Banking transactions that could once be done only at a branch during office hours can now be done anywhere, anytime, through online banking. Online banking is widely used by both individuals and businesses because of its convenience, ease of use and cost savings.
However, these benefits do not come without risks. In late 2015, mobile banking customers were targeted by malicious software (malware) disguised as a WhatsApp software update. The malware infected about 50 Android smartphone users in Singapore over a three-month period. Affected customers reported losses of up to several thousand dollars after clicking on a suspicious pop-up window that asked for their credit card details to complete the supposed upgrade.
Online threats are rampant and end users should not be negligent with their online activities. To stay secure when performing online banking, familiarise yourself with the security measures that banks put in place to safeguard their clients' accounts and adopt safe online practices.
Banks’ Security Measures
To safeguard clients’ accounts, most banks authenticate the identity of the account holder before granting access to the account online. Common measures include a complex password (at least eight characters, mixing uppercase and lowercase letters, numbers and symbols) and a second factor such as a Personal Identification Number (PIN) generated by a hardware token or a one-time PIN sent via Short Message Service (SMS). An attacker then needs both factors to log in: the password is something you know, and the PIN is something you have, because it is generated by or delivered to a device in your possession. Note that a one-time PIN delivered by SMS is only as safe as the phone that receives it; malware on the handset can read the message.
Banking websites also use encryption so that information exchanged between your browser and the bank cannot be read or altered by a third party on the network. Such websites have URLs beginning with “https”. Encryption alone does not prove that you are talking to your bank, so also check the website’s Secure Sockets Layer (SSL/TLS) certificate via your browser: it should be issued to the bank’s domain by a trusted certifying authority and should still be within its validity period.
Most banks also allow clients to set limits on the funds that may be transferred to other bank accounts through online banking, and send an SMS alert to the account holder when a transaction above a pre-defined amount takes place.
End Users’ Security Measures
While banks have taken active steps to secure their online banking transactions, end users also need to adopt good online habits and take the necessary precautions to prevent these measures from being circumvented.
First, it helps to understand how banking Trojans such as ZeuS and SpyEye work. A banking Trojan infects a victim’s computer like any other malware: through a drive-by download (malware installed while visiting a malicious website, without the user’s knowledge), a seemingly harmless attachment in a phishing email, or a link posted by a friend on a social networking site.
Each type and variant of banking Trojan operates differently once it is on the machine. Some lead the victim to a fake login page and capture the credentials entered there, using them to log in to the real website at the same time; others initiate a fund transfer from the victim’s own logged-in session without the victim’s knowledge. Whatever form they take, their common objective is to steal money from the victim’s bank account.
Protect your bank account details
To avoid becoming a victim of these threats, keep your confidential information well protected. The password for your bank account should be different from the passwords for your other online accounts, so that a breach elsewhere does not expose your bank login. Do not share your passwords with others. Refrain from publishing personal information such as your date of birth on the Internet, as the bank may use it to verify your identity.
Beware of social engineering tactics
Banks will never use channels such as email to request your banking details. If you receive an email that appears to be from your bank and asks for such details, report it to your bank immediately instead of replying or clicking on links in the email.
Familiarise yourself with the bank’s security measures
To avoid accessing a fraudulent banking website, familiarise yourself with the bank’s security measures. Banks usually send advisories to their clients before changing their security procedures; such changes are not made overnight. If you find that the website’s authentication process differs from your previous experience (for example, it asks for more details than usual), refrain from entering your login details and check the website’s authenticity before proceeding. Here are some steps you may take:
- Confirm that the URL in the address bar is exactly your bank’s; a lookalike address that merely contains your bank’s name is not the same site
- Confirm that the website’s SSL/TLS certificate is issued to your bank’s domain by a trusted certifying authority and is within its validity period
- Compare the website’s authentication process with what you see when accessing it from another device (in case your computer has been infected by a banking Trojan)
When in doubt, check with your bank.
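The first two checks above can be expressed precisely. The following is an added example, not code from the original advisory: it tests whether an address-bar URL really belongs to the bank (rejecting the common lookalike tricks) and applies the certificate checks to a certificate described as a Python dict in the shape that `ssl.SSLSocket.getpeercert()` returns. The bank domain `examplebank.sg`, the sample URLs and the certificate fields are all constructed for illustration and do not refer to any real bank or certificate.

```python
"""Added example: URL and certificate checks behind the advisory's steps.

examplebank.sg is a hypothetical bank domain; SAMPLE_CERT is a constructed
dict shaped like ssl.SSLSocket.getpeercert() output, not a real certificate.
"""
import ssl
from urllib.parse import urlsplit

BANK_DOMAIN = "examplebank.sg"  # assumption: the bank's legitimate registered domain

# Fixed "current time" so the example is reproducible: 1 Jul 2025, 12:00 UTC.
CHECK_TIME = ssl.cert_time_to_seconds("Jul  1 12:00:00 2025 GMT")

# Constructed sample, shaped like getpeercert() output; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("countryName", "SG"),),
                (("organizationName", "Example Bank Ltd"),),
                (("commonName", "www.examplebank.sg"),)),
    "issuer": ((("countryName", "SG"),),
               (("organizationName", "Example Trust Services"),),
               (("commonName", "Example Trust TLS CA 1"),)),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "www.examplebank.sg"), ("DNS", "examplebank.sg")),
}


def url_belongs_to_bank(url, bank_domain=BANK_DOMAIN):
    """True only if the URL uses https and its host is the bank's domain or a
    subdomain of it. urlsplit().hostname discards any 'user@' prefix and the
    port, which defeats tricks such as https://examplebank.sg@evil.example/."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname  # lowercased, without userinfo or port
    if not host:
        return False
    # 'examplebank.sg.evil.example' contains the bank's name but does not end
    # with '.examplebank.sg', so it is rejected.
    return host == bank_domain or host.endswith("." + bank_domain)


def _dns_name_matches(name, host):
    """Match one DNS SAN entry against the host; a wildcard covers one label only."""
    name, host = name.lower(), host.lower()
    if name.startswith("*."):
        return host.endswith(name[1:]) and host.count(".") == name.count(".")
    return name == host


def certificate_is_acceptable(cert, host, now=CHECK_TIME):
    """Apply the advisory's checks to a getpeercert()-style dict: within its
    validity period, issued for the host being visited, and issued by some
    authority rather than self-signed. Returns (ok, reason). Whether that
    authority is *trusted* is the browser's root-store decision, not replicated here."""
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        return False, "certificate not yet valid"
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return False, "certificate has expired"
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_dns_name_matches(n, host) for n in dns_names):
        return False, "certificate was not issued for %s" % host
    if cert.get("issuer") == cert.get("subject"):
        return False, "self-signed certificate, not issued by a certifying authority"
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://www.examplebank.sg/ibank",
              "https://examplebank.sg@evil.example/ibank",
              "https://www.examplebank.sg.evil.example/ibank",
              "http://www.examplebank.sg/ibank"):
        print("%-50s %s" % (u, "bank" if url_belongs_to_bank(u) else "NOT the bank"))
    print(certificate_is_acceptable(SAMPLE_CERT, "www.examplebank.sg"))
```

On a live connection the same dict comes from `getpeercert()` on a socket wrapped with `ssl.create_default_context()`; the context already rejects untrusted issuers, so the function above only re-states what the browser's padlock is checking. A string comparison does not catch a domain registered with visually identical characters from another alphabet, which is why the advisory's advice to reach the bank from your own bookmark, rather than a link, still applies.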
Practise safe surfing habits
Refrain from accessing your banking website on a public or shared computer; you never know whether the information you enter is being recorded. Even on your own computer, always log off when you are done and clear your browser’s cache to remove transaction records. Also refrain from visiting suspicious websites, as malicious software may be installed without your knowledge.
Check your bank account transactions regularly
While most banks allow clients to set financial limits on online transactions, cyber criminals may make multiple small-value fund transfers that each stay under the limit, and under the amount that triggers an SMS alert, but add up to a large sum. As a precaution, check your bank account transactions regularly for any unauthorised transactions.
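The pattern described above is easy to miss when reading a statement line by line, because no single entry looks alarming. The following is an added example, not code from the original advisory: it reads a transaction export and flags any payee who received several transfers, each at or below the per-transfer limit, that together exceed that limit within a few days. The export format, the payees, the amounts and the limits are all constructed for illustration.

```python
"""Added example: spot many small transfers that together exceed the limit.

The CSV export, payees and limits are constructed for illustration and do not
come from any real bank or account.
"""
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample export in a date,type,payee,amount layout.
SAMPLE_EXPORT = """\
date,type,payee,amount
2025-07-01,transfer,Rent Account,400.00
2025-07-02,transfer,P7Z Trading,450.00
2025-07-02,transfer,P7Z Trading,480.00
2025-07-02,transfer,P7Z Trading,490.00
2025-07-03,transfer,P7Z Trading,470.00
2025-07-03,purchase,Grocer,86.20
2025-07-05,transfer,Mum,200.00
"""

PER_TRANSFER_LIMIT = 500.00  # assumption: the user's configured per-transfer limit


def parse_export(text):
    """Turn the CSV text into a list of dicts with typed date and amount fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"date": date.fromisoformat(r["date"]),
                     "type": r["type"],
                     "payee": r["payee"],
                     "amount": float(r["amount"])})
    return rows


def flag_structured_transfers(rows, limit=PER_TRANSFER_LIMIT, window_days=3):
    """Return {payee: largest windowed total} for payees who received two or
    more transfers, each at or below `limit`, whose sum over any stretch of
    `window_days` consecutive days exceeds `limit`. Transfers above the limit
    are left out: the bank's own alert would already have covered them."""
    by_payee = defaultdict(list)
    for r in rows:
        if r["type"] == "transfer" and r["amount"] <= limit:
            by_payee[r["payee"]].append(r)

    flagged = {}
    for payee, txns in by_payee.items():
        if len(txns) < 2:
            continue  # a single transfer under the limit is what the limit allows
        txns.sort(key=lambda r: r["date"])
        for start in txns:
            end = start["date"] + timedelta(days=window_days)
            total = sum(r["amount"] for r in txns if start["date"] <= r["date"] < end)
            if total > limit:
                flagged[payee] = max(total, flagged.get(payee, 0.0))
    return flagged


if __name__ == "__main__":
    for payee, total in flag_structured_transfers(parse_export(SAMPLE_EXPORT)).items():
        print("%s: %.2f in small transfers, above the %.2f limit" % (payee, total, PER_TRANSFER_LIMIT))
```

In the sample, four transfers of under 500 to the same new payee within two days sum to 1890, which is what a single transfer limit of 500 was meant to prevent; the rent and the transfer to a family member are single entries and are not flagged.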
Online banking has brought about ease and convenience for us. However, you should always be cautious of the perils of the Internet.
Bank online safely on your smartphone - https://www.csa.gov.sg/gosafeonline/go-safe-for-me/homeinternetusers/bank-online-safely-on-your-smartphone
2FA – The use of OTP Token - https://www.csa.gov.sg/gosafeonline/go-safe-for-me/homeinternetusers/2fa-the-use-of-otp-token
Malware targeting mobile banking - https://www.csa.gov.sg/singcert/news/advisories-alerts/malware-targeting-mobile-banking