When was the last time you went to your bank and withdrew cash from an honest-to-goodness bank teller?
For many of us, it was probably years ago, as most people now prefer the ease and 24/7 availability of online banking and automated teller machines.
Today's bank robbers prefer them, too. They’ve gone high-tech, using ATM skimmers to get hard cash out of our accounts, and computer malware to raid accounts the electronic way.
In fact, depending on computers for bank transactions has gotten so risky that getting to know our bank tellers is starting to sound good again.
This raises the question: Should we quit banking online altogether?
Ways to beef up your security
Of course not, said Josh Shaul, chief technology officer with New York-based Application Security Inc.
Shaul does all his banking online or at ATMs and never worries about the risk. He leaves that worry to the banks. For that reason, Shaul recommended that consumers, instead of panicking, learn how their banks approach security.
“I think larger banks tend to have more-sophisticated security systems than smaller banks can offer,” although smaller banks may be catching up or devising cost-effective security methods, he said.
Shaul said consumers shouldn’t hesitate to ask their bank how it handles online banking security. What kind of authentication system does it use? How does it notify a customer who has forgotten a password? What security policies are in place in case there is a breach?
“If you feel you don’t know enough about security to judge the bank’s security application, talk to a friend who does,” Shaul said.
Harry Sverdlove, CTO for Bit9, based in Waltham, Mass., is another security expert who has no problem with banking online.
The bank's job
But Sverdlove would like to see banks step up with another layer of security, especially as the most dangerous malware focuses on keylogging (recording keystrokes to steal passwords, PINs and bank numbers) or man-in-the-middle attacks (where an online transaction appears to be proceeding as normal, but the malware has hijacked it and controls the information).
“One of the banking sites I deal with gives you a random generic [on-screen] keypad and you use the mouse to click in your PIN,” Sverdlove said. “Keyloggers won’t be able to read it because I use my mouse, not my keyboard.”
He’d also like to see banks use a card swipe or biometrics — something that has to be physically done by the consumer, separate from typing in login authentication.
That way, Sverdlove said, even if a criminal has the financial login information, he can’t do anything without the second layer of authentication.
For the most part, Sverdlove and Shaul agree that the platform used for online banking doesn’t make much difference.
Macs may be a little safer than Windows right now, simply because the vast majority of malware is still written for Windows machines. (Shaul says the increased use of iPads and iPhones will spur the creation of malware written for those platforms.)
The type of browser used makes little difference as well. Most banking malware is written to work across browsers.
Wise up about smartphones
What about using mobile devices for online banking? This is where Sverdlove and Shaul part ways, at least slightly.
Sverdlove said he doesn’t use his smartphone for banking.
“Banks will use SMS or text messages to authenticate things with you, and that information can be intercepted,” he said. “But the real reason I don’t use mobile banking is because of how easily the device can be lost. Once the attacker has physical access to your device, a wealth of opportunities opens up.”
While Shaul agrees that the biggest risk in mobile-device banking is loss, he believes mobile devices are actually safer because the banking malware technology hasn’t caught up yet with banking apps.
But again, this can change as more people use banking apps and hackers refocus their efforts.
Online banking can be done safely if consumers follow some basic best practices:
- Keep up to date with patches. Shaul said malware will sneak in through vulnerabilities in operating systems, browsers and software, so if your computer alerts you to an update, install it immediately.
- Check your online account once a week to make sure everything looks okay.
- Use the “smell test.” Sverdlove said that if you log into your account but the interface is different or the look of the site has changed, contact your bank as soon as possible using the number printed on your ATM card.
- Ask your bank about its security practices.
- Do all of your banking from one computer. If you have a desktop, use that for banking. If you have to use a laptop, make sure no banking information is stored in the browser’s “cookies” before you travel with it.
- Never use an unfamiliar computer, such as a library computer or a friend’s laptop, to conduct banking.
Finally, maybe it isn’t always safest to visit the teller.
Roel Schouwenberg, a security expert with Kaspersky Lab Americas, related an alarming story.
“I saw a case in the Netherlands where the bad guys had gone as far as renting office space for their scam,” Schouwenberg told SecurityNewsDaily. “Victims were sent emails with information on the 'new office' complete with a special phone number. The office was completely branded as the targeted bank, complete with desk clerks and fake customers.”