
Posts tagged as: hacking

Banking online by visiting a bank’s website directly to perform typical transactions like checking your balance, reviewing and reconciling your recent transactions, paying bills, or transferring money, is generally safer than doing the same in person, whether at an ATM or a teller. Your information is encrypted and you can take care of your business in the privacy of your own home. There are some dangers, however.

Most commonly, the danger lies in your own computer. If your computer is infected by a virus or a Trojan horse, your account information, like identification name, password, PIN, and secret word, could be recorded by this program and secretly transmitted to someone who will use the information to drain your account. Less frequently, the bank’s database containing customer information can be compromised.

I’ve seen many lists with tips for customers who want to ensure that their online banking experience is safe. For example, customers should always look for the padlock icon in the browser when visiting a banking website, always verify the URL in the address bar has https (note the “s”) before entering a password, and never click on links in emails that claim to come from a bank (phishing). Other general security tips include keeping your passwords private and maintaining up-to-date virus and spyware scanners on your computers.

But there are certain things banks can and should do to keep up their end of the bargain. Many banks already follow some or all of these suggestions, but smaller banks may not always have the money to implement these features. If safety is your concern, look for banks that have put effort into these ideas.

1. Require multi-factor authentication. A user name or number and a password or PIN are no longer enough. Most banks still operate their websites by asking the customer for only a user name and a password to log in. This method is highly vulnerable to phishing and Trojan horse programs. Some banks have implemented additions to this process to enhance security.

ING Direct, in addition to a customer number or PIN, requires you to enter the answer to one of several questions, such as “What was your high school mascot?”, selected when the account was created. In this case, the question is only asked the first time you log into the bank from any particular computer, though you may be asked to reconfirm every month.

2. Avoid using input fields in web forms. The most common way to allow a customer to enter information, like a user name and password, into a website is to use a “web form.” Web forms can be encrypted, but their existence is a signal to malicious people who want to steal users’ information.

HSBC Direct requires two passwords, though the second is called a “security key.” Rather than typing the security key using the letter and number keys on the keyboard, the bank’s website presents the customer with a graphic. He or she must use the mouse or other pointing device to click the letters and numbers within the graphic in order to gain access.

3. Require strong passwords. I am lazy. I have hundreds of passwords I must remember for various websites and applications. There is a tendency for people to deal with password overload by using the same password for multiple systems or choosing words that are easily memorable. Banks can’t do anything about customers who use the same password across several institutions, but they can enforce “rules” for determining passwords. The strongest passwords are a mix of letters, numbers, and punctuation. No combination of letters found in the dictionary should be allowed. For example, meaty613 is a weak password while yk1lt3m^ is much stronger.

A minimum of eight letters, numbers, or punctuation marks would help to strengthen passwords as well. Long passwords with a combination of characters not found in the dictionary will help to reduce the chances of someone — a friend who knows what you might choose or a computer program that has the ability to use “brute force” techniques to keep trying different passwords until it finds one that works — guessing the right combination. Banks can enforce these rules.
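The rules in suggestion 3 (at least eight characters, a mix of letters, numbers and punctuation, and no dictionary word inside the password) are the kind of thing a bank can enforce in code at account creation and at every password change. The check below is an added example, not code from the original post or from any bank; the word list is a constructed stand-in for a real dictionary, and the minimum word length it looks for is an assumption.

```python
import string
from typing import List

# Constructed stand-in for a real dictionary (assumption for this example);
# a bank would load a full word list here.
DICTIONARY = {"meat", "meaty", "flex", "password", "bank", "money", "secret", "letter"}

MIN_LENGTH = 8          # "a minimum of eight letters, numbers, or punctuation marks"
MIN_WORD_LENGTH = 4     # assumed: ignore very short words such as "a" or "an"


def contains_dictionary_word(password: str) -> bool:
    """True if any dictionary word of MIN_WORD_LENGTH or more letters appears
    anywhere inside the password, compared case-insensitively."""
    lowered = password.lower()
    return any(len(word) >= MIN_WORD_LENGTH and word in lowered for word in DICTIONARY)


def check_password(password: str) -> List[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.ascii_letters for c in password):
        problems.append("no letters")
    if not any(c in string.digits for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    return problems


def is_strong(password: str) -> bool:
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ("meaty613", "yk1lt3m^"):
        verdict = "accepted" if is_strong(candidate) else "rejected"
        print(candidate, verdict, check_password(candidate))
```

Run on the post's own examples, meaty613 is rejected twice over (it has no punctuation and contains the word "meaty"), while yk1lt3m^ passes every rule. The dictionary check is a substring test rather than a whole-word test on purpose: bolting digits onto a word, as in meaty613, is exactly the habit the rule is meant to stop.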

4. Use a dynamic key. To access my work’s network from home or any other remote location, I have a SecurID token. Every sixty seconds, a new six-digit number appears on the token. This number, in combination with a PIN, is required in order for me to log into work from home. Obviously, sending SecurID tokens to every bank customer would be a large expense for any reasonably-sized bank. There are other ways to use dynamic keys, or passwords that change over time.

I am unaware of any bank that currently offers this, but one way to implement a dynamic key would work like this: You enter your user name, strong password, and second authentication key through the bank’s website. The bank retrieves your user account information, including your cell phone number or mobile email account and sends you a text or e-mail message with a dynamic key. You are then required to enter this key into the website.

5. Require password changes every thirty days. In a world where we have hundreds of passwords to memorize, being required to change passwords every thirty days is a huge annoyance. It also invites laziness. I know many people who simply change the number at the end of their password each month, cycling through passwords like flexo1, flexo2, flexo3, and flexo4. Many banks will choose not to implement this rule simply because it is seen as not user friendly. And yes, I would be annoyed if every bank required me to change my password every month. It’s a trade-off between security and convenience.

6. Lock accounts after detecting three incorrect passwords. If a bank detects a series of incorrect passwords for any one account, it should disable the account from being accessed through the web. Most people do not guess their passwords. By requiring a telephone call, during which the customer service representative asks more authentication questions, banks can ensure the rightful account owners can quickly regain access to their accounts while protecting accounts experiencing someone trying to “hack” their way in. Note that the bank should not send an email with a link to unlock the account because the email account may have been compromised, as well.
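Suggestions 4 and 6 fit together as a single login flow: the password is checked first, three wrong guesses lock the account until the customer phones in, and a correct password only earns a one-time dynamic key sent to the customer's phone or e-mail, which must then be entered before the session is granted. The code below is an added example of that flow, not code from the original post or from any bank. The message gateway is simulated by a list, the five-minute key lifetime is an assumption, and the password hashing (PBKDF2) is the author's choice for the example, not something the post specifies.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

MAX_FAILURES = 3        # suggestion 6: lock after three incorrect passwords
KEY_TTL_SECONDS = 300   # assumed lifetime of a dynamic key (five minutes)

# Stand-in for the SMS / e-mail gateway: collects (contact, key) pairs that would be sent.
SENT_MESSAGES = []


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    contact: str                      # phone number or mobile e-mail address on file
    failures: int = 0
    locked: bool = False
    pending_key: Optional[str] = None
    key_expires_at: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen database does not give up passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(username: str, password: str, contact: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, hash_password(password, salt), contact)


def send_dynamic_key(account: Account, now: float) -> None:
    # Six random digits, valid once and only for KEY_TTL_SECONDS.
    account.pending_key = f"{secrets.randbelow(10**6):06d}"
    account.key_expires_at = now + KEY_TTL_SECONDS
    SENT_MESSAGES.append((account.contact, account.pending_key))


def check_password(account: Account, password: str, now: Optional[float] = None) -> str:
    """Step one of the login. Returns 'locked', 'wrong' or 'key_sent'."""
    now = time.time() if now is None else now
    if account.locked:
        return "locked"
    if not hmac.compare_digest(hash_password(password, account.salt), account.password_hash):
        account.failures += 1
        if account.failures >= MAX_FAILURES:
            account.locked = True     # web access stays off until a phone call clears it
            return "locked"
        return "wrong"
    account.failures = 0
    send_dynamic_key(account, now)
    return "key_sent"


def check_dynamic_key(account: Account, submitted: str, now: Optional[float] = None) -> bool:
    """Step two of the login: the key is single-use, time-limited and compared in constant time."""
    now = time.time() if now is None else now
    if account.locked or account.pending_key is None or now > account.key_expires_at:
        account.pending_key = None
        return False
    matched = hmac.compare_digest(submitted, account.pending_key)
    account.pending_key = None        # consumed whether or not it matched
    return matched


def unlock_after_phone_verification(account: Account) -> None:
    # Called only after a customer service representative has verified the caller;
    # deliberately no e-mail link, since the mailbox may be compromised too.
    account.failures = 0
    account.locked = False


if __name__ == "__main__":
    acct = create_account("flexo", "yk1lt3m^", "+1-555-0100 (constructed number)")
    print(check_password(acct, "yk1lt3m^"))        # key_sent
    _, key = SENT_MESSAGES[-1]
    print(check_dynamic_key(acct, key))             # True
    print(check_dynamic_key(acct, key))             # False: the key was already used
```

Two details carry most of the security value: the dynamic key is discarded after one comparison, whether or not it matched, so a key captured by malware on the customer's computer cannot be replayed; and a locked account rejects even the correct password, so the lock cannot be bypassed by a guess that happens to land on the fourth try.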

7. Contact the customer after every transaction. Banks could increase security by informing their customers of each transaction that takes place in the account. When I initiate a transfer at ING Direct, the bank sends me an email to let me know that it has been initiated. If someone else had accessed my account and transferred money out, I would know within minutes and could contact the bank immediately.

ING Direct has also begun to contact me when other companies pull an ACH debit. My electric and gas bill is configured to be paid in full every month from my ING Direct account, and each month, I receive a notice from ING Direct when the ACH is accepted. Rather than email, a quick text message might be considered unobtrusive enough for activity confirmations.

8. Require up-to-date antivirus and spyware detection software. In order to log into my network at work from a remote location, I am required to be running the latest version of an antivirus application. The brand doesn’t matter; I could be running McAfee or AVG Free. AVG Free is one of my favorite security suites. It provides state-of-the-art protection from malicious software (malware), and it’s free.

Banks can install a small application through their website that detects the presence of protective software like AVG Free, McAfee, or Norton, and determines whether the software is up-to-date. If no antivirus software is installed and running in the background, then the customer is presented with options for installing protection. Preventing unprotected computers from accessing the website will help reduce the frequency of stolen account information through phishing.

Some of the above suggestions may be considered annoying or excessive for customers. Banking over the internet is generally safe, but malicious individuals increase their knowledge and ability all the time. They adapt faster to security implementations than banks adapt to new methods of breaching. In the worst case, hackers — or people who pay hackers — can steal not only your money but your identity. I understand that cleaning up the mess left behind when your identity is stolen can be one of the most grueling processes one might ever experience. It may be worth some inconvenience to add more layers of protection between the world and your bank accounts.




Every Tuesday, Smithee presents an article about his own experiences with credit cards and observations about the credit card industry.

A few weeks ago I was the victim of debit card fraud. In my case the system worked very well. The bank’s automatic mechanisms noticed a few big-ticket items being purchased in Chicago, which is quite far from where I live. The first one went through, the second one was held up and I started getting calls from the bank’s fraud detection department.

So, that card number had to be canceled and I got a replacement with a new number within a few days. The money was also refunded, but the surprise came when I noticed the new card had that little “PayPass” logo on it. You know, the thing that’s supposed to let you tap the card against a reader instead of sliding it through the reader? (Think of the time saved!) The old one didn’t have PayPass on it, and I was ambivalent about the technology, having read reports about how it’s not all that much faster.

The bigger problem is that it uses RFID, which is not exactly ready for prime time. To make a long story short, people can easily, and cheaply, extract the data from your card without you knowing. Here’s a video with a demonstration:

Interesting side note: Mythbusters was going to do a show about this, before the idea was quashed.
