account.

I only log onto my internet banking on my laptop, via an up to date Chrome, and only at home or work. The password details are kept in 1password.

So how did whoever it was get my details? (ps I never click on a Santander link in an email)

Now, about that loan I've been seeking...

[tekno]

Santander are a Spanish bank.

[Mercer]

They are a spanish bank but they also have banks in England..

[Macky-Mac]

Quote:

Originally Posted by Zombie Acorn

There must be some rich people who don't miss 50k when it comes out of their bank, not sure why they would try for such a large amount

probably the crooks expect to get the money transferred, withdrawn the cash and then disappear before the money is missed

[twietee]

Don't you need some sort of additional and unique Tan number (not sure how you call it) or other pin to confirm any transaction?

[shinji]

Quote:

Originally Posted by RedTomato

Hello guys.

Just had an interesting phone call with Santander, a UK bank. Someone tried to transfer £33,000 (about $50,000) from my bank account on the 26th January.



Luckily the bank caught it and blocked the transfer. (I have nowhere near that much in the account!) After speaking with the Fraud Dept, it appears that someone was able to copy my internet banking logon, logged onto my account and tried to do the transfer to another UK account.

I only log onto my internet banking on my laptop, via an up to date Chrome, and only at home or work. The password details are kept in 1password.

So how did whoever it was get my details? (ps I never click on a Santander link in an email)

Anyone else have physical access to your laptop at home or work?

[Dagless]

I've had the opposite problem. Tried to buy 2 return tickets to LA and an EOS 60D camera in the same month. Had both declined and my card cancelled, had to get a new card!
(I have a debit card, don't know if the rules are different)

But I'd rather that happen than someone else taking my money.

[Demonface]

The people who tried to take your money probably tried it on more than one account and they probably got through with one of them .

[RedTomato]

Quote:

Originally Posted by SilentPanda

There have been java exploits for the past several months off and on. But there's really no way to know the culprit. At least your bank caught it so you don't have to deal with being broke while they figure it out.

Santander website doesn't use java. Chrome is set for all plug-ins to ask for a click to run (does wonders for disabling annoying adverts).

I never bothered to install java 7 for Mountain Lion. (upgraded to Mountain Lion 2 months ago)

Thanks for the hint though - I just now tested for java. No pref-panel, no java utility. After a search, seems I still have java 6 left over from Snow Leopard (never installed Lion). As far as I know, java 6 does not run in Mountain Lion without a bit of tweaking (which I haven't done). Tested in browsers and downloaded a couple of .jar apps. No functionality here.

Quote:

Originally Posted by daneoni

Could be an inside job or key-logging software.

Inside.. hmm. Key-logging - not sure how on OSX - my macbook is pw-protected.

Quote:

Originally Posted by Mercer

They are a spanish bank but they also have banks in England..

Santander took over a british bank, Abbey, a few years ago. I had an account with Abbey, which then became a Santander account.

Quote:

Originally Posted by twietee

Don't you need some sort of additional and unique Tan number (not sure how you call it) or other pin to confirm any transaction?

Yup, a OTP, One Time Password. If I transfer money via the website, it texts my phone with a passcode, which I need to enter on the website. Thanks for reminding me. I didn't get any passcode text linked to this fraudulent transfer. I'll bring that up next time I talk to them, if I get a chance.

Quote:

Originally Posted by shinji

Anyone else have physical access to your laptop at home or work?

Nope. It's my baby and only I use it Belongs to me, not to work. Has a login password and a wake from sleep password (if sleep for more than 1 hour)

Quote:

Originally Posted by Demonface

The people who tried to take your money probably tried it on more than one account and they probably got through with one of them .

if they had bothered to try a transfer for an amount that I actually had, they might have succeeded. Not sure how without activating an OTP request though.

[SilentPanda]

Quote:

Originally Posted by RedTomato

Santander website doesn't use java. Chrome is set for all plug-ins to ask for a click to run (does wonders for disabling annoying adverts).

I'm still not blaming Java but both Java 7 and 6 had recent security holes. Just because Santander doesn't use Java doesn't mean another site you visited wasn't and then installed something which monitored your logins on other sites.

[Renzatic]

Quote:

Originally Posted by RedTomato

I only log onto my internet banking on my laptop, via an up to date Chrome, and only at home or work. The password details are kept in 1password.

So how did whoever it was get my details? (ps I never click on a Santander link in an email)

How complicated is your password? If it's something relatively simple, whoever did it could've brute forced it by trying to log in once or twice a day over a month or two. Just hitting it up enough to keep the failed logins to a bare minimum so as not to raise suspicion.

