Gone are the days of balancing check books. The advent of online banking has made budget-keeping and bill-paying a convenient, if not automatic, transaction for adults managing their finances.
Which is why it's a prime target for cybercriminals.
According to a recent study by Fiserv, 80 percent of US households now do their banking online. The sheer number of customers is a likely attraction for threat actors. But what makes online bankers irresistible prey is that a breach results in direct access to their money—no need to bother with a ransom. That's probably why more than 25 percent of malicious activity online is aimed at financial institutions.
"Mobile banking has a tighter ecosystem than desktop online banking and some technical advantages that improve security," says Seth Goldstein, a Certified Information Systems Security Professional (CISSP) with nearly 20 years of experience in banking IT. However, mobile banking isn't foolproof. In 2016, Malwarebytes' Mobile Intelligence Database flagged more than 12,000 unique Android application packages (APKs) as banker Trojans.
How cybercrooks steal your cash
From social engineering scams to spear phishing, there's no method crooks won't try to get to your money. The most common techniques center on fooling you into a sense of security by pretending to be your bank. Whether that's in the form of a spear phishing email that copies the logos of your financial institution or spoofing your mobile banking app, criminals have become adept at pulling wool over the eyes of online bankers, who are now accustomed to receiving digital communication from their banks.
Smishing, or sending malicious text messages, has been a popular attack method for years, luring customers into entering their login credentials via text.
In 2014, several thousand JP Morgan mobile customers received a text message containing a link to this phony login screen.
With so many susceptibilities in both desktop and mobile online banking, it's important not only to choose a bank that offers high-level protection for your accounts, but also to take your own initiative to keep those accounts secure. That's why we've come up with 12 steps for safer online banking.
How banks protect your accounts
The first part of our 12-step program centers on the protections that banks have to offer for their customers. In choosing a financial institution with which to conduct your online banking, look for these top-level security measures. After all, banks have just as much to lose if you get breached.
- Two-factor authentication: These days, a strong password is not enough. The safest banks offer multiple-step login processes that require both something you know (a password and/or security questions) and something you have (your phone, which will receive a text message of a second code you'll need to enter to gain access).
- SSL-secured websites: On any website where a financial transaction takes place, secure communication is key. Look for the padlock icon to the left of the URL. If it's there, the information passed between your bank's server and your browser remains private. In addition, the URL should read "https" and not just "http."
- Automatic timeout sessions: Banks that close out your session after a few minutes of inactivity protect you from prying eyes and human error. Better to have to log back in than to have someone swipe your account numbers while you're on a bathroom break.
- Fraud monitoring: Any bank worth trusting with your money should have continuous, real-time monitoring for fraudulent activity such as large withdrawals or purchases made in new locations.
- Mobile password protection (fingerprint scanning): A twist on two-factor authentication right out of a spy movie, many mobile banking apps offer fingerprint scanning as an additional method of verification. The safest banking apps also require that phones be password protected if fingerprint scanning is to be used.
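The fraud-monitoring item above describes the kind of real-time rule a bank runs over account activity: flag withdrawals or purchases that are unusually large for the account, or that come from a location the account has never transacted from. The script below is an added illustration of that idea, not code from the original post or from any bank; the thresholds, the account profile structure, the `Transaction` and `AccountProfile` names, and all sample transactions are constructed for the example.

```python
"""Rule-based fraud screening over constructed transaction records.

Demonstrates the two rules named in the article: large withdrawals and
purchases from new locations. Thresholds and data are constructed for
this example; a real monitoring system tunes them per product and customer.
"""
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Set


@dataclass
class Transaction:
    account: str
    amount: float          # positive amount in the account's currency
    kind: str              # "withdrawal" or "purchase"
    location: str          # constructed country-region code, e.g. "US-CA"
    ts: int                # constructed epoch seconds


@dataclass
class AccountProfile:
    """Baseline built from an account's recent, non-disputed history."""
    known_locations: Set[str] = field(default_factory=set)
    amounts: List[float] = field(default_factory=list)

    def update(self, tx: Transaction) -> None:
        self.known_locations.add(tx.location)
        self.amounts.append(tx.amount)


# Constructed thresholds for the example.
ABSOLUTE_LARGE = 2000.0     # at or above this amount is always reviewed
RELATIVE_FACTOR = 5.0       # or at least 5x the account's average amount
MIN_HISTORY = 3             # relative rule needs a few transactions of history


def screen(tx: Transaction, profile: AccountProfile) -> List[str]:
    """Return the alert reasons for one transaction (empty list = looks normal)."""
    reasons = []
    if tx.amount >= ABSOLUTE_LARGE:
        reasons.append("large-amount")
    elif (len(profile.amounts) >= MIN_HISTORY
          and tx.amount >= RELATIVE_FACTOR * mean(profile.amounts)):
        reasons.append("unusual-for-account")
    if profile.known_locations and tx.location not in profile.known_locations:
        reasons.append("new-location")
    return reasons


def run_monitor(history: List[Transaction],
                live: List[Transaction]) -> Dict[int, List[str]]:
    """Build per-account baselines from history, then screen live transactions.

    Returns {timestamp: reasons} for every live transaction that raised an alert.
    Alerted transactions are not folded into the baseline, so one fraudulent
    purchase abroad does not make the next one look normal.
    """
    profiles: Dict[str, AccountProfile] = {}
    for tx in sorted(history, key=lambda t: t.ts):
        profiles.setdefault(tx.account, AccountProfile()).update(tx)

    alerts: Dict[int, List[str]] = {}
    for tx in sorted(live, key=lambda t: t.ts):
        profile = profiles.setdefault(tx.account, AccountProfile())
        reasons = screen(tx, profile)
        if reasons:
            alerts[tx.ts] = reasons
        else:
            profile.update(tx)
    return alerts


# Constructed sample data: "acct-1" normally spends small amounts in US-CA.
HISTORY = [
    Transaction("acct-1", 42.10, "purchase", "US-CA", 1000),
    Transaction("acct-1", 18.75, "purchase", "US-CA", 2000),
    Transaction("acct-1", 60.00, "withdrawal", "US-CA", 3000),
]
LIVE = [
    Transaction("acct-1", 25.00, "purchase", "US-CA", 4000),     # normal
    Transaction("acct-1", 400.00, "purchase", "US-CA", 5000),    # ~10x the average
    Transaction("acct-1", 35.00, "purchase", "RO-B", 6000),      # never seen location
    Transaction("acct-1", 2500.00, "withdrawal", "RO-B", 7000),  # large and new location
]

if __name__ == "__main__":
    for ts, reasons in run_monitor(HISTORY, LIVE).items():
        print(ts, reasons)
```

The design choice worth noting is in `run_monitor`: a transaction that trips a rule is held out of the baseline until a human or the customer confirms it, which is exactly why the "report suspicious activity right away" advice later in the post matters to the bank's own detection.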
How you can protect your accounts
The second part of our 12-step program is all about user education and action. Once you've found a bank that can pull out all the online security stops, it's your turn to step up the game.
"The SANS Digital Forensics and Incident Response group published a poster a couple of years ago with the catchphrase, 'Know Normal…Find Evil,'" says Goldstein. "This should be the mantra for online and mobile banking users."
Take these precautionary measures to understand what's normal communication from your bank, what's suspicious, and what you can do to ward off malware attacks.
- Beware of phishing emails and texts. Keep a sharp eye on email and text communications from your bank. Unless you are absolutely certain of the email or text's origin, avoid clicking through links, especially if they ask for login or other personal identification information.
- Report suspicious activity right away. "One of the most important benefits of Internet and mobile banking is the convenience for users to check balances frequently," says Goldstein. He recommends customers follow their account activity in order to quickly identify and report abuse. "It’s much easier for banks to research and take action on recent transactions, and it gives you the best leverage to recover any losses."
- Make sure you download the official app of your bank. Whether downloading from Google Play or the App Store, be sure to check reviews, read summaries carefully, and double and triple check who and where the app comes from.
- If possible, don't use a public computer or public Wi-Fi for banking. If you don't have Internet access at home, make sure you sign out of your account before closing the browser. And if you're sitting at a café working on your blog, that's not the best time to catch up on your bill-paying. Public Wi-Fi is much easier to breach than your own password-protected home connection.
- Buy a computer just for bills. For those willing and able, purchasing a laptop dedicated only to financial transactions helps limit the potential for infection and breach. That means online banking and bill paying only. No checking email. No surfing the web. No social media. Start up, check accounts, and shut down.
- Customize online banking transactions. Take a look at the admin controls of your online banking accounts. Some banks let you limit online transaction capabilities, like international wire transfer. The less you do online (without completely hindering the convenience of online banking), the safer your money is.
- Layer your security. The more the merrier. Firewalls can stop known threats, while anti-malware, anti-ransomware, and anti-exploit technologies cover advanced threats like malvertising and ransomware. And to protect against those malicious mobile banking apps, consider an anti-malware program for your Android or iPhone.
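The "beware of phishing emails and texts" item above, together with the earlier advice to look for "https" before trusting a page, amounts to one question: does this link really go to my bank, over an encrypted connection? The script below is an added example that turns that question into a check, not code from the original post or from any bank. The bank domain list (`BANK_DOMAINS`), the function names, and both sample messages are constructed for illustration; the `.example` domains are reserved names that resolve nowhere.

```python
"""Assess links found in a bank-branded message against the bank's real domains.

Added example. BANK_DOMAINS is a constructed allow-list for a hypothetical
bank; a customer would substitute the domains printed on their own card or
statements. Sample messages are constructed.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# Constructed allow-list: registrable domains the hypothetical bank actually uses.
BANK_DOMAINS = {"examplebank.com", "examplebank.co.uk"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_belongs_to(host: str, domains: Iterable[str]) -> bool:
    """True only if host equals one of the domains or is a '.'-separated subdomain.

    'examplebank.com.verify.example' is NOT a subdomain of examplebank.com,
    and neither is 'myexamplebank.com'; only an exact match or a suffix match
    preceded by a dot counts.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_link(url: str) -> Tuple[str, List[str]]:
    """Return (url, problems). An empty problem list means the link looks legitimate."""
    problems: List[str] = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme.lower() != "https":
        problems.append("not-https")            # the padlock/https advice from the article
    if parts.username is not None:
        problems.append("credentials-in-url")   # bank name before '@' is not the host
    try:
        ipaddress.ip_address(host)
        problems.append("ip-address-host")      # banks serve from names, not bare IPs
    except ValueError:
        pass
    if not host_belongs_to(host, BANK_DOMAINS):
        problems.append("unknown-domain")
    return url, problems


def assess_message(text: str) -> List[Tuple[str, List[str]]]:
    """Extract every link from a message and assess each one."""
    return [assess_link(u) for u in URL_RE.findall(text)]


# Constructed samples: a smishing-style text and a legitimate statement notice.
SAMPLE_SMS = ("ExampleBank alert: unusual login detected. Verify now at "
              "http://examplebank.com.verify.example/login")
SAMPLE_EMAIL = "Your statement is ready: https://online.examplebank.com/statements"

if __name__ == "__main__":
    for message in (SAMPLE_SMS, SAMPLE_EMAIL):
        for url, problems in assess_message(message):
            print(url, "->", problems or "looks legitimate")
```

The subdomain test in `host_belongs_to` is the part people get wrong by eye: a hostname that merely *starts* with the bank's name, or contains it somewhere, is not the bank's domain. Only the rightmost labels decide where a link goes.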
For the safest online banking experience, it's best if you live by two credos. One is to know thyself. By keeping an eye on your online accounts and credit score, you can stay on top of abuse. The second is to know thy adversary.
"Your bank doesn’t ask you to confirm account details via email or call you for personal information," says Goldstein. "There is no urgent matter that requires verifying your responses to ‘secret’ questions or sharing the CVV code on the back of the card to prove your identity."
Simply put: if you are asked to share account details in any way—don't. And if you want to pay it forward, notify your bank's call center when you receive these suspicious communications. You just might help to protect the next online banker, too.