
Tracking down and eliminating the cause of a security breach.

One of my banking online accounts was breached. The bank’s fraud department could tell from the IP address that someone from the Ukraine had logged on. That bank does not use SSL/TLS encryption. So, I know that this was not as a result of the Heartbleed Bug that was recently discovered. I would really like to know how this happened so that I can avoid a recurrence.


I can think of two possibilities: 1) the problem with security on Safari that was fixed with a Mavericks update in late February and 2) key logging malware may have somehow been installed on my MacBook (2011 running Mavericks 10.9.2, Safari 7.0.3). I don't know of any other ways someone could have obtained my username and password for that account. I am changing passwords (and usernames where possible) on my online accounts using “strong” passwords. I do not access online accounts from unsecured wifi networks.


The bank said to run virus software on my computer which I used to do diligently when I was on a Windows PC before 2008, but I’ve read in these forums that running antivirus software on a Mac could cause more problems that it solves. What do you suggest I do to ensure that my MacBook is secure? I can post an EtreCheck report, if that helps.

MacBook Pro, OS X Mavericks (10.9.2), 17" late 2011 model Safari 7.0.3

Posted on Apr 19, 2014 12:11 PM

Question marked as Best reply

Posted on Apr 19, 2014 1:00 PM

  1. Have good security on your home wifi network, including timed access control (MAC address filtering).
  2. Running a one-time virus scan on your Mac would be reasonable to look for any malware that would be there now, but I would avoid keeping AV software running all the time. I have used Sophos and ClamX AV in the past and both seemed reputable.
  3. AV software is a hotly debated topic on this forum (especially among those with scant knowledge on the subject. The more scant the knowledge, the hotter the debate.) There is a good page here about Mac security: The Safe Mac » Mac Malware Guide : Do I need anti-virus software? Personally, I do not have any third party antivirus software running all the time in the background, because when I did, it slowed my Macs down, and never found any malware anyway (but was good at wasting my time with finding false positives). Macs are not PCs, OSX is not full of security holes the way Windows is, and there is not a swamp of viruses and other malware out there waiting to pounce on your Mac the way there is for PCs. It's not like there is no Mac malware out there, but there is way, way less out there than PC malware. If you are careful what you download (stay away from pirated software and ***********) and what attachments you open, you should be OK. Mavericks has anti-malware protection built into it already.
  4. The security problem from February was related to SSL and TLS, so if your bank does not use those, then that was not the issue. Apple Issues Fix for Security Problem on Macs - NYTimes.com And the keylogger thing seems rather far-fetched to me. More likely, you responded to a phishing email and gave them your username and password yourself. These emails are usually pretty easy to spot - usually the spelling and grammar are off. They smell, like bad fish, and thieves. In any event, you should not respond to some email with a link requesting your account info.
  5. Robust passwords are a very good idea. Mavericks makes this very easy to do and will remember them for you with industry standard encryption. If you are especially worried you can change your passwords regularly.
  6. I'd get a new bank.
14 replies

Apr 19, 2014 2:52 PM in response to arthur

Thanks for your response.

1) Although I don't have timed access, our wifi is secured.

2) I will look into a one-time run of a virus scan. I like that option much better than having it running all the time.

3) Although I knew that the topic of AV software on Macs was hotly debated, I thank you for your thorough explanation.

4) It sounds like the February Safari problem was similar to the recent Heartbleed Bug except from the computer end (via Safari) as opposed to the web site end where the SSL is implemented. Is that right? As for phishing, I absolutely never send login information to ANYone. As a matter of fact, my login information is not written or recorded anywhere. If my kids or family needs the info, I only give it to them verbally. As a matter of fact, I am so skeptical about emails that when I received the fraud alert email from the bank, I called the bank to verify that the email was legitimate. I have opened emails that end up being suspicious, but never download attachments or click on links.

5) I don't use the operating system or software to keep my passwords because that seems to defeat the whole purpose of keeping password to yourself.

6) Easier said than done, but worth considering.

Apr 19, 2014 5:45 PM in response to JSA on my Mac

JSA on my Mac wrote:


1) Although I don't have times access, our wifi is secured.

If not using a strong password with WPA2 encryption, it's not secure.


About the only way a Keylogger could be installed on your computer is if somebody had physical access to it or was given shared access by a user over the network. The only known malware capable of doing anything close to that is rare and has only been used against small targeted groups, such as Tibetan sympathizers. As a result, most A-V software doesn't even look for it. MacScan from SecureMac is the only one that specializes in Spyware and it's not very accurate, so be certain that you aren't trashing something needed by you or your software.


The Apple SSL flaw did not actually involve Safari at all. It was in the SecureTransport portion of the OS X security library which is used by many Apple applications that require a secure connection, including Mail and Messages. In any case, I don't see how that could have been used based on your description.

Apr 19, 2014 6:54 PM in response to JSA on my Mac

I can think of two possibilities: 1) the problem with security on Safari that was fixed with a Mavericks update


It's unlikely that that bug was ever exploited. It could only have been done if you were induced to visit a bogus website masquerading as the bank site, a very difficult trick to bring off.


2) key logging malware may have somehow been installed


Also very unlikely, but if you want to check for it, ask for instructions. Running any kind of "anti-virus" software is a complete waste of time.


By far the most likely causes of the breach are not the ones you mentioned, but rather these:


1. The bank's internal security was breached for reasons that have nothing to do with you. A common occurrence.


2. You used a weak password that could be guessed, or you used the same password on more than one site.


3. You fell for a "phishing" scam.

Apr 20, 2014 7:00 AM in response to JSA on my Mac

You say that your bank site does not use SSL/TLS. If that is true, how does your bank site protect the integrity of the connection? If the site is not using HTTPS (ie, encrypting the HTTP transactions with SSL/TLS), then all transactions would be completely open and available for snoops to intercept.


Most likely, you have mis-interpreted something that your bank told you. However, if this is true - if the bank site is not using HTTPS, and there's no lock icon anywhere in the address bar of your browser when logging into the site - then you need to immediately stop using all online functions, then find a new bank. Under no circumstances should anyone ever consider using a bank site that isn't using HTTPS! Unless you also would choose to use a bank that kept your money in a cardboard box hidden underneath someone's bed.


If the bank site is actually secure, then I would refer you to the reasons that Linc posted for a possible breach. Having a keylogger, while technically possible, is actually pretty unlikely.
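What the browser actually verifies before it shows the lock icon thomas_r. describes, as an added example that is not part of this thread or of any poster's code: standard-library Python only, the certificate dictionary `SAMPLE_CERT` and the `bank.example` hostnames are constructed, and `check_site` is the one function that goes on the network (with full chain and hostname verification, so a bad certificate raises before any data is sent).

```python
import socket
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a leaf certificate for a hypothetical bank, valid for calendar year 2014.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Bank (constructed)"),),
        (("commonName", "www.bank.example"),),
    ),
    "subjectAltName": (
        ("DNS", "www.bank.example"),
        ("DNS", "*.login.bank.example"),
    ),
    "notBefore": "Jan  1 00:00:00 2014 GMT",
    "notAfter": "Jan  1 00:00:00 2015 GMT",
}


def parse_cert_time(cert_time: str) -> int:
    """Seconds since the epoch for a notBefore/notAfter string as getpeercert() formats it."""
    return ssl.cert_time_to_seconds(cert_time)


def cert_names(cert: dict) -> list:
    """DNS names the certificate is valid for: the SAN entries, falling back to the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName":
                    names.append(value)
    return names


def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; a wildcard is only honoured as the whole leftmost label
    and stands for exactly one label (the rule browsers apply, per RFC 6125)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".login.bank.example"
        if hostname.endswith(suffix):
            leftmost = hostname[: -len(suffix)]
            return bool(leftmost) and "." not in leftmost
    return False


def hostname_matches(hostname: str, cert: dict) -> bool:
    """True if the site you typed is one of the names the certificate was issued for."""
    return any(_name_matches(name, hostname) for name in cert_names(cert))


def cert_status(cert: dict, hostname: str, now: float = None) -> dict:
    """The two things a user can eyeball in the certificate viewer: does the name match
    the site, and is the certificate inside its validity period (days_left goes negative
    once it has expired)."""
    if now is None:
        now = time.time()
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    return {
        "names": cert_names(cert),
        "hostname_ok": hostname_matches(hostname, cert),
        "time_ok": not_before <= now <= not_after,
        "days_left": int((not_after - now) // 86400),
    }


def check_site(hostname: str, port: int = 443, timeout: float = 5.0):
    """Connect with the default context (chain verified against the system root store,
    hostname checked) and report the negotiated protocol plus the leaf summary.
    A non-HTTPS port or an untrusted certificate raises instead of returning."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.version(), cert_status(tls.getpeercert(), hostname)


if __name__ == "__main__":
    import sys
    # Placeholder host; pass the real site on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "www.bank.example"
    print(check_site(target))
```

`check_site` returns the protocol string (for instance `TLSv1.2`) that the SSL Labs report later in the thread also lists; the manual `hostname_matches` and `cert_status` functions only re-implement, on a dictionary, checks the default context already performs, so that the reasoning behind the lock icon is visible and testable offline.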

Apr 20, 2014 10:18 AM in response to thomas_r.

It is entirely possible that the bank rep gave me the wrong explanation for why the Heartbleed Bug is not a problem for them. I only repeated what they told me. There is, of course, a lock icon on the web site as well as a "https" address. Below is a screenshot of the security certificate for the bank. Does anything about it look suspicious?

[Screenshot of the bank's security certificate, not preserved]

Apr 20, 2014 10:26 AM in response to Linc Davis

Linc Davis,

Of the options you suggest, the most likely would be a problem with the bank's internal security. The fact that none of my other online accounts seem to have been breached reinforces that notion.


I realize this is beyond the realm of Mac support, but do you know if there is a way to find out whether the bank experienced other breaches? I would think that the online fraud department would know, but they didn't mention anyone else having problems when I called about my problem. I called a trusted phone number to verify the legitimacy of the fraud alert email and then, I initiated the phone call to discuss it. The rest of the situation is described in my original post.

Apr 20, 2014 11:00 AM in response to JSA on my Mac

Sounds like the bank site is using SSL, then. Probably they told you that they're not using OpenSSL, which is the implementation of SSL used by most servers, and which is the one that was vulnerable. There are other implementations, though, which your bank could be using.


There is absolutely no way to find out if the bank suffered other breaches unless 1) you connect with a large number of other users of that bank and find out they also had breaches, or 2) the bank owns up to a breach.

Apr 20, 2014 11:05 AM in response to JSA on my Mac

Is the now-fixed Apple SSL flaw different from the Heartbleed Bug? They sound very similar.


They are actually very different. Apple's bug was a Mac OS X bug, and could have allowed malicious SSL certificates to be verified as legit, which could be used to induce "trust" on the part of the user for a malicious site. Heartbleed, on the other hand, is a server bug that allowed for random bits of data to be fished out of the server's RAM by malicious requests. See:


Apple’s “gotofail” SSL bug

What is Heartbleed?


(Fair disclosure: The Safe Mac is my site, and contains a Donate button, so I may receive compensation for providing links to The Safe Mac. Donations are not required.)

Apr 20, 2014 1:52 PM in response to JSA on my Mac

If you go to this web page you'll see that SunTrust gets an A- rating for both their servers and if you click on the IP address of each server you'll see a detailed analysis of each server and exactly what SSL and TLS they use:


https://www.ssllabs.com/ssltest/analyze.html?d=www.suntrust.com


Edit: Just noticed that OldToad showed this earlier, but you can drill down deeper using my approach.


BTW, an "A-" is very good.


