Ask HN: Credential Security
TL;DR; My internet banking credentials were compromised. I want to know how to better mitigate risk.
I use a KeePassX database as my password manager with a strong master password. It's synced to my laptop via syncthing, so it's not stored in the cloud. All my passwords are randomly generated, strong, and different. I use the official client on Solus Linux, and the Keepass2Android client on Android (Pixel 2).
My bank has not yet given me the official version of events. In fact, I do not trust them to provide the correct and actual version of events including details, as I have been given contradicting information from different sources at the company.
They believe the compromise occurred by a keylogger, or other method of stealing credentials, leading to a successful login. This was identified as suspicious, and my online account was suspended (good result). Although the resulting action taken by my bank is good, their communication of the issue is horrendous and I am going to lodge a complaint.
Now I do know that RSA is not infallible, however they would have needed my credentials + valid RSA token value to login successfully. This concerns me, and I will be asking my bank whether the token was used and is likely compromised.
I have changed all critical account passwords (bank, Google, socials, PayPal,etc) and also changed the password of my password database.
From my (limited) cyber sec knowledge I can think of the following ways the attackers could have gotten my creds.
1. Keylogger is present on one of my devices.
2. Hacked password store master password (unlikely unless keylogger).
3. Clipboard sniffing (I used to copy+paste from password manager to input fields,now I don't).
4. Social engineering (bank).
5. Brute force
6. Insider job (bank employee)
I want to be able to use internet banking and other critical payment services on my phone/laptop without risk of compromise. Can you provide any tips?
EDIT: Bank has indicated that there were coordinated logon attempts but no actual logon. So RSA was not compromised, just user + pass. Also about 60 customers were affected from what they say is the same attack.
2 comments
[ 5.7 ms ] story [ 19.5 ms ] threadI've dealt with people in your situation. In one instance the victim may have used their bank card in one of those payment apps which were then compromised.
For financially gained low sophistication crooks,they just want as much from your checking account as they can so getting your cc#,payment app login and similar access is good enough. No need to actually login to your bank.
That said,even with 2FA turned on,if you can reset it via email then they probably gained access to your email (again,phish) saw emails from your bank,reset 2FA ,delete email trail and login.
If you dont have 2FA on your email, see if you've gotten push notifications from your bank elsewhere.
If you're on windows my money is on banking trojan but email compromise is also likely. If not, I'e check your phone.