
July 26, 2006

More dangers in online banking

It was interesting last night, driving home, to hear the sudden discovery by the ABC's PM program of "man in the middle attacks". It was lifted from The Age's story that day. The real story, as we wrote in the column a couple of weeks ago, is far worse, of course.

And here's the latest from InfoWorld on how criminal hackers are getting around two-factor authentication.

Scammers have found a way around new token-based authentication systems that have been adopted by some banks. Over the past few weeks, approximately 35 phishing Web sites have been set up that use the new attack ...Phishers have only recently begun looking for ways around token authentication, using what is known as a "man-in-the-middle" attack, said Rich Miller, an analyst with Internet research company Netcraft Ltd. "These attacks are worrisome because they took advantage, fairly early on, of a system that's seen as enhancing security for banking customers."
So much for Australian businesses, including some banks, "leading the world in developing strong 'two-factor' authentication for online transactions."

We've been bringing this to the attention of readers and ABC listeners for years. The stories are getting more and more alarming. But there's been absolutely no response from the banks, or from the government. What will have to happen before they act?

Posted by cw at July 26, 2006 01:51 PM


Comments

Charles

Your comments worry me intensely. I use internet banking a lot, have firewalls, virus scanners, spyware detectors, etc - the lot basically.

Yet your previous article about rootkits and this one make me wonder if I am living in a fool's paradise.

It's not this item in itself, it's about the lengths people will go to to break and enter into individual bank accounts. Clearly the internet is seen as a soft target among criminals - a terrible perception to have. Lack of persecution is also hindering that. How about a Cuban camp for the offenders?


Posted by: Sumit G at July 26, 2006 09:59 PM

Charles,

German banks have an additional layer of security for internet transactions that appears to offer very good protection against hijacking of your account, whilst still having a pretty low overhead from the bank's perspective.

It works like this. Every online banking customer receives a confidential envelope for each account they operate. (The envelope is similar to the type commonly given to an employee at each pay period - tamperproof with type printed on the inside of the envelope.)
This envelope contains a large number of alphanumeric blocks of characters (from memory around 100 blocks, each of about 6 characters).
Every online transaction made by the customer must be validated by one of these blocks of characters. If the bank does not receive a valid character string the transaction does not go through, and each string can only be used once.
When you're heading towards the end of your collection of validation strings, the bank sends you a new batch in a new tamperproof envelope.

I don't understand why Australian banks don't adopt a similar strategy. Given the fraud it is likely to eliminate, it must be a cost-positive business case.

Posted by: Captain Kirk at July 26, 2006 11:11 PM

Don't they have anything better to do than getting money out of other people's accounts?
Anyway, my bank, Bendigo Bank, got a security token whose 6 numbers change every time you use it,
and I use that when I log in and I use that when I do my transactions. That's sort of better than nothing, I reckon.
So now I'm using the Linux Live CD to do my transactions for my banking.
It's a bit of a hassle, but it's another way to secure myself from the bugs in my computer.

Posted by: gto_pontiac at July 27, 2006 11:03 AM

I use NAB's payment authentication and I think it is safe - the chances of someone getting your password and mobile phone at the same time are pretty slim - unless of course you are a victim of identity theft, then you are pretty much in a bigger league of problems.

http://www.national.com.au/Internet_Banking/0,,65535,00.html

Posted by: rich at July 29, 2006 05:04 PM

I also use NAB's SMS security on my internet banking.
What NAB don't tell you is that if you DON'T use SMS security, your daily transaction limit is halved.

NAB also offers password locking; when activated, the internet banking site will not allow your ID/password to be used. To unlock it you have to make a phone call and use a different PIN (6-8 digits) to unlock it.

My only complaint with NAB's security is the maximum limit on password length (8 characters) & you can't use symbols (!@#$%^&*). I normally use 10-12 character passwords & all character types.

Posted by: brad at July 30, 2006 11:18 AM
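The post's point, and the InfoWorld quote, is that a phisher sitting between the customer and the bank can relay whatever single-use code the customer types, whether it comes from a printed list like the one Captain Kirk describes, from a token whose six digits change on every use, or from an SMS. The following is an added illustration for this page, not code from the post, the comments, or any bank: it simulates that relay against a single-use code list, where the bank cannot tell a relayed code from a genuine one, and then against a code that commits to the amount and payee (the property an out-of-band message stating the transaction details can give, though whether any particular bank's SMS scheme does so is not established on this page). The TAN values, device secret, account names, amounts, and the HMAC-based code construction are all constructed assumptions for the example.

```python
"""Why a single-use code is relayed straight through a real-time phish,
and why a code bound to the transaction is not.

Added illustration for this page; not code from the post, the comments
or any bank. The TAN list, secret, account names and amounts are constructed.
"""
import hashlib
import hmac
import secrets


class TanListBank:
    """Bank that accepts a transfer with any unused code from the customer's list.

    The bank learns nothing about which transaction the customer believed
    they were authorising, so a relayed code is indistinguishable from one
    typed directly into the real site.
    """

    def __init__(self, tan_list):
        self.unused_tans = set(tan_list)
        self.ledger = []

    def transfer(self, amount, dest, tan):
        if tan not in self.unused_tans:
            return False
        self.unused_tans.discard(tan)   # single use, as with the printed list
        self.ledger.append((amount, dest))
        return True


def bound_code(device_secret, nonce, amount, dest):
    """Six-digit code derived from a secret AND the transaction it authorises.

    Toy construction (an assumption, not any bank's scheme): HMAC-SHA256 over a
    bank-issued nonce plus amount and destination, truncated to 6 digits.
    """
    msg = f"{nonce}|{amount}|{dest}".encode()
    digest = hmac.new(device_secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class BoundCodeBank:
    """Bank that recomputes the code over the transaction it is asked to execute."""

    def __init__(self, device_secret):
        self.secret = device_secret
        self.open_nonces = set()
        self.ledger = []

    def challenge(self):
        nonce = secrets.token_hex(8)
        self.open_nonces.add(nonce)
        return nonce

    def transfer(self, amount, dest, nonce, code):
        if nonce not in self.open_nonces:
            return False                    # unknown or already used challenge
        expected = bound_code(self.secret, nonce, amount, dest)
        if not hmac.compare_digest(expected, code):
            return False                    # code was minted for a different transaction
        self.open_nonces.discard(nonce)     # one code, one transaction
        self.ledger.append((amount, dest))
        return True


def phish_tan_list():
    """Victim enters the next TAN on a look-alike site; phisher spends it elsewhere."""
    tan_list = ["483912", "105577", "992031"]          # constructed
    bank = TanListBank(tan_list)
    victim_wants = (100, "ACC-friend")                 # what the victim meant to pay
    relayed_tan = tan_list[0]                          # captured by the fake site
    ok = bank.transfer(5000, "ACC-mule", relayed_tan)  # phisher's own transfer instead
    return ok, bank.ledger, victim_wants


def phish_bound_code():
    """Same relay, but the code commits to amount and destination."""
    secret = b"constructed-device-secret"
    bank = BoundCodeBank(secret)
    nonce = bank.challenge()                                  # relayed unchanged by the phisher
    code = bound_code(secret, nonce, 100, "ACC-friend")       # computed for the victim's intent
    altered = bank.transfer(5000, "ACC-mule", nonce, code)    # phisher swaps the payee: rejected
    same = bank.transfer(100, "ACC-friend", nonce, code)      # victim's own transaction: accepted
    replay = bank.transfer(100, "ACC-friend", nonce, code)    # second use of the same code: rejected
    return altered, same, replay, bank.ledger


if __name__ == "__main__":
    print("TAN list relay:", phish_tan_list())
    print("bound code relay:", phish_bound_code())
```

The first scenario is the one the post warns about: the printed list, the token and a plain SMS code all prove only that the customer has the second factor, not what the customer is agreeing to, so the relay succeeds. In the second, the phisher can still let the customer's intended transaction through, but cannot change the payee or amount without invalidating the code, and the consumed nonce stops the same code being replayed.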

I guess you can change your password every time you access your online bank account, inconvenient and paranoid but at least do something other than worry.

Posted by: Tony at July 31, 2006 07:43 AM

Captain Kirk,
This is exactly the security procedure that the Commonwealth Bank had back in the 1990s. I think it was called Phone Bank. They posted out a slip of paper that had a couple of columns of random 4-digit single-use transaction authorisation numbers. It used computer-generated voice prompts and the user entered digits using the phone keypad. To finalise the transaction you entered the next 4-digit code.
Once familiar with it, it was fast, easy, and convenient. Once the WWW became more widely known, they scrapped Phone Bank.
The only security problem I ever heard mentioned in the media was that sometimes a user would hang up or be disconnected by the phone system without logging out, but the next person dialling into the system would connect to the previous user's session. They could query the previous user's account, but because they didn't have the previous user's transaction numbers they couldn't transfer any funds.

Posted by: pacmanj at August 5, 2006 10:09 AM