[Demonface]

Quote:

Originally Posted by RedTomato

Santander website doesn't use java. Chrome is set for all plug-ins to ask for a click to run (does wonders for disabling annoying adverts).

I never bothered to install java 7 for Mountain Lion. (upgraded to Mountain Lion 2 months ago)

Thanks for the hint though - I just now tested for java. No pref-panel, no java utility. After a search, seems I still have java 6 left over from Snow Leopard (never installed Lion). As far as I know, java 6 does not run in Mountain Lion without a bit of tweaking (which I haven't done). Tested in browsers and downloaded a couple of .jar apps. No functionality here.



Inside.. hmm. Key-logging - not sure how on OSX - my macbook is pw-protected.



Santander took over a british bank, Abbey, a few years ago. I had an account with Abbey, which then became a Santander account.



Yup, a OTP, One Time Password. If I transfer money via the website, it texts my phone with a passcode, which I need to enter on the website. Thanks for reminding me. I didn't get any passcode text linked to this fraudulent transfer. I'll bring that up next time I talk to them, if I get a chance.



Nope. It's my baby and only I use it Belongs to me, not to work. Has a login password and a wake from sleep password (if sleep for more than 1 hour)



if they had bothered to try a transfer for an amount that I actually had, they might have succeeded. Not sure how without activating an OTP request though.

They probably hacked the banks system also. Who knows what they did ?

[RedTomato]

Quote:

Originally Posted by SilentPanda

I'm still not blaming Java but both Java 7 and 6 had recent security holes. Just because Santander doesn't use Java doesn't mean another site you visited wasn't and then installed something which monitored your logins on other sites.

Java isn't working on my laptop. You cut out this bit :

Quote:

never bothered to install java 7 for Mountain Lion. (upgraded to Mountain Lion 2 months ago)

Thanks for the hint though - I just now tested for java. No pref-panel, no java utility. After a search, seems I still have java 6 left over from Snow Leopard (never installed Lion). As far as I know, java 6 does not run in Mountain Lion without a bit of tweaking (which I haven't done). Tested in browsers and downloaded a couple of .jar apps. No functionality here.

However they could have captured the login from back when I had Mountain Lion & functioning Java, then not used it for a month or two.

Quote:

Originally Posted by Renzatic

How complicated is your password? If it's something relatively simple, whoever did it could've brute forced it by trying to log in once or twice a day over a month or two. Just hitting it up enough to keep the failed logins to a bare minimum so as not to raise suspicion.

It's more like three passwords. First page - a personal ID which is user definable, alphanumberic. If I understand the code (I don't really), the ID is sent in the clear, but the page itself is sent over HTTPS.

Code:

https://retail.santander.co.uk/LOGSUK_NS_ENS/BtoChannelDriver.ssobto?dse_operationName=LOGON

<form method="post" action="ChannelDriver.ssobto?dse_operationName=LOGON" name="formCustomerID_1" id="formCustomerID_1">

Get this wrong, and you never see the second page, so it's a bit hard to cycle through password attempts. The second page requires two passwords (?), both sent encrypted. (I won't post code from the second page).

The guy from Santander Fraud suggested I might have entered Santander in Google then clicked on whatever came up and thus gone through a man-in-the-middle attack. I try to avoid doing this but it is possible I might have gone through Google in a distracted moment. Both Chrome and Google have their own malicious website blacklist but it's possible I got taken in in that span between setting up a MITM attack and having it blacklisted.

[Macky-Mac]

If you said, I missed it, but have you ever logged on to your bank from somewhere other than your own secure wifi? A friend had a password hijacked when he was using public wifi while on a trip

[snberk103]

Check the phone# listed on your account that they send the OTP to. If it is correct then the bank itself was hacked and/or it's an internal job.

You said you needed an OTP to transfer these kinds of funds. If the bank intercepted the transfer, it means someone had the OTP. And if it wasn't actually sent to you then it was internal. And if it was internal then there was nothing you could have done to prevent it.

A bank will never admit it was internally compromised. Which means that they have to make you believe it was something to do with you, without maybe ever actually accusing you of negligence. But if someone got your OTP, then it was internal.

I assume the bank will send an email to you when it detects a change in your security settings? One of those "If you did this, then you need do nothing - and if you didn't do this then someone else has on your behalf..." Then you sign in to check the security settings *not* using the link provided of course.