Reduce Online Banking Risks

I use a dedicated PC to log in to my online bank accounts.  That is because hackers have demonstrated that they can get in, take what they came for, and get out before anyone is the wiser.  Even this extraordinary precaution is not a foolproof method of avoiding attack; it still relies on my own diligence to not surf anywhere else with that PC (awareness), the configuration of my router and firewalls (controls), my determination not to defeat my own security restrictions for convenience (policy adherence), and remembering why I am doing this activity in this way (process).  Often, the bank and the account holder don’t find out about their losses until one or the other notices that the funds are gone, when the next transaction fails.  There have been court cases lodged recently in which US banks have refused to compensate the account holders, and the precedent being set may indicate future policy.

What is it that these hackers know that mere mortals do not?  They understand human nature, and can gain access to PINs and passwords in several ways:

  • Taking advantage of carelessness is the most common method.  People often write their passwords down on a piece of paper and leave it where it can be found by others.
  • Passwords are often re-used in multiple locations.  One of those locations may not be as secure as all the others.  Once that weak spot has been exploited, the others fall like dominoes.
  • Browsers are often configured to store passwords and PINs as a convenience feature.  Quite convenient for someone who is looking to steal your money.
  • Trojans, botnet agents, and keyloggers are another possibility.  These malicious programs can get on a PC through infected emails and websites, or be downloaded directly as infected programs.
    • They operate in the background, capturing and relaying login details through your Internet connection.
    • They can interfere with anti-virus and other protective and detective software.
    • They will often establish themselves, take down your defenses, and then install other programs to ensure their success.
  • If you use your laptop to log in to your bank account while you are out of the office, your data can be intercepted by “evil twin” wireless hotspots.
    • They appear to be the real thing, and offer the services that your favorite hotspot would.
    • They are operated by scammers who have set up logging and sniffer programs on them to gather your details and credentials.
  • Phishing emails appear to come from a bank or credit card company, attempting to trick users into divulging their login details.  Some of them are quite convincing.
  • Smartphones are easily lost or stolen, and security vulnerabilities have been discovered on them just like on any other platform.
    • Some have encryption options, but those options generally need to be turned on.
    • Convenience still trumps security for most folks, because the risks are currently being absorbed by the banks.
There are of course more exotic techniques for breaking into PCs, and we cannot discount good old-fashioned B&E.  Your details can also be lost or stolen through breaches of company networks and systems, and there is always the risk of insider fraud.  All too often the loss of your credentials and your money can be attributed to lax security on the part of the account holder.  These incidents cost everyone more and more each year.  The banks “absorb” the costs of fraud by passing additional or increased fees on to ALL of their customers.  They have to in order to ensure their own success.

What are some of the things that each of us can do to reduce the risk of having our data and dollars compromised or stolen?

  • Don’t write your password down.
  • If you absolutely MUST write your password down, keep it in a secure location.
  • Find a method to obfuscate the password, like only writing half of it down, using word association, or adding letters before, amid, and after the actual password that you will remember to ignore.
  • Use a secure password vault.  Choose one with encryption so that it is not easily circumvented.  There are free ones available for PCs, PDAs, smartphones…
  • Don’t allow your browser to store your passwords.  Don’t be lazy.  Type them in.
  • Use anti-virus software, and keep it up to date.  It may not catch the latest threats, but it will protect you from known ones.
  • Supplement anti-virus software with services such as web-content filtering.  Again, there are free ones available, and they work for many of the things that A/V software doesn’t.
  • Make use of free software like Trusteer to ensure that your online banking is not interfered with.
  • Don’t trust “found” USB keys, be wary of ones provided by others, and be aware that even store-bought cheap ones can carry malicious software.
  • Don’t bank using “foreign” wireless.  Only trust systems that you are in direct control over.  Yeah, it ain’t convenient; suck it up, buttercup!
  • Banks and credit card companies WON’T ask for your password or PIN.  If they do, report them!
  • Ignore emails that seek personal information or credentials.  If they really want you, they have better ways to get in touch with you.
  • If someone calls your phone claiming to be with the bank or credit card company, be wary.  Always get them to provide a name and phone number, then look up the company’s number yourself.  Call the main number and ask to speak with whoever was calling you.
  • Be very careful with your small electronic devices.  They are sought-after targets, not just for their resale value, but for the information that they contain.
  • Keep your doors and windows locked, get homeowners’ insurance, invest in an alarm system, use web-cams to capture activity around your PC, and encrypt your personal data at home.

None of us is guaranteed, even by taking all of these precautions and more, that some scumbag attacker won’t intercept or modify our credentials or accounts.  However, even if banks and credit card companies decide that they will no longer reimburse careless customers, if you have taken appropriate precautions, operated with due diligence, and protected your assets reasonably, a good lawyer will be able to change their minds.