Is Online Banking Safe?

I would think that no PC would be immune from malicious threats if they landed on some corrupt site that then installed malware or key-capture software. Is there any reasonable way to continue to safely do online banking?

Sure.

Avoid getting infected.

I know, that sounds trite and flippant, and I don’t mean to be so. Ultimately, though, all the advice boils down to exactly that: do what it takes to stay safe on the internet.

I regularly bank online. In fact, I’ve done so for years without incident. I much prefer it over the alternatives.


Follow the basics

It really boils down to remembering and religiously following the basics.

Use a strong, unique password – Much of the account theft I see is due to poor passwords. You must have a strong password on your banking accounts, and it must not be one you use anywhere else: a password leaked from some other site will be tried against your bank. It’s your best, first line of defense.

Don’t share passwords – Giving your password to someone you “trust” is another way banking accounts often get compromised. The problem arises when the individual turns out to be not so trustworthy or not as security-conscious as you need them to be.

Use two-factor when available – Two-factor (also “multi-factor”) authentication prevents unauthorized entry into your accounts even when the password is known. SMS codes, a dedicated authenticator app, or a hardware security key all qualify; an app or a hardware key is stronger than SMS, which can be intercepted if someone hijacks your phone number. Turning it on is the single best way to truly lock down your most important accounts.

Open only email attachments you trust – If you’re the least bit uncertain, don’t open ’em. Email attachments remain one of the most common ways malware lands on machines.

Learn to recognize and avoid phishing – In order to fool you, hackers constantly send email that looks like it came from your bank. The text of a link can say one thing while the link itself goes somewhere else entirely, so don’t click on links in email messages that claim to be from your bank. Instead, visit your bank as you would without the email: type the address of your bank’s website into the browser address bar (or use a bookmark you saved previously).

Secure your network – Make sure to secure your router. Understand what it means to use an open Wi-Fi hotspot or other shared network connection safely. Yes, you can bank online safely when traveling (again, it’s something I do), but it does require that you pay attention to network security.

Avoid shared or public computers, period – While library computers or the machine you can borrow while visiting your friend might be convenient, you have no idea what’s on them. They could be full of malware, or have a hardware keylogger plugged in between the keyboard and the machine that you would never notice. Avoid them for anything sensitive.
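The phishing item above says the visible text of a link and its real target can differ. As an added example (not code from the Ask Leo! article), here is a small Python scanner that pulls every link out of an e-mail’s HTML body and flags the patterns a bank phish typically uses: a displayed address that doesn’t match the real target, the bank’s name buried as a subdomain of some other domain, a typo-squat one or two characters away from the real domain, a plain-http target, or a punycode (internationalized) hostname. The bank domain `examplebank.com` and the sample message are constructed for illustration; the “last two labels” domain comparison is a deliberate simplification (a real tool would use the public suffix list).

```python
"""Added example: flag suspicious links in a phishing-style e-mail body."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the (hypothetical) domain the reader actually banks at.
TRUSTED_DOMAIN = "examplebank.com"


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two DNS labels; simplification in place of the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squats such as examp1ebank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_in_text(text):
    """If the visible link text is itself a URL or bare domain, return its host."""
    t = text.strip()
    if " " in t or "." not in t:
        return ""
    return (urlparse(t if "://" in t else "//" + t).hostname or "").lower()


def classify_link(href, text):
    """Return the list of reasons this link is suspicious (empty list = looks fine)."""
    reasons = []
    parsed = urlparse(href.strip())
    host = (parsed.hostname or "").lower()
    if not host:
        return ["no host in href"]  # javascript:, mailto:, empty href, ...
    if parsed.scheme != "https":
        reasons.append("not https")
    if "xn--" in host:
        reasons.append("punycode (IDN) host")
    shown = domain_in_text(text)
    if shown and registrable(shown) == TRUSTED_DOMAIN and registrable(host) != TRUSTED_DOMAIN:
        reasons.append("displayed domain does not match actual target")
    if registrable(host) != TRUSTED_DOMAIN:
        if TRUSTED_DOMAIN in host:  # e.g. examplebank.com.secure-login.net
            reasons.append("trusted name used as subdomain of another domain")
        elif edit_distance(registrable(host), TRUSTED_DOMAIN) <= 2:
            reasons.append("lookalike of trusted domain")
    return reasons


def scan_email(html):
    """Map each flagged href in the message to its list of reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = {}
    for href, text in parser.links:
        reasons = classify_link(href, text)
        if reasons:
            flagged[href] = reasons
    return flagged


# Constructed sample message (not a real e-mail).
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, your account has been locked. Please verify at
<a href="http://examplebank.com.secure-login.net/verify">https://www.examplebank.com/login</a>
or <a href="https://examp1ebank.com/login">Log in now</a>.</p>
<p>Questions? See <a href="https://www.examplebank.com/help">our help pages</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons))
```

Running it flags the first two links (the second only because of the single-character typo-squat) and leaves the genuine help link alone. Note what the scanner cannot do: it has no opinion about a link that really does go to the bank’s domain, which is why the advice above is still to type the address yourself rather than trust any link in mail.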
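The two-factor item above mentions “a dedicated app”. As an added example (again, not code from the article), here is what such an app and the bank’s side of it actually compute: RFC 4226 HOTP and RFC 6238 TOTP, which is HMAC over a counter derived from the clock. The verifier accepts a code for the current 30-second step or one step either side, and refuses to accept a step it has already accepted, so a code captured by a keylogger cannot simply be replayed later. The secret `12345678901234567890` is the RFC 6238 test-vector key, not anything real. One caveat a practitioner should keep in mind: a phishing site that relays your code to the bank in real time still gets in within the window; only origin-bound methods such as a hardware security key defeat that.

```python
"""Added example: HOTP/TOTP as used by authenticator apps, with a replay-resistant verifier."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Bank side: tolerate clock skew of `skew` steps, never accept a step twice."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // self.step
        for s in range(now_step - self.skew, now_step + self.skew + 1):
            if s <= self.last_accepted_step:
                continue  # already used (or older): blocks replay of a captured code
            if hmac.compare_digest(hotp(self.secret, s), code):
                self.last_accepted_step = s
                return True
        return False


# RFC 6238 test-vector secret (not a real key).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(RFC_SECRET, 59)
    v = TotpVerifier(RFC_SECRET)
    print("code at t=59:", code)                 # 287082 per RFC 6238
    print("first use accepted:", v.verify(code, 59))
    print("replay accepted:", v.verify(code, 59))  # False
```

With the RFC secret the code at t=59 is 287082 (the published 8-digit value is 94287082), which is a handy check that any TOTP implementation is wired correctly before trusting it for a bank login.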

All banking is dangerous

All banking, online or off, is dangerous. In my opinion, you’re actually more likely to be affected by bad behavior you have no control over — such as that in the bank’s back room or at some hacked third party — than you are to have your information compromised due to your own failings… as long as you follow the basic security you should already be doing.


27 comments on “Is Online Banking Safe?”

  1. I have a follow-up question: Is it safe to go to a secure site like your banks (indicated by the “https”) from your own laptop on an open public WiFi network? As a precaution I don’t. But I need some reassurance on this from a tech-guru.

    As long as the connection is https and always https, then I would feel safe doing so.

    – Leo
    27-Mar-2009
    • Agree with Leo, however there are some things to be aware of. Go directly to your https site; do not open the browser, do some general surfing, and then go to the bank site, as I believe this could allow a hacker to hijack your connection, inject their own SSL certificate and do a man-in-the-middle attack. Granted, you would get a certificate warning, but often users will ignore these.

  2. Turn the question around: Is non-online banking safe?

    Assuming that the appropriate precautions are taken, I’d argue that online banking is safer than the alternatives.

    As an example, a few years ago my credit card number was used for a series of unauthorized payments to a PayPal account. Because I bank online, I was alerted to the transactions within 24 hours and was able to deactivate the card.

    Another example: I was assessed a “foreign transaction fee” on a recent credit card purchase. I’m located in the US, the purchase was for a product made in the US and sold by a US based retailer. Again, because I bank online I was notified immediately of the fee and was able to have the bank remove it, all done online.

    My bank has even taken the step at their web site to allow checks to be scanned and deposited electronically by the customer, releasing the funds for immediate use.

    As a result, I haven’t seen the inside of a bank for a decade and a half and never personally been in the bank I use, which is located in another state.

  3. I have always been skeptical of online banking and have a suggestion for those of you who feel the same but want to do it and avoid some risk. I signed up for a “free” online banking account with a local bank. It was a bank where I do not have my main checking account or savings account or any IRA accounts or SEP accounts. So I use it for checking online banking and I only have a $2,000 deposit in it. When it gets low I drop by the bank and put in a check for a thousand or so and replenish the online banking account. If someone hacks into their system all they can find is my one online checking account and the most it will have is $2,000, and since I don’t have other accounts there they cannot link or hack into other accounts of mine once they hack into the online banking. The general banking practice is to guarantee 100% against online banking fraud, so I think this way I limit my exposure to my main assets and the most I could possibly lose is $2,000 or less if the bank turns out to not honor their hacking protection pledge. Online banking is much easier, but I do not care who the bank is, I suspect somebody out there can hack into it ultimately, so you need to limit your exposure somehow and this is how I do it.
    GPTDesign

  4. One other thing I suggest to add to the security measures for those who still use wired and not wireless connections is never, never connect your computer directly to the internet; always go through a secured, firewalled NAT router. They’re not as expensive as they used to be; I just bought a 4-port for less than $150.00.

  5. I might add one other security measure I use for on-line banking. My username is also a combination of upper and lower case letters and numbers. It only has to make sense to me.

  6. For my particular bank, I can set up e-mail alerts that let me know if a large deposit or withdrawal was made, or if my balance has gone below a certain amount. I wouldn’t have that type of bulletin if I simply waited for a paper statement to arrive. Besides that, having organized many people’s paperwork and files through the years, it’s not uncommon to find that statements can remain unopened for weeks, months, sometimes even years. So as long as you take the precautions Leo prescribes, you are probably safer overall against fraud by banking online than by the old methods.

  7. How do I set up WPA encryption on my laptop when I go wireless? I have a Compaq EVO N600C with the wireless card. I was concerned when I go to hotels that are wireless and want to know how to protect my passwords. I have a current antivirus which is Panda. Thank you for your time in answering my question.

    WPA is something that’s chosen not by you and your laptop, but by the connection provider – the cafe or the hotel – or by you when you set up your wireless access point at home. When you then attempt to connect to a wireless network that uses WPA, you’ll be prompted for a passphrase. If you can connect without a passphrase, then it’s probably open. Cafes and hotels rarely use encryption of any sort. You can read about your alternatives here: How do I stay safe in an internet cafe?

    – Leo
    01-Apr-2009
  8. The smaller banks and credit unions where I live all use two-factor authentication. Wells Fargo does not! Wouldn’t you know it.

    • EU banks all use two-factor authorization to make transactions, I believe, by law. The US needs that. Because of that level of security, anybody can make a transfer to anybody else by simply entering in their account and routing numbers. Not only safer but more convenient.

    • … and what does the travel router connect to for internet access? The public WiFi! A travel router is nothing special. It’s just a small router, but not that much smaller than your home router. Unless the travel router has a firewall AND you’ve meticulously configured the firewall against incoming bad stuff, you’re still connected to the public WiFi. The travel router may appear to be “trusted” by your device (i.e. cell phone or laptop) because the connection settings are saved on your device (because you configured it at home). If the travel router has the same SSID as your home router, then it’s broadcasting your home SSID through the public WiFi. If you haven’t changed your travel router’s password and admin IP (from the factory settings) then anyone can log into your router. Some routers have built-in VPN software, but to use that you’ll still need a VPN service.

      • A travel router only protects your data between the computer and the router. After the router, all of the data transmitted is essentially the same as it would have been if you didn’t have the travel router in the middle. And you can’t use a travel router unless you can plug it into an Ethernet port on the public WiFi router. So you can use it in a hotel but not in a coffee shop. And even if you could plug it in, it would protect you against sniffing but not against the owners of the internet connection.

        I don’t see how the travel router would have the same SSID as your home router, and even if it did, any hackers would have to know where you lived and go there to access your home internet connection.

        I have 2 travel routers. I use one when I travel to get WiFi in places where I can only get an Ethernet connection; my laptop only has WiFi. I use the other at home to extend the range of my home WiFi.

      • Most hotels now only provide WiFi access (no Ethernet cable port), so all this becomes irrelevant. Also, a router doesn’t really protect you by simply sitting between the internet and your computer. If that were the case then all these discussions about “internet safety” would be pointless.

  9. Maybe Leo can confirm if something I read years ago is still valid or not when it comes to keyloggers.

    I read that keyloggers can only record the order in which you enter keystrokes, so the suggestion of the article was twofold: begin by entering your password first, as most people enter their UserID first and then their password.

    The 2nd part of the article stated to only enter parts of your password and userid at a time and use your mouse to move to the part of either entry to enter another part of the completed password/userid – you only need to move two times to cause the keylogger to be totally messed up and record something that will not ever work. A bit tedious, but definitely worth the effort if you are in a public setting or simply do not trust online security in general.

    Again, not sure this still works – the article was quite a few years ago.

    • Keyloggers can log much more than keystrokes — even years ago. They can also log the movements you make, take screen shots, and more. Bottom line: no, this will not thwart a sophisticated keylogger.

  10. RonC’s Question on Keyloggers: Yes and No [grin]

    Yes, the method you state would stop a ‘classic’ keylogger that only captured keystrokes. But … No, keylogger malware can do so much more – including mouse movements and screenshots taken multiple times a second.

    The answer is simple, as Leo says, “Avoid getting infected.”

  11. One extra layer of security is… use a dedicated computer used ONLY for internet banking. No emails, no surfing, no nothing except banking. Expensive? Not necessarily, buy a second hand one, using DBAN 3 times to ensure no malware is on the device… ok, I’m obsessive compulsive, but better that than careless.

    Install a version of Linux… Linux Lite is quite good and easy to use. Password-protect the login. OMG, the number of people I know who say, who cares, they (friends, family, the dog) don’t know my passwords, yadda yadda yadda. But they could a) access an infected site or b) install malware deliberately. For goodness sake Don’t. Take. The. Risk.

    Keep it powered off unless using it for banking. Remove the ethernet cord when not in use. Do NOT use wifi. At. All.

    Life should then be breezy.

    • I have a friend who teaches computer science who does this, and it’s a good idea. However, 3 passes with DBAN is unnecessary to protect you against malware. A simple format and install of a Linux distro should be sufficient protection against any installed malware. Although a wiped disk would protect you against any illegal material which may have been on the machine.

      A cheaper, but more cumbersome, solution would be to boot up Linux from a DVD or USB flash drive, without installing, to do your banking.

  12. Keyloggers are easy to defeat with a keystroke encryptor. I’ve been using KeyScrambler Premium for years. With it or similar products even if someone got a keylogger on your machine all they get is encrypted garbage. I’d add a keystroke encryptor if you don’t have one in your security arsenal. It’ll make everything safer and especially online banking.

    • I seriously disagree. Somewhere, somehow, those keystrokes need to be understood by the application or system in order for them to work. It’s at that level malware can intercept and record, completely bypassing the encryption. DO NOT rely on software solutions for keystroke logging protection. They can not work. Focus on avoiding malware in the first place.

  13. Dear Leo,
    Wonderful article. I would like to add that programs like Quicken want you to allow direct downloads from financial institutions mainly, I guess for reconciling the accounts within the program (like Quicken’s). While this seems to be convenient, the issue is the program has to have your login credentials for every banking and financial account. I never would allow this personally and know that recent problems with banks and this automation have occurred. What is your take on this issue?
