With the advancement of technology, banking transactions that used to be done only at the bank during office hours can now be done anywhere, anytime with the existence of online banking. While online banking brings greater convenience, we must not ignore the risks involved. With online threats on the rise, no one should be negligent about their online activities.
To stay secure while banking online, you should understand how banks authenticate their online banking users and adopt safety measures to secure your bank account.
Banks’ Security Measures
To safeguard clients’ accounts, most banks have taken measures to ensure that the identity of the account holder is properly authenticated before granting access to their bank accounts online. Common measures include the use of a complex password (e.g. upper and lower case, numbers and symbols), and second-factor authentication such as a token-generated Personal Identification Number (PIN) or a one-time PIN sent via Short-Messaging Service (SMS). This ensures that only the account holder who holds these two types of information is granted access – the password is the information that you know, and the PIN is the information that you own (stored on a device).
Banking websites also implement encryption to ensure that all information that is transferred through the network cannot be deciphered by a third party. Such websites would have their URL beginning with “https”. To further confirm the validity of the website’s encryption, do check the SSL certificate’s issuing authority (i.e. it should be from a trusted certifying authority) and validity period (i.e. it should not have expired) via your browser.
Most banks also allow their clients to set financial limits on the funds that may be transferred to other bank accounts through online banking, and send an SMS alert to the account holder if a transaction beyond a certain pre-defined amount has taken place.
End Users’ Security Measures
While the banks have taken steps to secure online banking transactions, end users also need to adopt good online habits and necessary precautions to prevent these measures from being circumvented.
First of all, let us understand how banking Trojans such as ZeuS and SpyEye work. Banking Trojans infect a victim’s computer just like any other malware. They could be downloaded onto the victim’s computer through a drive-by download (where the malware gets downloaded onto the victim’s computer when visiting a malicious website, without their knowledge), by masquerading as a harmless attachment in phishing emails, or through a link posted by a friend on social networking sites.
Each type and variant of banking Trojan may operate differently to infiltrate the victim’s online banking account. Some may lead the victim to a fake login website, thereby stealing their login credentials and logging in to the real website simultaneously; some may initiate a fund transfer without the victim’s knowledge. No matter which permutation the banking Trojans take, their common objective is to steal money from the victim’s bank account.
Protect your bank account details
To avoid becoming a victim of these cyber threats, personal confidential data needs to be well protected. The password used for bank account login should be different from the passwords of your other accounts and should not be shared with others. You should also refrain from divulging personal information such as your date of birth on the Internet, as banks may ask for such details to verify your identity.
Beware of social engineering tactics
In addition, banks will never use channels such as email to request their clients’ electronic banking information. If you receive such an email allegedly from the bank, you should report it to your bank instead of replying or clicking on the hyperlink in the email, no matter how dire the content may sound.
Familiarise yourself with the bank’s security measures
To prevent yourself from accessing a fraudulent banking website, familiarise yourself with the bank's security measures. Banks will usually send advisories to their clients if they intend to change their security measures; such changes would not be made overnight. If you find that the website’s authentication process is different from your previous experience, refrain from entering your login details. Check the website’s authenticity before proceeding further. Here are some steps that you may take:
- Confirm that the URL of the website in the address bar is the same as your bank’s
- Confirm the SSL certificate of the website is issued to your bank by a trusted certifying authority and within the validity period
- Compare the website’s authentication process when accessed from another device (in case your computer has been infected by a banking Trojan)
If in doubt, check with your bank.
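The first two checks in the list above can also be expressed as code. This is an added example, not part of the original article: `check_site`, the hostname `www.examplebank.example` and the organisation name `Example Bank Ltd` are placeholders, and the sketch assumes the bank's certificate carries an organisation name in its subject.

```python
import calendar
import socket
import ssl
from urllib.parse import urlsplit

def fetch_cert(host, port=443):
    """Live fetch (unused below); the default context enforces a trusted CA chain."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _matches(host, pattern):
    # A wildcard covers exactly one left-most label: *.bank.example
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def check_site(url, cert, bank_host, bank_org, now):
    """Return a list of problems; an empty list means every check passed.
    cert is a dict in the format returned by ssl.SSLSocket.getpeercert()."""
    problems = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        problems.append("not https")
    if host != bank_host:
        problems.append("hostname differs from the bank's")
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_matches(host, s) for s in sans):
        problems.append("certificate not issued for this hostname")
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    if subject.get("organizationName") != bank_org:
        problems.append("certificate not issued to the bank")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    return problems

# Constructed sample certificate and clock; every name here is a placeholder.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Bank Ltd"),),
                (("commonName", "www.examplebank.example"),)),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.examplebank.example"),),
}
SAMPLE_NOW = calendar.timegm((2024, 6, 1, 0, 0, 0))
```

A hostname that merely contains the bank's name, such as `www.examplebank.example.signin.example`, fails both the hostname and the certificate-name checks.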
Practise safe surfing habits
Refrain from accessing your banking website on a public or shared computer, as you never know if the information you enter is being tracked. Even if you are accessing the banking website on your own computer, always log off and clear the cache on your browser to remove the transaction records. Also refrain from surfing suspicious websites, as you might unknowingly download malicious software.
Check your bank account transactions regularly
These days, cyber criminals are smart. While the bank may allow their clients to set financial limits for online transactions, cyber criminals may make multiple small-value fund transfers to work around this restriction. As a precautionary measure, check your bank account transactions regularly.
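When reviewing a statement, the pattern to look for is a burst of transfers that each stay under the alert amount but together exceed it. The following is an added example, not part of the original article: the function name, the 24-hour window and the sample transfers are assumptions constructed for illustration, with amounts in cents.

```python
from collections import deque
from datetime import datetime, timedelta

def find_split_transfers(transfers, alert_threshold, window=timedelta(hours=24)):
    """transfers: iterable of (timestamp, amount_in_cents) for outgoing transfers.
    Returns (first, last, total, count) for each burst of transfers that are
    individually below alert_threshold but add up to more than it in the window."""
    recent, total, hits = deque(), 0, []
    for ts, amount in sorted(transfers):
        if amount >= alert_threshold:
            continue  # a single large transfer already triggers the bank's alert
        recent.append((ts, amount))
        total += amount
        # Drop transfers that have aged out of the sliding window.
        while ts - recent[0][0] > window:
            total -= recent.popleft()[1]
        if len(recent) > 1 and total > alert_threshold:
            hits.append((recent[0][0], ts, total, len(recent)))
            recent.clear()  # report each burst once, then start counting afresh
            total = 0
    return hits

# Constructed sample statement; the alert amount is 1,000.00 (100000 cents).
SAMPLE_TRANSFERS = [
    (datetime(2024, 3, 1, 9, 0), 45000),     # routine payment
    (datetime(2024, 3, 5, 14, 0), 30000),    # routine payment
    (datetime(2024, 3, 9, 1, 10), 40000),    # three transfers within 30 minutes,
    (datetime(2024, 3, 9, 1, 25), 40000),    # each below the alert amount
    (datetime(2024, 3, 9, 1, 40), 40000),
    (datetime(2024, 3, 12, 10, 0), 150000),  # above the alert amount on its own
]

if __name__ == "__main__":
    for first, last, total, count in find_split_transfers(SAMPLE_TRANSFERS, 100000):
        print(f"{count} transfers totalling {total / 100:.2f} between {first} and {last}")
```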
Online banking has brought about ease and convenience for us. However, you should always be cautious and beware of the perils on the Internet.
Bank online safely on your smartphone - https://www.csa.gov.sg/gosafeonline/go-safe-for-me/homeinternetusers/bank-online-safely-on-your-smartphone
2FA – The use of OTP Token - https://www.csa.gov.sg/gosafeonline/go-safe-for-me/homeinternetusers/2fa-the-use-of-otp-token
Malware targeting mobile banking - https://www.csa.gov.sg/singcert/news/advisories-alerts/malware-targeting-mobile-banking