Internet banking security

Updated: 01 Jun 2011

Introduction

How safe is online banking? We look at how banks protect you and what you can do to protect yourself.

While we love internet banking for its convenience, there's a trade-off between convenience and security. This fine – but crucial – line has to be walked by all banks that offer online banking.

We surveyed 11 banks to find out how they protect their customers.

Bank security


Online banking is popular, with 81 percent of internet users using it at least weekly. Many banks reward customers with low fees (or no fees) for online transactions because of the huge savings to them in time and productivity.

This must make internet banking a no-brainer – right?

Well, not entirely. Internationally, the e-crime “industry” is estimated to be worth more than US$10 billion. And e-crime brings unique policing challenges because of its anonymity, global nature and speed. A recent report by Deloitte (an international consulting firm) on cyber-crime noted that many institutions underestimated its threat, operating under "reactive" security that left them vulnerable.

Our survey

In March 2011 we surveyed 11 banks about the process customers went through to access their accounts online – ANZ, ASB Bank, BankDirect, BNZ, HSBC Bank, Kiwibank, The National Bank, PSIS, RaboDirect, TSB Bank and Westpac.

Simultaneous logins

One issue that came out of the survey was that just under half the banks allowed you to log in on more than one computer at the same time – which could let someone else access your account without your knowledge, while you were logged in.

The National Bank and ANZ said that if this unauthorised access occurred, it would raise a flag with their detection team. PSIS has recently launched a website on which simultaneous log-ins are no longer possible. On TSB Bank's site this has not been possible since May. Kiwibank stated its IT experts had never found or heard of simultaneous log-ins causing significant security problems and it considered it a non-issue.
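The two approaches the banks describe above (blocking a second simultaneous log-in outright, or allowing it but raising a flag with a detection team) come down to how the bank's session store treats a new log-in for a customer who already has one open. The following is an added illustration written for this article, not code from Consumer NZ or any of the banks surveyed; the `SessionStore` class, its two policy names and the customer IDs and IP addresses are all constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    token: str
    customer_id: str
    client_ip: str


class SessionStore:
    """Hypothetical bank session table with a concurrent-login policy.

    policy="single":         a new log-in ends any session already open for the
                             customer, so two parties can never hold the account
                             at once (whoever was logged in first is logged out,
                             and notices).
    policy="allow_and_flag": both sessions stay open, but the second log-in
                             raises an alert for the fraud-detection team.
    """

    def __init__(self, policy: str = "single"):
        if policy not in ("single", "allow_and_flag"):
            raise ValueError("unknown policy")
        self.policy = policy
        self.sessions: dict[str, Session] = {}   # token -> session
        self.alerts: list[dict] = []

    def _open_for(self, customer_id: str) -> list:
        return [s for s in self.sessions.values() if s.customer_id == customer_id]

    def login(self, customer_id: str, client_ip: str) -> str:
        existing = self._open_for(customer_id)
        if existing:
            if self.policy == "single":
                for old in existing:
                    del self.sessions[old.token]
            else:
                self.alerts.append({
                    "customer_id": customer_id,
                    "existing_ips": sorted({s.client_ip for s in existing}),
                    "new_ip": client_ip,
                })
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        self.sessions[token] = Session(token, customer_id, client_ip)
        return token

    def is_valid(self, token: str) -> bool:
        return token in self.sessions

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)


if __name__ == "__main__":
    # Constructed walk-through: the same customer logs in from two addresses.
    strict = SessionStore("single")
    first = strict.login("cust-1", "203.0.113.5")
    second = strict.login("cust-1", "198.51.100.9")
    print("single policy, first session still valid:", strict.is_valid(first))

    flagged = SessionStore("allow_and_flag")
    flagged.login("cust-2", "203.0.113.5")
    flagged.login("cust-2", "198.51.100.9")
    print("allow_and_flag policy, alerts raised:", flagged.alerts)
```

With the `single` policy the bank does not have to decide who the intruder is: ending the earlier session means the legitimate customer is either still in control or is visibly logged out, which is the cue to call the bank. The `allow_and_flag` policy preserves convenience and leaves the judgement to the detection team, which is only as good as the follow-up on the alert.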

Two-factor authentication

10 of the 11 banks use two-factor authentication devices as part of their security set-up, some as an optional extra and others as a standard part of the account. (Kiwibank doesn't use it, while BankDirect requires it for online transactions over $500.)

Two-factor authentication means a constantly changing access number (randomly generated by the bank’s authentication device) used in combination with the customer's username (or number) and password.

This extra level of security is harder to breach than passwords or customer numbers. But it isn’t invincible. This year RSA Security – the US company that provided two-factor authentication to ANZ and ASB – warned that highly sensitive data relating to its authentication devices had been stolen. While both New Zealand banks are satisfied their customers are not threatened by this security breach, it’s a sobering illustration of the growing ingenuity of e-criminals.
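To show what a "constantly changing access number" is underneath, here is an added example of how a one-time-password token and the bank-side check can work. It is not code from Consumer NZ, RSA or any bank, and the article does not say which algorithm the banks' devices use; the example uses the open HMAC-based construction (RFC 4226, with the time-based variant of RFC 6238) as an assumption. The seed value is the RFC test-vector secret, not a real token seed. The code is not random at all: it is computed from a secret seed shared between the device and the bank, which is why stolen seed material, rather than any one intercepted code, is what would undermine a token.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226).

    seed:    the secret shared between the bank and the customer's device
    counter: the step number (for a time-based token, current time // step)
    """
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the current 30-second step."""
    return hotp(seed, unix_time // step, digits)


class TokenVerifier:
    """Bank-side check for a time-based token.

    Accepts one step of clock drift either way, and never accepts a code for a
    step at or before the last accepted one, so a code that was captured while
    the customer typed it cannot be replayed.
    """

    def __init__(self, seed: bytes, step: int = 30, drift: int = 1):
        self.seed = seed
        self.step = step
        self.drift = drift
        self.last_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter < 0 or counter <= self.last_counter:
                continue  # before time zero, or already used
            if hmac.compare_digest(hotp(self.seed, counter), code):
                self.last_counter = counter
                return True
        return False


# Constructed demo seed (the RFC 4226 test-vector secret), not a real token seed.
DEMO_SEED = b"12345678901234567890"

if __name__ == "__main__":
    # Device and bank compute the same code from the shared seed; the customer
    # types it alongside username and password. The second use is refused.
    code = totp(DEMO_SEED, 59)
    bank = TokenVerifier(DEMO_SEED)
    print(code, bank.verify(code, 59), bank.verify(code, 59))
```

Two details matter for a practitioner: the comparison uses `hmac.compare_digest` so that timing does not leak how many digits matched, and the verifier tracks the last accepted step so a code is single-use even within the drift window.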

Additional protection

All the banks also have strong background-security systems that can't be detected by the customer. Banks also offer reimbursement to victims of internet fraud with the proviso that they have taken the necessary precautions to protect themselves – for example, not disclosing passwords to others and making sure security software is installed on their computer.

Banking Code of Practice

While the Banking Code of Practice covers consumers for most cases of internet banking fraud, the banks don't guarantee to reimburse you – so you should still make sure your computer is secure. However, the Office of the Banking Ombudsman tells us very few cases are brought by scam victims: this suggests that consumers who’ve been caught by scams are settling any issues satisfactorily with their banks.

Self protection


There are 2 main frauds to look out for:

Social engineering scams
You’re the weakest link in most security setups. So these types of scams use confidence trickery to get information out of you without time-consuming attacks on your computer software. This kind of scam is also known as “phishing” because scammers are fishing for your banking or identity details.

They work by sending you an email that looks like a legitimate message from your bank. You’re asked to provide personal details for plausible reasons such as security upgrades, providing a refund, or even protection from fraud. The email will usually contain a link to a site which closely resembles your bank's genuine website (and there are reports in Australia of sophisticated scammers directing victims to automated “call centres” to allay their suspicions).

Key-logging
This is when the scammer installs a program on your computer to record or “log” every key you type. It then sends these records (passwords and credit card numbers) to the person who installed it. Key-logging programs are insidious and can lurk inside all sorts of downloads – such as e-greeting cards from less reputable sources and links in dodgy emails.

Tip: If you are worried that you may have fallen prey to a scam, don't hesitate to notify your bank immediately. It may be able to assist you, or even prevent the damage.

How can you protect yourself from these attacks?

  • The Golden Rule: Never give anyone your password or your PIN. Your bank may contact you but it will never ask for these details. Anyone who does is a scammer.
  • Install a security program on your computer and keep it updated. Without it, your computer will be fair game to e-criminals.
  • Change your passwords regularly and make sure they are hard to guess by including numbers as well as letters. Also try to use different passwords for different sites.
  • Look for warning signs within an email – are there spelling mistakes? Is the name of your bank spelt slightly differently from usual?
  • Call your bank first, even if you think the communication is legit. It never hurts to check with a real person at the bank.
  • Don't click on email links – if you want to look at your bank's website, always type it into your browser. That way you can be certain you’re going to the right place.
  • Be wary of opening links in any email – and particularly links that end in .exe (they’ll install a program on your computer). Make sure you know a link is trustworthy before you open it. Also check you have a secure connection whenever you do a financial transaction: it’ll always have “https” at the start.
  • Don’t do your banking on public computers such as those in internet cafes or libraries – they may be infected with key-loggers.
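Several of the warning signs above (a bank name spelt slightly differently, a link without "https", a link ending in ".exe") can be checked mechanically, which is what a mail filter or a cautious reader does before clicking. The following is an added example written for this article, not code from Consumer NZ or any bank; the bank domain `examplebank.co.nz` and the sample links are constructed. It goes one step beyond the list by also catching a link whose host merely starts with the bank's name but belongs to some other domain, which a glance at the address bar can miss.

```python
from urllib.parse import urlparse


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character bank-name lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(url: str, bank_domain: str) -> list:
    """Return warning codes for a link in an email that claims to be from the bank.

    bank_domain is the bank's real registrable domain (constructed here as
    "examplebank.co.nz"). The link is clean only if its host is that domain or
    a subdomain of it, the scheme is https, and it is not an executable.
    """
    warnings = []
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    if not host:
        return ["unparseable"]
    if parsed.scheme != "https":
        warnings.append("not-https")
    # Compare only the trailing labels of the host with the bank's domain, so
    # that examplebank.co.nz.somewhere-else.example is not taken for a subdomain.
    depth = bank_domain.count(".") + 1
    candidate = ".".join(host.split(".")[-depth:])
    if candidate != bank_domain:
        if edit_distance(candidate, bank_domain) <= 2:
            warnings.append("lookalike-domain")
        else:
            warnings.append("not-bank-domain")
    if parsed.path.lower().endswith(".exe"):
        warnings.append("executable-download")
    return warnings


# Constructed sample links, as might appear in legitimate and phishing emails.
SAMPLES = [
    "https://www.examplebank.co.nz/login",
    "http://www.examp1ebank.co.nz/secure/verify",
    "https://examplebank.co.nz.verify-account.example/login",
    "https://files.example/statement.exe",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, assess_link(link, "examplebank.co.nz"))
```

A clean result does not prove a link is safe (the real site can still be reached through a compromised computer), which is why the advice to type the bank's address yourself stands; the check is for catching the obvious fakes before they are clicked.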


Smartphone security


5 banks – Westpac, ASB, ANZ, BankDirect and National – offer online banking on your smartphone. Other banks are working to develop it.

Smartphones are mini-computers and just as vulnerable to e-crime as your PC. One example is the fake banking app that turned up on Google’s Android phones – many people entered their banking details before the fraud was discovered.

So you need to take the same precautions on your smartphone as you do on your PC. New security measures for banking via mobile phones – such as biometrics – may emerge in the future, but for now play it safe and make sure security protection is loaded on to your phone. It may pay to avoid mobile banking until security is more certain.

How to protect yourself

  • Install a security program – there are now mobile security apps that can identify and remove suspect apps.
  • Make sure no one can see you enter sensitive information into your phone.
  • Lock your phone when you’re not using it, so it’s not accessible to others.
  • Turn off any settings that automatically save passwords.
  • Be wary of banking apps – in a recent American security test of 6 popular banking apps only 1 passed.
  • Don't lose your phone!


Electronic transfers

It may come as a surprise that funds transferred electronically don't always appear in your account right away. Most banks have a ceiling for what they’ll clear immediately – for example $5000. Anything above this must go through the same round of checks as a cheque deposit.

Though this seems counter to the “convenience” of online banking, these are important security checks to make sure the funds are coming from a legitimate source or are actually available.

As well, banks have various security obligations for electronic transfers under the 2009 Anti-Money Laundering and Countering Financing of Terrorism Act.



Report by Amanda Lyons.