With keylogger, hacker will receive your login ID, password & TAC that you input to real online banking in no time. Normally TAC has an expiration of 30 mins to few hours so hacker could use all the 3 info to conduct online transction during that small window.

That also means external random key generator also not secure as long keylogger is operating.

Keylogger is some sort of trojan that running in the background without user's knowledge. Normally planted to PC via free downloaded apps, games or software from net.

PC must be protected by reputeable antivirus such as Symantec, McAfee and etc. Of cause the virus def must up to date.

Refer to my earlier explanation then you will understand why the hacker don't event need to change the phone no. Basically make use of the same TAC within the small validity window.

Hacker can wait until the genuine user logout and betting on TAC is still valid for next transaction.

If I can get hold of the stolen ATM card and PIN, I rather withdraw cash directly from ATM machine. No electronic traces left compare to intenet banking which could be traced all the way to the location of the fraud origin.

---

Added on October 11, 2008, 12:09 pmThe victim must prove it is a genuine fraud else bank is not liable for the loses. Sad by facts.

Once I was hit by credit card being cloned and used for refuel petrol. The bank dropped those transactions without much questions becuase

1. It was used to pump dif brand of petrol that I used to.
2. The locations were not the place I frequent to.
3. The transactions amount and frequency were significantly dif from my regular refuel amount.

Transaction was perfromed everyday around midnite time for fewdays before it was detected by the bank and card was blocked by fraud preventive systems.

This post has been edited by patricktoh: Oct 11 2008, 12:09 PM

The petrol station or "merchant" (in credit card terminology) bears the loses. I can tell you that bank is always well protected from any fraud loses. If the card holder can't prove fraud then he/she has to absorb the loses. Else the merchant has to absorb because it allows fraud transaction.

I work in banking & finance industry so can share with you some insight of the urgly practices.