[clug] Secure your Internet facing stuff (was Re: googlebot doing funny things in logs)

Scott Ferguson scott.ferguson.clug at gmail.com
Thu Jun 16 22:21:07 MDT 2011


On Fri, 17 Jun 2011 08:33:59 +1000 Robert Edwards
> 
> On 17/06/11 06:33, Martijn van Oosterhout wrote:
>> On Thu, Jun 16, 2011 at 10:48:03PM +1000, Robert Edwards wrote:
<snipped>
>>>
>>> Does anyone actually _know_ of any instances where someone's bank account
>>> was accessed without proper authorisation over the Internet and the
>>> bank didn't work hard to fix the problem? Just curious.
>>

<snipped>

>>
>> Have a nice day,
> So that's a no? Not an actual instance of this happening?
> 
> Bob Edwards.

Yes. Still working to get the money reinstated.
Somehow a debit card which the (which) bank swore could only be debited
for the available balance in that stand-alone account was overdrawn by
an overseas (former USSR) company AND the bank then charged an
overdraft fee.

It took some time to recover the funds and I have been unable to recover
the overdraft fee - I'm considering pursuing that through the Banking
Ombudsman.
The amount fraudulently debited from my account was small - I've had
other frauds in the past for larger amounts (double dipping by Chinese
eBay traders) which were quickly and easily resolved by the bank.

In the current case the company name appearing on the statement
implied illegal pornography. No, I didn't and don't - and I presume that
most people seeing this company's trading name on their statement would
simply die of embarrassment and never consider confronting the bank. The
first two attempts to rectify the problem in person at the bank got
nowhere - only after writing and threatening to take the matter to court,
demanding evidence of authorisation, and threatening to use my ISP's records
and my firewall logs to show I couldn't have made the transaction did I
get my $12 back. I doubt the police would have initiated an
investigation over such a small amount. At that point in time that card
had only ever been used for eBay purchases, and only online - so it kind
of narrows down the number of places/people who would know my name,
address, credit card number, and security key.

The other incident was with a *very* well known international company
with Australian offices in Sydney and Melbourne, who offer a commercial
email hosting service. I decided to take up their offer of a "free
trial" so I could test the level of support for a client's needs. The
displayed terms were a 30 day "free trial", and, if at the end of the
period you liked it you would be charged $50, otherwise you'd lose your
emails and pay no fee. To begin you had to provide a valid credit card,
which I did. I was then denied the trial as the "transaction was
declined by your bank" (I only put money on the card equal to what I
intended to immediately spend). The account was then charged $1 - only
writing to the bank threatening legal action got my $1 back (petty I
know, but multiply it by all the other people and it's a good income for
nothing). Repeated calls to the relevant woman at the Sydney office got
me an answering machine but she never returned my call.

Oh, and then there's the various bogus "money-changing fees" that are
greater than the cost of the money being changed (US to OZ). Fat chance
getting "that" bank to refund those. $5 VOIP headset, free shipping, $12
money-changing fee.

Cheers