I use a dedicated PC to log in to my online bank accounts. That is because hackers have demonstrated that they can get in, take what they came for, and get out before anyone is the wiser. Even this extraordinary precaution is not a fool-proof method of avoiding attack: it still relies on my own diligence not to surf anywhere else with that PC (awareness), the configuration of my router and firewalls (controls), my determination not to defeat my own security restrictions for convenience (policy adherence), and on remembering why I am doing this activity in this way (process). Often, the bank and the account holder don’t find out about their losses until one or the other notices that the funds are gone, when the next transaction fails. There have been court cases lodged recently where US banks have refused to compensate the account holders, and the precedent being set may indicate future policy.
What is it that these hackers know that mere mortals do not? They understand human nature, and can gain access to PINs and passwords in several ways:
- Taking advantage of carelessness is the most common method. People often write their passwords down on a piece of paper and leave it where it can be found by others.
- Passwords are often re-used in multiple locations. One of those locations may not be as secure as all the others. Once that weak spot has been exploited, the others fall like dominoes.
- Browsers are often configured to store passwords and PINs as a convenience feature. Quite convenient for someone who is looking to steal your money.
- Trojans, botnet agents, and keyloggers are another possibility. These malicious programs can get onto a PC through infected emails and websites, or be downloaded directly as infected programs.
  - They operate in the background, capturing and relaying login details over your Internet connection.
  - They can interfere with anti-virus and other protective and detective software.
  - They will often establish themselves, take down your defenses, and then install other programs to ensure their success.
- Rogue wireless hotspots are another avenue:
  - They appear to be the real thing, and offer the services that your favorite hotspot would.
  - They are operated by scammers who have set up logging and sniffer programs on them to gather your details and credentials.
  - Some have encryption options, but those options generally need to be turned on.
Convenience still trumps security for most folks, because the risks are currently being absorbed by the banks.
- Don’t write your password down.
- If you absolutely MUST write your password down, keep it in a secure location.
- Find a method to obfuscate the password, like only writing half of it down, using word association, or adding letters before, amid, and after the actual password that you will remember to ignore.
- Use a secure password vault. Choose one with encryption so that it is not easily circumvented. There are free ones available for PCs, PDAs, smartphones…
None of us is guaranteed, even by taking all of these precautions and more, that some scumbag attacker won’t intercept or modify our credentials or accounts. However, even if banks and credit card companies decide that they will not reimburse careless customers any longer, if you have taken appropriate precautions, operated using due diligence, and protected your assets reasonably, a good lawyer will be able to change their minds.