— T_theft .. scam, fraud in addition to “hacked”
- .. also used in open blog
— kidnapScam .. I find this tag name striking, memorable albeit imprecise
- show-off
- high profile
- attracting unwanted attention like hostility or kidnap, or targeted scam
Category: T_theft
https://tanbinvest.dreamhosters.com/17194/t_theft_t_kidnapscam/
scam>>authorized transfer
“If you authorize a transfer or send money to a scammer, there’s often little we can do to help get your money back.” — Bofa warning.
When someone stole money from my credit US/Sg cards, it was easier to get the money bank. I think law-enforcement was on my side. Those educational experiences, like an inactivated virus, served as a vaccination.
- — unauthorized fund transfer
- someone peeking at your 9dot pattern
- someone guessing your password
- wifi snooping of your credentials
##2FA fund transfer #SCB
BOC, DBS and OC required hardware token when adding payee. For other banks, consider moneyLock
— SCB is more streamlined.
In most cases,
- the user needs nothing beside username/password to log in on a computer
- when she initiates a transfer, her phone would show a pop-up button,
even if she doesn’t enter any password on the phone - when she hits the pop-up Approve button. For small amounts, the transfer takes place without further checks.
- ^^ in summary, the imposter needs nothing but your username/password + your physical phone to transfer
However, to add payee, there’s an additional, 3rd layer of protection — the phone app would ask for a 6-digit pin.
In view of the streamlined procedure at SCB, here are a few safety habits
- good habit: change the password to something less “common”
- good habit: limit on third-party transfer: reduce to $1 in normal times. Temporary increase when needed.
- good habit: remove unused payees. Add them again when needed
##ePay limits ranked #Nets,Giro
dollar limits ranked from high to low:
- $50k local transfers[FAST..], $50k PayNow, $25k bill payment .. login required
- $2000 ATM/Nets .. PIN-protected
- GIRO .. Payment limit (fine-grained) configured for each payee. GIRO institutions are usually reputable because the bank itself maintains a short list of (roughly) 100 institutions only.
- $[20->50-100] debit card per-transaction limit.. usable by whoever holding the card, without password!
Note PayNow is slightly safer since payee name is shown.
— debitCard .. usable via payWave or swipe
Also limited by #104 balance.
$500 is the lowest in self-service eBanking, but I don’t like $500, so I had it call hotline to set $50 limit, visible in online banking AvailableLimit
If debit card charged by theft, then police (based on police report) need to run all the relevant cameras.
Q:!!way2protect against remote brute-force hacker#wifi,download,hints
New Special Protection — money-lock i.e. disable remote access. Hackers can’t impersonate you physically at a branch.
See also
- https://btv-open.dreamhosters.com/64579/passwd-site-traits/
widespread myth — even if you are 100% with passwords, devices,,, hackers can still break into your bank accounts.
.. reality — SPF has no confirmed case of money lost to brute-force remote hacking.
However, many of us do use free wifi, and download various software, so we aren’t 100% careful.
— Brute-force remote hacking .. by definition requires numerous repetitions of trial-n-error attempts.
Scenario 1: Suppose your password is weak in a financial_account without 2FA. A remote hacker is simply unable to impersonate you by trial-n-error, because every remote authentication system has a “kill counter” to detect log-in “retries” and lock down.
Scenario 3a: Suppose you save your FULL password in an encrypted file, and it is leaked. A remote hacker can indeed pay for a powerful compute farm (no trailing “r”) to crack file encryption. Once she gets your password, she can log in to your many financial_accounts without trial-n-error.
Tip: in your personal backup files, never save your entire password as is … better use hints. This way, a brute-force hacker can only see hints and need to try many times and get into Senario 1.
Scenario 3b: suppose your password transmission is encrypted but leaked due to eavesdropping… same result as 3a, but this is a widespread risk affecting millions of remote authentications every day. I trust financial institutions in their technical assessment and their encryption technology.
Tip: avoid using the same password across financial_accounts unless protected by 2FA
Tip: Periodically update passwords en-masse for ALL non-trivial financial_accounts. Usually up to 9 such sites.
— Q1: If brute-force remote hacking is so easy, then what (confirmed) case count would be a reasonable number?
A: Imagine a naive authentication scheme that converts every credential into a short “password” like a single byte. It’s like a cheap key that can open 10% of the lockers in an entire school. Chance break-in would be frequent. That’s a first scenario.
A: For a second , more sophisticated, scenario, suppose computing power improves enough to let any serious student easily crack 2FA by brute force, then banks would shut down all remote access, and require clients to always visit branches. Remote authentication would be phased out across all industries.
Remote authentication was accepted progressively across industries as system security strengthened demonstrably. When this trend reverses, each enterprise would have to find ways and retreat to earlier, /usable/ systems. Such “retreats” are not so rare — when air travel was considered unsafe during covid pandemic, the industry closed down.
A: for another, more realistic, scenario, suppose in a poor country, a bank physical vault is also easy to hack, then people would just put money under their pillow, rather than saving in the bank. However, under-the-pillow is also easy to hack in this poor country. So private posession would be impractical. We would return to a world without walls or fences, doors or windows.
A: Look at corporate bank accounts. They have many millions in balance and they are accessible through inet banking. If brute-force remote hacking is so easy, then these corporations would disable remote access.
— Q1b (related question): If car/bicycle locks are so easy to hack by anyone learning from youtube, then what (confirmed) case count is a reasonable number?
A: I would say half the cars would be hacked every year. I think brute-force car hacking is harder than that.
My conclusion as of 2024 — Admittedly, a determined brute-force hacker can use advanced technology to break into any layman’s account but it is not worth hacker’s effort. You CAN protect your money. Your good habits will deter remote hackers, and make their attempts unprofitable.
— bccy
How about crypto wallets and crypto trading accounts. If asset is stolen, law enforcements would offer limited assistance. However, most crypto trading accounts appear relatively safe.
Cold wallet is safer, somewhat comparable to money-lock. Vlad.T said bulk of the assets would be in cold wallet.
I perceive a big advantage of fiat currency account — fund transfer is usually traceable. Bank account or trading account opening process follows regulated, audited procedure. Recipient identity is usually known esp. for large transfers.
==== vulnerabilities
— cpf after 55 ..
— citi.NA