8 Things Banks Can Do to Make Online Banking Safer


Banking online by visiting a bank’s website directly to perform typical transactions like checking your balance, reviewing and reconciling your recent transactions, paying bills, or transferring money, is generally safer than doing the same in person, whether at an ATM or a teller. Your information is encrypted and you can take care of your business in the privacy of your own home. There are some dangers, however.

Most commonly, the danger lies in your own computer. If your computer is infected by a virus or a Trojan horse, your account information, like identification name, password, PIN, and secret word, could be recorded by this program and secretly transmitted to someone who will use the information to drain your account. Less frequently, the bank’s database containing customer information can be compromised.

I’ve seen many lists with tips for customers who want to ensure that their online banking experience is safe. For example, customers should always look for the padlock icon in the browser when visiting a banking website, always verify the URL in the address bar has https (note the “s”) before entering a password, and never click on links in emails that claim to come from a bank (phishing). Other general security tips include keeping your passwords private and maintaining up-to-date virus and spyware scanners on your computers.

But there are certain things banks can and should do to keep up their end of the bargain. Many banks already follow some or all of these suggestions, but smaller banks may not always have the money to implement these features. If safety is your concern, look for banks that have put effort into these ideas.

1. Require multi-factor authentication.

A user name or number and a password or PIN are no longer enough. Most banks still operate their websites by asking the customer for only a user name and a password to log in. This method is highly vulnerable to phishing and Trojan horse programs. Some banks have implemented additions to this process to enhance security.

ING Direct, in addition to a customer number or PIN, requires you to enter the answer to one of several questions, such as “What was your high school mascot?”, selected when the account was created. In this case, the question is only asked the first time you log into the bank from any particular computer, though you may be asked to reconfirm every month.

2. Avoid using input fields in web forms.

The most common way to allow a customer to enter information, like a user name and password, into a website is to use a “web form.” Web forms can be encrypted, but their existence is a signal to malicious people who want to steal users’ information.

HSBC Direct requires two passwords, though the second is called a “security key.” Rather than typing the security key using the letter and number keys on the keyboard, the bank’s website presents the customer with a graphic. He or she must use the mouse or other pointing device to click the letters and numbers within the graphic in order to gain access.

3. Require strong passwords.

I am lazy. I have hundreds of passwords I must remember for various websites and applications. People tend to deal with password overload by using the same password for multiple systems or by choosing words that are easy to remember. Banks can’t do anything about customers who use the same password across several institutions, but they can enforce “rules” for determining passwords. The strongest passwords are a mix of letters, numbers, and punctuation. No combination of letters found in the dictionary should be allowed. For example, meaty613 is a weak password while yk1lt3m^ is much stronger.

A minimum of eight letters, numbers, or punctuation marks would help to strengthen passwords as well. Long passwords with a combination of characters not found in the dictionary will help to reduce the chances of someone — a friend who knows what you might choose or a computer program that has the ability to use “brute force” techniques to keep trying different passwords until it finds one that works — guessing the right combination. Banks can enforce these rules.
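One way a bank could enforce the rules above (an eight-character minimum, a mix of letters, digits and punctuation, and no dictionary word), as an added example that is not code from the original post; the word list is a small constructed stand-in for a real dictionary:

```python
import re
import string
from typing import List

MIN_LENGTH = 8

# Constructed stand-in for a real word list; a bank would load a full dictionary.
DICTIONARY = {"meaty", "flexo", "password", "bank", "money", "acura", "camaro"}


def password_problems(password: str) -> List[str]:
    """Return every policy rule the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    # Every run of letters is checked against the word list, so "meaty613"
    # is rejected because the trailing digits do not hide the word "meaty".
    for run in re.findall(r"[A-Za-z]+", password):
        if run.lower() in DICTIONARY:
            problems.append(f"contains the dictionary word '{run}'")
    return problems


def is_strong(password: str) -> bool:
    """True when the password satisfies every rule in the policy."""
    return not password_problems(password)
```

Note that this catches only whole words split by digits or punctuation; a real deployment would also want a much larger word list and checks for common substitutions.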

4. Use a dynamic key.

To access my work’s network from home or any other remote location, I have a SecurID token. Every sixty seconds, a new six-digit number appears on the token. This number, in combination with a PIN, is required in order for me to log into work from home. Obviously, sending SecurID tokens to every bank customer would be a large expense for any reasonably-sized bank. There are other ways to use dynamic keys, or passwords that change over time.

I am unaware of any bank that currently offers this, but one way to implement a dynamic key would work like this: You enter your user name, strong password, and second authentication key through the bank’s website. The bank retrieves your user account information, including your cell phone number or mobile email account and sends you a text or e-mail message with a dynamic key. You are then required to enter this key into the website.

5. Require password changes every thirty days.

In a world where we have hundreds of passwords to memorize, being required to change passwords every thirty days is a huge annoyance. It also invites laziness. I know many people who simply change the number at the end of their password each month, cycling through passwords like flexo1, flexo2, flexo3, and flexo4 each month. Many banks will choose not to implement this rule simply because it is seen as not user friendly. And yes, I would be annoyed if every bank required me to change my password every month. It’s a trade-off between security and convenience.

6. Lock accounts after detecting three failed log-in attempts.

If a bank detects a series of incorrect passwords for any one account, it should disable the account from being accessed through the web. Most people do not guess their passwords. By requiring a telephone call, during which the customer service representative asks more authentication questions, banks can ensure the rightful account owners can quickly regain access to their accounts while protecting accounts experiencing someone trying to “hack” their way in. Note that the bank should not send an email with a link to unlock the account because the email account may have been compromised, as well.
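The dynamic key from point 4 and the three-strikes lockout from point 6 combined into one login flow, as an added example rather than any bank’s real code; the account store, the phone number, the five-minute key lifetime and the message-gateway callback are all constructed for the demo:

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_FAILURES = 3        # point 6: disable web access after three failed attempts
KEY_TTL_SECONDS = 300   # assumption: the texted key is valid for five minutes


@dataclass
class Account:
    password: str                 # demo only: a real bank stores a salted hash
    phone: str                    # constructed out-of-band contact for the demo
    failures: int = 0
    locked: bool = False
    pending_key: Optional[str] = None
    key_expires: float = 0.0


class BankLogin:
    """Two-step login: password first, then a dynamic key delivered out of band."""

    def __init__(self, accounts: Dict[str, Account], send_message: Callable[[str, str], None]):
        self.accounts = accounts
        self.send_message = send_message   # SMS/e-mail gateway, injected so tests can capture it

    def step1_password(self, user: str, password: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        acct = self.accounts[user]
        if acct.locked:
            return "locked"                # only a phone call to the bank clears this
        if not hmac.compare_digest(acct.password.encode(), password.encode()):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked = True
                return "locked"
            return "bad-password"
        acct.failures = 0
        # Point 4: mint a fresh six-digit key and send it to the phone on file,
        # so a stolen password alone is not enough to get in.
        acct.pending_key = f"{secrets.randbelow(10**6):06d}"
        acct.key_expires = now + KEY_TTL_SECONDS
        self.send_message(acct.phone, f"Your one-time login key is {acct.pending_key}")
        return "key-sent"

    def step2_key(self, user: str, key: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        acct = self.accounts[user]
        if acct.locked or acct.pending_key is None:
            return "denied"
        expired = now > acct.key_expires
        matches = hmac.compare_digest(acct.pending_key.encode(), key.encode())
        acct.pending_key = None            # single use: burn it whether or not it matched
        return "logged-in" if matches and not expired else "bad-key"

    def unlock_by_phone(self, user: str) -> None:
        """Called by a customer-service rep after extra questions, never via an e-mailed link."""
        acct = self.accounts[user]
        acct.locked = False
        acct.failures = 0
```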

7. Contact the customer after every transaction.

Banks could increase security by informing their customers of each transaction that takes place in the account. When I initiate a transfer at ING Direct, the bank sends me an email to let me know that it has been initiated. If someone else had accessed my account and transferred money out, I would know within minutes and could contact the bank immediately.

ING Direct has also begun to contact me when other companies pull an ACH debit. My electric and gas bill is configured to be paid in full every month from my ING Direct account, and each month, I receive a notice from ING Direct when the ACH is accepted. Rather than email, a quick text message might be considered unobtrusive enough for activity confirmations.

8. Require up-to-date antivirus and spyware detection software.

In order to log into my network at work from a remote location, I am required to be running the latest version of an antivirus application. The brand doesn’t matter; I could be running McAfee or AVG Free. AVG Free is one of my favorite security suites. It provides state-of-the-art protection from malicious software (malware), and it’s free.

Banks can install a small application through their website that detects the presence of protective software like AVG Free, McAfee, or Norton, and determines whether the software is up-to-date. If no antivirus software is installed and running in the background, then the customer is presented with options for installing protection. Preventing unprotected computers from accessing the website will help reduce the frequency of stolen account information through phishing.

Some of the above suggestions may be considered annoying or excessive for customers. Banking over the internet is generally safe, but malicious individuals increase their knowledge and ability all the time. They adapt faster to security implementations than banks adapt to new methods of breaching. In the worst case, hackers — or people who pay hackers — can steal not only your money but your identity. I understand that cleaning up the mess left behind when your identity is stolen can be one of the most grueling processes one might ever experience. It may be worth some inconvenience to add more layers of protection between the world and your bank accounts.

Updated September 16, 2011 and originally published January 28, 2009.

About the author

Luke Landes, also known as Flexo, is the founder of Consumerism Commentary. He has been blogging and writing for the internet since 1995 and has been building online communities since 1991.

17 comments

Miranda

While it can sometimes be tedious to jump through all of these hoops when accessing your account online, it is nice to know when banks are trying to protect you. And, even with the hoop jumping, I’d rather do my banking online than go down to the bank…

nickel

Hmmm. I just tried logging into your bank with “flexo1” but it didn’t work. Maybe you already changed it for February? ;)

Harsh

DBS Singapore gives secureID tokens to its customers. As secure as it gets.

Bryan Short

Sorry, but your last point actually reduces security to some degree. Those programs that “test” a user’s computer for up to date virus programs/definitions and MS updates (like cisco clean access agent) are a NIGHTMARE for anyone who doesn’t use Microsoft software. So, in effect, these programs kick off the MOST secure users who choose to use *NIX based OSs, like Linux, BSD, Mac OSX, etc. Ultimately, these “secure access” policies, only weaken the security profile because they discriminate against users who use platforms that are MUCH less prone to viruses, malware, trojans, rootkits.

Also, if you are accessing the bank’s website through your browser, such programs do not work as they are not SSL-based systems, but rather use different VPN protocols. And don’t get me started on user-agent string in browsers, those are so easily overcome as to be laughable.

Security does not require breaking the internet for a large (and growing) number of users.

UH2L

I think that making password requirements harder in terms of forcing them to be “stronger” makes sense, but making people change them too often is counterproductive and forces people to share passwords across many sites due to not being able to remember. I suppose having different passwords for all your credit cards and financial accounts makes sense, but sharing them with other non-critical sites is no big deal. The problem with getting locked out is that it’s very inconvenient. Perhaps just getting an email and delaying transactions if they occur after 3 or more invalid attempts or adding an additional security level in these cases would work. I wrote about our society and how many passwords we need today and how it is such a pain. You might enjoy it…

http://uh2l.blogs.com/things_ive_noticed/2006/02/passwords_are_r.html

Dion

Sorry but I only agree with #3.

For #1, answers may change or the questions are always the same. My mother’s middle name may not be that difficult to locate, especially with social engineering. Or my favorite sports team may change. Or I might forget how an answer was formatted such as my first car being an “Acura TL” or “Acura TL Type S”.

For #2, if the computer is infected with a sophisticated keylogger, the images can also be captured through screenshots.

I agree with #3. However, a lot of financial sites do not support characters outside of a-z and 0-9. Some do not even recognize capitalization. I like the idea of having a minimum of 8 characters. I do not like a minimum higher than 8, such as Emigrant Direct which has a minimum of 10.

For #4, too costly and if I lose the token, I’d have to wait for days for a replacement. And is it something I carry with me as an inconvenience or is it so important that it belongs in a firesafe or safety deposit box?

For #5, every 30 days is ridiculous. I have 10+ financial accounts. I wouldn’t want to change it that often. Sarbanes-Oxley for businesses is every 90 days. If people have to change it every 30 days, people will start writing them down or coming up with lazy algorithms such as passwordMMYY where “password” is a keyword of their choosing and “MMYY” is the last time they changed the password. It can even be current for that month.

For #6, 3 is too little. What if the caps lock is on, and you don’t realize it right away. 5 or 10 is a good number. A dictionary attack would be stopped.

For #7, too much hassle.

For #8, I run a Mac and I enjoy not having any anti-virus software. On my Windows PC, I don’t want a bunch of resource hogging programs running either.

Rassah

I think it’s Chase that does #4 (I have many bank accounts, so I don’t remember which one). After your initial log-in, and after they ask for security questions, they give you an option to receive a key via text or e-mail, and you need to use that key to authenticate your computer (get a cookie).

NickFadz

Regarding the first point, asking more than one question is not formally “multi-factor”. In true security terms, the three factors of authentication are something you know (a username or a password for example), something you have (like a SecurID token that changes the number every so often) and something you are (like a fingerprint reader or iris scanner). Asking multiple questions, while potentially adding a layer of security, is not considered to be multi-factor as all questions fall into the category of “something you know”.

Bank of America has started to offer a SecurID type token or Text Message built in called SafePass (http://www.bankofamerica.com/privacy/index.cfm?template=learn_about_safepass). This is for logging in to their web site as well as for verifying online transactions. I believe this to be a good step in helping to secure debit and credit card transactions as it is truly a multi-factor solution requiring something you know (your PIN) and something you have (the card verified by typing in the SecurID).

SD Guy

Great ideas – I’ve seen some of them, like you posted, with the banks I’m working with already. I’d feel much much better if all of these ideas were used. I wonder with the fingerprint scanners coming out with laptops now if there’s a way they can include biometric security into account access.

David C

Paypal offers a SecurID-like device: https://www.paypal.com/securitykey and it only costs $5. The only downside is that you’d probably end up having one for each bank: that might motivate you to only have accounts with one or two institutions :-|.

thomas

thanks for the list. don’t agree with all of them, but there are definite improvements that need to be made for online banks.

Pev

Some of these ideas are good. But I don’t know, maybe having way too much security could be a great hassle. I mean we all have so many passwords already and if we have to change the password for our bank account every 30 days could be too overbearing.

NickFadz

One of the ideas that would eliminate the need for having multiple usernames and passwords and having to remember which ones go to which places is a system called Federated Identity Management. Essentially, you have a single centralized account which you use to give access to all of your other accounts. Google does this a little bit where you use your Google login to access Gmail, your personalized Google home page and Blogger for example. The key here is to make sure that the security surrounding the central account is managed properly (using three-factor authentication as I’ve described above for example) but properly configured, a system like this would be convenient as well as secure.

Apex

I work in the field of computing. I have strict password requirements and changes on many accounts constantly.

I am of the firm opinion that this decreases security. So what do I do? I have a rotating formula that follows a date pattern of the last time my password was required to be changed, so if you can figure out the other beginning part of my password and discover my scheme you have a much shorter password you need to figure out, and then just add the numeric representation of the date on there that I use and you would be in. That’s how I get around the nightmare of constantly rotating passwords. Some systems refute my scheme by checking that I don’t use any repeating sequences from one password to another. I have a simple solution to this too: pw.txt, which sits right on my desktop and lists all my logins and passwords that are required to change constantly and have strict rules about repeating sequences between passwords.

Am I being a bad computer user by using these techniques? I don’t know any other way to do it. I can’t remember 15 different passwords that change every 30-90 days. I would be contacting IT to get my passwords reset every week.

I see people with postits on their computer etc.

If you try to make security so tight that it is not possible for people to comply, they will circumvent it by using techniques such as I describe, which are less secure than if you simply made your security reasonable.

Password requirements must be sufficiently stringent to make sure the password is not simply an easy word, but it must support a reasonably secure password that is accepted in most systems (Emigrant Direct, as mentioned above, with their 10-character minimum is too long. It should be 8. Most people don’t have 10-character passwords, so the Emigrant password gets stuck on the sticky note; nice going for security).

I think the system in place that most banks use now of a password, a security image, and a couple of individualized questions is quite good. (On a side note, I try to pick the types of questions that most systems have in there, and so I only have about 8 or so different questions across all systems, and the answers are always real easy for me to remember because I choose ones that are not ambiguous and I always give the most simple answers. For example, acura TL as mentioned above would never be used. Something simple like acura or camaro would be used, always 1-word answers, no spaces and no capitalization on all answers; otherwise it’s too complicated again.)

Again, my main point is security must be functional or it will be circumvented. Tighten it down too much and you actually loosen it. Less is more!

Andrew

PayPal’s Security Key also works via text message, so if you already have a texting plan it costs you nothing. I think this would be a very good option to increase security for those who want it.

PT Money

I think it helps to also have a very liberal insurance policy / theft protection. While you can minimize them, you can’t stop every breach. Hopefully the bank will do whatever it takes to make things right after a theft or loss.

Jules @ The Francophile Files

Good post. ING is also offering Trusteer, some sort of additional security measure. Has anyone downloaded it yet? I haven’t heard much about it so if you have the scoop on this technology, that would be greatly appreciated. Merci.
