How Hackers can Steal Money from your Bank Account

The easiest way for any hacker to steal money from anyone's bank account(s) is to sign on to that person's bank's Internet banking website(s) using that person's account code and password. Once they have access, all they need to do is make an automatic payment from your account to a temporary one they have set up to receive it, and then transfer it on to hide it from potential recovery. That first step is identical to what anyone would do to pay a bill, make a purchase or provide payment to someone they owe money: in effect, what every normal person readily does as a typical financial procedure in everyday life.

Whether they can do this easily, and therefore whether they consider it worth their time and effort, depends on the security you have on your computer and the security procedures your bank uses to protect its Internet banking clientèle, and, of course, on whether you actually use Internet banking at all.

If your bank accounts are not set up to enable Internet banking, they are not vulnerable to this. But even if you have never applied for or set up Internet banking on your accounts, you should verify with your bank that they have not, in fact, automatically set up this facility for you, without you realizing.

On the security issue, let's consider your bank's security first. If they only require an access code and password, then access to your accounts is far more vulnerable than it should be these days. More security conscious banks now use question/answer security in addition to access code/password security. The primary reason for this is the potential insecurity of the computer being used by their customer using Internet banking.

The primary method hackers use to obtain userids, access codes and passwords is a type of spyware called a keylogger. As the name suggests, this software records a log of your keystrokes, the keys you press on your keyboard, whether that keyboard is physical or virtual. Keyloggers are very good at hiding on computers. They can either be installed on your computer by a hacker who successfully bypasses your security and gets access to your computer, or arrive hidden amongst the information you download from a webpage you access during your Internet browsing, where the keylogger has previously been secretly installed by a hacker. The website you've accessed is often a completely innocent and unaware participant. The more so the better from the point of view of the hacker.

As access codes and passwords are directly typed in, they will be logged by a keylogger, and can therefore be ascertained by the hacker who installed the keylogger. Question/answer security is set up by you. If you are uncertain about the security of your personal computer at the time you are doing so, it may be best to go into your bank and do it there. Any security conscious and customer service orientated bank should be ready and willing to provide you with the ability to do so.

You specify a question and supply the answer to it. It is best if the answer is not actually correct for the question, but the question is adequate to remind you of the answer you supplied for it. For example, the question you supply might be “What is my dog's name?”, while the answer you supply might be the name of your first dog, when you were a child, rather than the name of your current dog. You should set up several question/answer options, at least three to provide variety and complexity.

When you sign on to your bank account through the Internet, you will first specify your access code and password. If those are correct, you should then be presented with one of your questions, followed by a number of squares corresponding with the number of letters and/or numbers in the answer you supplied and below that the letters of the alphabet and the numbers from 0 to 9.

Depending on your bank's security procedure, two or three of the squares representing your answer should be open while all the rest are shaded. You then click on the appropriate letter or number listed below for each open square and then click submit. As long as those are correct, you will be passed through to your account, enabling you to use it in all the ways permitted by your bank.

Because you are clicking on their displayed letters and numbers, rather than typing in the appropriate ones, any keylogger on the computer you are using is unable to record what letters or numbers are correct for those spaces. While this is not 100% secure, it is very close to it. Please remember though, it does require you to provide questions and particularly answers that are not too obvious.
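The sign-on step described above can be sketched from the bank's side. This is an added example, not code from the article or from any bank: the record layout, function names and sample values are hypothetical, and it assumes the bank can check individual characters of the stored answer.

```python
import hmac
import secrets

# Constructed enrolment record; field names are hypothetical. Assumption: the
# bank stores the answer in a form that lets it check individual characters.
ENROLLED = {"question": "What is my dog's name?", "answer": "Biscuit7"}

def normalise(answer):
    """Reduce the answer to the letters and digits offered on the click pad."""
    return "".join(ch for ch in answer.upper() if ch.isalnum())

def new_challenge(record, open_squares=3):
    """Choose which squares are open for this login; the rest stay shaded."""
    length = len(normalise(record["answer"]))
    picker = secrets.SystemRandom()
    positions = sorted(picker.sample(range(length), min(open_squares, length)))
    return {"question": record["question"], "squares": length, "open": positions}

def verify(record, challenge, clicks):
    """clicks maps square index -> character the customer clicked."""
    if set(clicks) != set(challenge["open"]):
        return False  # exactly the open squares must be filled
    answer = normalise(record["answer"])
    expected = "".join(answer[i] for i in challenge["open"])
    supplied = "".join(str(clicks[i]).upper() for i in challenge["open"])
    return hmac.compare_digest(expected.encode(), supplied.encode())

def keystroke_log(events):
    """What a keystroke recorder would hold: typed keys only, not pad clicks."""
    return "".join(value for kind, value in events if kind == "key")

def demo_login(access_code="48213", password="constructed-pw"):
    """One login: credentials are typed, the answer characters are clicked."""
    challenge = new_challenge(ENROLLED)
    answer = normalise(ENROLLED["answer"])
    clicks = {i: answer[i] for i in challenge["open"]}
    events = [("key", c) for c in access_code + password]
    events += [("click", ch) for ch in clicks.values()]
    return verify(ENROLLED, challenge, clicks), keystroke_log(events)

if __name__ == "__main__":
    print(demo_login())
```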

Now let's consider the security of your own computer, since it is the only one you should be using for Internet banking or any other financial transaction. These types of Internet activities should never be done using a public computer, such as provided at an Internet cafe.

Keyloggers are very difficult to either detect or stop from penetrating our computer. The best we can usually do is prevent them from reporting back. To cause us harm, they have to transmit the information they have recorded back to the hacker who created them or, more often, to the hacker who obtained them from someone else and set up their reporting parameters. Keyloggers are sophisticated software; the more typical, less skilled hacker is more likely to obtain rather than write theirs.

The only security software that can stop a keylogger reporting is a firewall. It must be a firewall that can block outbound traffic. Some firewalls are only designed to be able to block inbound traffic, so make sure yours can block outbound traffic as well. It MUST be properly installed and set up, so study the technical guide you get with yours very carefully. For more information on firewalls please see the articles under Helium's titles “The basics of firewalls” and “What are the best personal firewalls”.

However, if the keylogger has been installed by a hacker who has penetrated your computer's security, they will have also installed a Trojan that will not only allow them to easily re-access your PC when they wish but enable the keylogger to transmit out. It's possible that de-installing and re-installing your firewall or de-installing your firewall and installing a different firewall may break the Trojan's penetration, but it is hard to guarantee this. It tends to be dependent on the specific situation and the skill level of the hacker.

As long as your bank's Internet security is set up to include question/answer security as described above, your Internet banking transaction will almost certainly be secure even if your personal computer's security is compromised.

It needs to be mentioned here that hackers, or more accurately crackers (criminal hackers), while the most notorious of Internet misusers, are not the only criminals that threaten our financial security through the Internet. Computer literate confidence tricksters using techniques such as the “Nigerian scams”, which are in no way limited to citizens of Nigeria, are becoming increasingly common.

Perhaps the most common of these is the con email with an associated fake website. You receive an email expressing urgency regarding some aspect of your banking or finances that includes a link to a website that imitates your banking website closely. If you use that link you are asked for details that you would never be asked for by your legitimate bank or finance company.

If you ever receive such an email, no matter how legitimate it appears, never use the enclosed link. Access the bank or finance company it is supposedly from by your normal process instead and use their inquiry process to confirm its legitimacy. Better yet, phone your bank and get a verbal confirmation before doing anything else at all, no matter how urgent the email tries to imply the situation is!

More about this author: Perry McCarney
