The Risks of Online Banking

Legend has it (incorrectly, it seems) that infamous bank robber Willie Sutton, when asked why banks were his favorite target, responded, "Because that's where the money is."

The modern-day Willie Suttons of the world target bank Web sites for the same reason. With online transactions, money is represented in the form of electronic records of ownership, which means online bank robbers will be able to steal more money, in less time, than by stealing literal currency--and they don't even need a getaway car. But that doesn't mean internet banking necessarily has to be a riskier proposition.

"Internet banking is terribly secure," says Brad Adrian, an Internet banking analyst with Gartner. "Financial services providers...make their systems as secure as possible."

But, he says, "unscrupulous people using phishing, keystroke collection, or similar activities" to steal your passwords or account numbers are a growing challenge.

Going Phishing

Phishing scams, in which attackers use spoof e-mails and Web sites to lure users into entering personal financial information and communications (such as credit card numbers, bank account information, and passwords), have increased in the last many months. Yet even though public awareness of these scams has grown, people continue to fall victim to them in increasing numbers.

The click-via rate on phishing e-mails is 3 percent, estimates Avivah Litan, vice president and research director at Gartner. That compares with a response rate of about 0.5 percent for spam, he says. One possible reason for this: People take e-mail from their bank very seriously, he says. In part the solution is better client education, he adds, but banks could also do more to prevent the scams from working in the first place.

Online criminals--including those who phish for a living--have become even more sophisticated, creating fraudulent Web sites and e-mail messages that are harder to detect. Professional phishing criminals even work current events into their attacks to make them seem more realistic: One fairly new scam, for example, posed as an e-mail soliciting campaign donations.

To combat the growing trouble, credit card issuers and financial institutions are experimenting with new technologies to make cards harder to forge and easier for consumers to use.

But some of these attempts might be misguided. For example, some companies are experimenting with so-referred to as contactless payments. An RFID chip embedded in a card would let a client pay by simply waving the card toward the RFID reader. Still unanswered is the question of whether users would have to either leave their credit cards in the car or enclose them in Mylar (which blocks the radio signals these cards emit), to prevent card records from being stolen while they walked with the help of stores. Next month, card companies and credit card issuing banks will weigh the trade-offs between the convenience of contactless payments and the risks to consumers at the Smart Card Alliance Conference.

Safeguard Yourself

For users trying to assess the defense of an online transaction--banking or otherwise--the Public Key Infrastructure group, an business association that deals with card safety, recommends users look at five aspects of the transaction: depositor authentication, member authorization and privacy, protection of the purchase information, and nonrepudiation (meaning a customer cannot deny their actions after they click the "acquire" button).

Authentication (are the parties to a transaction who they operate as?) and authorization (does just about every party have the authority to carry out the actions?) can pose major problems for individuals. How will be able to users be sure they have reached a legitimate bank Web site? And how are going to the bank make sure the person logging in to your account is really you?

One interesting concept that might partly solve this difficulty is termed "shared secrets." You send a file to the bank, perhaps a photo of your kids. When you log in to the bank Web site, that picture is displayed. If you don't see the picture, you know you've reached the wrong site. The concern, of course, is that you have to type in your user ID and password before seeing the picture. While this verifies the bank's Web site to you, the bank must still make sure it's really you on the other end of the transaction.

To be effective this solution requires a second layer of security. Gartner's Adrian suggests that the client be required to click on a predetermined area of the picture. Even superior, the depositor could be required to click on a sequence of areas in a specified order. For example, if you uploaded a photo of your dog, you would click on his nose and then his mouth. Some banks are also looking into using so-called two-factor authentication, where you have to enter two passwords to log on: Your own password, and a "throwaway" password on a scratch-off card the bank sends you in your monthly statement. After you've used the throwaway password, you (or a details thief) may never use it again.

If your internet bank doesn't offer this type of safety, there are still steps you can take to shield yourself.

Make sure your internet banking password is at least six characters long and includes both letters and numbers. Avoid using the same password you use for other sites, and avoid obvious combinations such as your street address or the combination of your first initial and last name. If your institution allows it, generate a hard-to-guess user name as well.

If you receive an e-mail allegedly from your bank, never click the link in the e-mail message. Instead, type the URL of your bank right into the browser's Address bar yourself, and forward the e-mail to a known, legitimate bank e-mail address. Chances are excellent that, if you ask the bank if it sent the e-mail you received, you'll find out it didn't.

If you believe you've reached your bank's Web site, check the security certificate before you type in any personal communications. In Internet Explorer, select File, Properties and click the Certificate button. The name on the certificate should match your bank's name. Then select View, Privacy Report to see more details about the site's privacy policies.

Most banks insist that you use a browser with at least 128-bit encryption. Also, remember that most Trojan horse viruses are aimed at Internet Explorer. To be extra safe, try using an alternative browser, such as Mozilla, Mozilla Firefox, Opera, or Netscape.

If you have an "always on" Internet connection, never store your internet banking information and communications on the PC. Adrian, the Gartner analyst, stores his online passwords in an encrypted area of his PDA. He also suggests using many different passwords, and keeping track of them with the PDA. Of course, you then have to worry about battery life, but in the long run that's less important than an unexpected, precipitous drop in your checking account balance.

The bottom line: Internet banking need be no more risky than its offline counterpart, as long as you take the time to protect yourself.

Compare the Best Online Banks in the market. Visit http://onlinebanking-options.com