To transfer money to someone via on-line bank service, there are three codes and a password I must know:
my user ID;
my password;
the number of my code card;
a code from my code card.
Now, I understand that a Trojan can spy out the first three, but how can a hacker possibly know a code from my code card, when there are 35 codes in my code card and each time I make a money transfer, a new code is required? Besides, after all the codes are used, I have to get a new code card.
So, my question is:
How could someone possibly hack my bank account and make a money transfer to his/her account?
A man-in-the-middle attack or just phishing could get you. The hacker tricks you into using one of your codes for some reason, but no actual transaction is done. The hacker then has an unused code to buy his robot (a GIRL robot!) with.
Just imagine the website where you’re entering your banking information does not belong to your bank, but it is instead created by a malicious hacker. They just copy the bank website, display it to you and forward the information you enter (e.g. your PIN) to your bank. So they can show you exactly the same thing as your bank shows you (except for the URL, in most cases). Just when you enter the final information that they need to perform some transaction in your name they do not forward it, but save it for themselves and just show you some error message. Then they have all the information they need to get some of your money.
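A toy model of the point made in the two replies above, added here as an illustration and not part of the original thread or any bank's real system. It assumes a hypothetical `CodeCardAccount` whose 35 six-digit codes are used in card order; payees and amounts are constructed.

```python
import random
import secrets


class CodeCardAccount:
    """Constructed bank-side model: a card of single-use codes, used in order."""

    def __init__(self, n_codes=35):
        # Unique six-digit codes, as printed on the customer's card.
        rng = random.SystemRandom()
        self.card = [f"{n:06d}" for n in rng.sample(range(10**6), n_codes)]
        self.next_index = 0
        self.ledger = []

    def transfer(self, code, payee, amount):
        """Accept the transfer if `code` is the next unused code on the card."""
        if self.next_index >= len(self.card):
            return False  # card exhausted, the customer needs a new card
        if not secrets.compare_digest(code, self.card[self.next_index]):
            return False  # wrong code, or a code that was already used
        self.next_index += 1  # each code works exactly once
        # Note: the check above never looked at payee or amount.
        self.ledger.append((payee, amount))
        return True


def simulate():
    acct = CodeCardAccount()
    card = acct.card  # the customer's paper copy of the same codes

    # Case 1: a keylogger records a code during a genuine transfer.
    logged = card[0]
    genuine = acct.transfer(logged, "landlord", 500)
    replayed = acct.transfer(logged, "stranger", 500)  # already used

    # Case 2: the customer types the next code into a look-alike page that
    # shows an error and never forwards it, so the bank still sees it as unused.
    withheld = card[1]
    relayed = acct.transfer(withheld, "stranger", 900)

    return genuine, replayed, relayed, acct.ledger


if __name__ == "__main__":
    print(simulate())
```

The replayed code is refused, but the withheld one is accepted for a different payee and amount, because in this model a code proves only that someone holds the card, not which transfer the customer meant to approve.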
Also, unfortunately a lot of banks don’t give out code cards or similar things. So all the spyware has to do is catch one transaction, and the hackers have the only password they need.
I’ve never heard of any US bank using the code cards described by the OP. Upon checking I see he/she is from Latvia. Yet another country with more advanced banking than the US.
OTOH, the fact they need to use a one-time pad to secure their banking transactions means perhaps things are a bit wilder over there than at first appears.
Yes, a keylogger will be thwarted by a code card, but most hackers aren’t bank thieves. Commonly, the payload of a trojan forces your computer to display more ads or asks for money to pay for a fake antivirus. These are very effective moneymakers. You can read about these money-making networks here:
There was a Swedish bank that used to use a system like the one in the OP; they changed it to something more secure after a couple hundred people fell victim to a phishing scam in 2006.
A real problem is that many people use the same password and name for everything. Imagine someone stole my password to the SD and I had the same password for my bank account. Well, the person could just go to banks at random and enter information to see what works. They wouldn’t have to phish the bank’s website.
This is why I always use PHONEY answers to questions. For instance, the bank will ask for my mother’s maiden name, or the street I grew up on, or my best friend. I don’t give real answers. I make up phoney answers; that way, even if someone were to find out my mother’s actual maiden name, it’s useless.
And I change my banking passwords at least 4 times per year. As for credit cards, at least once a year call them in as missing/stolen and have them issue you a new credit card with a new number.
When we were in the UK Barclays had a nifty device called a PINSentry (shown here) that you stuck your card into when you were banking online and it did all the code generation stuff for you. I think it basically required you were in possession of the card and the PIN as well as all the other details usually required.
It is becoming more common these days to see on-screen keyboards being used to log in to internet banking in order to thwart keyloggers.