Online Banking: Is Your Money Safe?
by Vera Wilson
June 2006 Online
Every day, from the comfort of
their homes or offices, millions of people log on to their computers
to pay bills, transfer cash, or buy and sell stocks. Online banking
saves us countless hours of driving to the bank, waiting in line,
and writing checks by hand, not to mention the cost of stamps and
gas. But while we innocently enter our user names and passwords,
hackers could be watching every keystroke we make, as though they
were looking over our shoulder.
Welcome to the world of cyber
crime.
It’s a world Dr. Korukonda Murty
unwillingly entered last July when he came home from a trip abroad,
opened his mail, and discovered his E*Trade brokerage account had
been drained of almost $175,000. Assuming that some sort of clerical
mistake had been made, Murty, a nuclear engineering professor at
North Carolina State University, contacted E*Trade immediately. An
investigation revealed that cyber criminals had stolen Murty’s user
name and password and ordered E*Trade to liquidate his holdings and
deposit the money in a phony account in a foreign bank. An
e-mail sent by E*Trade asking for Murty’s approval for the
transaction was useless because the thieves had penetrated his
e-mail as well. Believing the request to be legit, E*Trade performed
the transactions. Many sleepless nights later and with the help of
the FBI, an attorney, and a local TV station’s troubleshooter
reporter, Murty has reached what he calls a satisfactory settlement
with E*Trade, although E*Trade maintains there was no breach in its
security system.
With online fraud stories such as
Murty’s flooding the headlines, consumers are experiencing a crisis
of confidence with respect to online banking. Results of a recent
survey performed by Entrust Inc., an IT security firm, show that 18
percent of respondents have decreased or stopped their use of online
banking, and 30 percent are worried that the banking Web site they
visit might not be the real one. “Two years ago, hackers were young
kids in the basement trying to impress their girlfriends,” says
Chris Voice, chief technology officer for Entrust. “But today, it’s
the criminals who are perpetrating the majority of these activities
for financial gain. It’s not a gloom-and-doom situation, but online
banking is definitely not hitting its potential because of these
concerns.”
Gone phishing
Cyber criminals, or fraudsters,
employ a variety of methods to rob your account. The most common are
phishing, pharming, and keylogging. In a phishing attack, an e-mail
that claims to be from a legitimate source tricks the victim into
divulging confidential information. With pharming, your Web browser
is hijacked, and when you attempt to visit your bank site, you are
diverted to a false site without your knowledge. Keylogging,
considered the most dangerous of the so-called spyware programs,
infects your computer with a hidden application that waits for you
to go to your banking Web site and then watches every keystroke you
make, thereby copying your password and any other confidential
information you enter. In all three cases, the theft of your
personal information gives the fraudster the tools he needs to steal
your money and identity.
Banking on new technology
If you’re ready to stuff your money
in your mattress, read on. Most banks already are stepping up their
security measures to combat the latest wave in cyber crime. Banks
frequently perform security risk assessments that help them pinpoint
their vulnerabilities and correct them accordingly.
Companies such as Entrust work with
banks to develop easy and cost-effective ways to authenticate the
user and the transactions they’re performing. “Banks want to deploy
a variety of different mechanisms,” says Voice. “They want to start
when you log in, with something transparent to the user like machine
authentication. If we know you’re on tour in Afghanistan and someone
logs in from Belarus, we know there’s a problem.” At this point, the
bank can ask you a security question, such as ‘What’s your favorite
football team?’ to make sure users are who they say they are.
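The layered login check Voice describes can be sketched as follows. This is an added example, not code from Entrust or any bank. The signed device token used for machine authentication, the demo key, and the names issue_device_token, device_is_known and login_decision are all assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo key (assumption); a real system keeps this in a server-side secret store.
SERVER_KEY = b"demo-key-not-for-production"


def _mac(user: str, device_id: str) -> str:
    """HMAC that ties one device identifier to one user."""
    msg = f"{user}|{device_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_device_token(user: str, device_id: str) -> str:
    """Hypothetical enrollment step: the bank hands the browser a signed token."""
    return f"{device_id}.{_mac(user, device_id)}"


def device_is_known(user: str, token: Optional[str]) -> bool:
    """Machine authentication: accept only a token this server issued to this user."""
    if not token or "." not in token:
        return False
    device_id, _, presented = token.rpartition(".")
    # Constant-time comparison so the check does not leak how many characters matched.
    return hmac.compare_digest(presented.encode(), _mac(user, device_id).encode())


def login_decision(user: str, password_ok: bool, token: Optional[str],
                   login_country: str, expected_country: str) -> str:
    """Return 'deny', 'challenge' (ask the security question) or 'allow'."""
    if not password_ok:
        return "deny"
    if not device_is_known(user, token):
        return "challenge"  # unfamiliar or forged device token
    if login_country != expected_country:
        return "challenge"  # e.g. expected Afghanistan, login arrives from Belarus
    return "allow"


if __name__ == "__main__":
    tok = issue_device_token("customer42", "laptop-01")  # constructed sample values
    print(login_decision("customer42", True, tok, "AF", "AF"))
    print(login_decision("customer42", True, tok, "BY", "AF"))
```

A correct password alone never yields 'allow' here: a stolen password used from an unenrolled machine or an unexpected country still hits the security question.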
Banks also are issuing external
devices such as smart cards, tokens, or numeric grids that look like
Bingo cards. They give customers a one-time access code that must be
entered along with the username and password, making unauthorized
log-in virtually impossible. The downside? It’s just one more thing
the user has to keep up with, and some banks are passing this cost
on to the customer. As if cell phones didn’t do enough already,
banks are starting to use them as a way to confirm the user’s
identity. In the future, fingerprint authentication may provide all
the verification we need, eliminating the need to keep up with any
external device.
If you still don’t trust your bank
to protect you online, safeguards built in by the government might
make you feel better. The Federal Reserve Board’s Regulation E states
that a consumer’s liability for unauthorized electronic fund
transfers can be as little as $50 — if you notify the bank in a
timely manner. A new mandatory guidance issued by the FFIEC, a
council that acts as a watchdog over financial institutions, has
given banks until the end of 2006 to install better online security
measures that will likely go well beyond what most banks have in
place today.
Alecia Kontzen, an e-commerce risk
manager with Wachovia Corp., a large financial services company,
likens the virtual world to a brick-and-mortar building. “It’s like
the house with a padlock on the front door,” she explains. “The
criminals are just going to go around and try the side door. You’re
only as strong as your weakest link.”
Our own worst enemy
One of those doors in the virtual
house leads to the user’s computer — and many of us leave it wide
open for cyber criminals to walk through. It’s far more likely that
they’ll invade your virtual house through your personal computer
than via a bank’s internal network. “That’s what scares me more than
anything — what customers have on their PC that we can’t control,”
says Kontzen. To minimize your risk of being attacked, here are some
steps you can take to protect your assets:
Keep up-to-date with antivirus
software, firewall programs and Windows patches. Murty’s
computer lacked antivirus software and had been infected with
malicious code that likely enabled the fraudsters to get what they
needed. Most banking Web sites offer reduced prices on several of
the antivirus software packages and firewall programs available to
consumers.
Change your password often, and
if you have to write it down, leave it in a secure place. Never
share it with anybody you don’t trust implicitly, and make it tough
to crack. One trick is to think of a favorite phrase such as ‘A dog
is man’s best friend’ and use the first letter of each word in the
phrase to create the password, in this case, ADIMBF.
Ignore e-mails that threaten to
close your account unless you provide certain personal information.
“Our bank will never ask you for information via e-mail,” says
Kontzen. And if you’ve just been told you won the Zimbabwe lottery
and your money will be deposited as soon as you provide your account
information, hit delete fast.
Take advantage of the online
banking feature that lets you check your account balance and
activity. Look for any suspicious transactions daily, if
possible. Not the pro-active type? Many banks let you set up alerts
that keep you informed of account activity via e-mail.
Restrict your banking activity
to your home computer when possible. With the abundance of
camera phones, you never know if someone is taking pictures as you
work on your laptop at the local Starbucks.
Opt to receive your statements
electronically rather than mailed to your home. Mail sitting in
your mailbox is much more vulnerable to theft than an e-mail.
Log off the Web site when you
finish your online banking. Staying connected increases your
risk dramatically. Most banks will log you off after a period of
inactivity, but the sooner you’re off, the better.
Contact your bank. What are
they doing to protect your assets? Do they offer any security
measures that you aren’t taking advantage of? What is their policy
regarding unauthorized removal of funds? E*Trade now promises to
cover any loss that results from the unauthorized use of their
services. Remember to ask specifically about your business account
if you have one — the policy can differ dramatically.
Check for two things when you
log on to your bank’s Web site: a master lock symbol at the
bottom of your screen and ‘https’ instead of ‘http’ in the address.
If they aren’t there, you’re definitely not on a reliable site.
So, is online banking secure? It’s
not 100-percent foolproof, but if you protect your virtual house
with as much diligence as you do the house you live in, your money
should be safe and sound.