Technology in terms you understand. Sign up for my weekly newsletter, "Confident Computing", for more solutions you can use to make your life easier. Click here.

Is Online Banking Safe?

//
I would think that no PC would be immune from malicious threats if they landed on some corrupt site that then installed malware or key-capture software. Is there any reasonable way to continue to safely do online banking?

Sure.

Avoid getting infected.

I know, that sounds trite and flippant, and I don’t mean to be so. Ultimately, though, all the advice boils down to exactly that: do what it takes to stay safe on the internet.

I regularly bank online. In fact, I’ve done so for years without incident. I much prefer it over the alternatives, particularly since many alternatives seem to be slowly disappearing.

Become a Patron of Ask Leo! and go ad-free!

Follow the basics

It really boils down to remembering and consistently following the basics.

Use a strong password. Many account thefts are due to poor passwords. You must have a strong password on your banking accounts. It’s your best, first line of defense.

Don’t share passwords. Giving your password to someone you “trust” is another way banking accounts get compromised. The problem arises when the individual turns out to be not so trustworthy or not as security-conscious as you need them to be.

Online BankingUse two-factor when available. Two-factor (also “multi-factor”) authentication prevents unauthorized entry into your accounts even when the password is known. Using SMS, a dedicated app, or some other approach is the best way to truly lock down your most important accounts.

Open only email attachments you trust. If you’re the least bit uncertain, don’t open ’em. Email attachments are by far the most common way malware lands on machines these days.

Learn to recognize and avoid phishing. In order to fool you, hackers constantly send email that looks like it came from your bank. Don’t click on links in email messages from your bank. Instead, visit your bank as you would without the email: type the address of your bank’s website into the browser address bar (or use a bookmark you saved previously).

Secure your network. Make sure to secure your router. Understand what it means to use an open Wi-Fi hotspot or other shared network connection safely. Yes, you can bank online safely when traveling (again, it’s something I do), but it does require that you pay attention to network security.

Avoid shared or public computers, period. While library computers or the machine you can borrow while visiting your friend might be convenient, you have no idea what’s on them. They could be full of malware or include undetectable malicious hardware. Avoid using them for anything sensitive.

All banking is dangerous

All banking, online or off, is dangerous.

In my opinion, you’re more likely to be affected by bad behavior you have no control over — such as that in the bank’s back room or at some hacked third party — than you are to have your information compromised due to your own failings… as long as you follow the basic security rules, as you should already be doing.

Podcast audio

Play

Video Narration

75 comments on “Is Online Banking Safe?”

  1. I have a follow-up question: Is it safe to go to a secure site like your banks (indicated by the “https”) from your own laptop on an open public WiFi network? As a precaution I don’t. But I need some reassurance on this from a tech-guru.

    As long as the connection is https and always https, then I would feel safe doing so.

    – Leo
    27-Mar-2009
    Reply
    • Agree with Leo, however some things to be aware. Go directly to your https site do not open the browser and do some general surfing then go to the bank site as i believe this could allow a hacker to hijack your connection, inject their own SSL certificate and do a man in the middle attack , granted you would get a certificate warning but often users will ignore these.

      Reply
  2. Turn the question around: Is non-online banking safe?

    Assuming that the appropriate precautions are taken, I’d argue that online banking is safer than the alternatives.

    As an example, a few years ago my credit card number was used for a series of unauthorized payments to a PayPal account. Because I bank online, I was alerted to the transactions with 24 hours and was able to deactivated the card.

    Another example: I was assessed a “foreign transaction fee” on a recent credit card purchase. I’m located in the US, the purchase was for a product made in the US and sold by a US based retailer. Again, because I bank online I was notified immediately of the fee and was able to have the bank remove it, all done online.

    My bank has even taken the step at their web site to allow checks to be scanned and deposited electronically by the customer, releasing the funds for immediate use.

    As a result, I haven’t seen the inside of a bank for a decade and a half and never personally been in the bank I use, which is located in another state.

    Reply
  3. I have always been skeptical on on-line banking and have a suggestion for those of you that feel the same but want to do it and avoid some risk. I signed up for a “free” on line banking account with a local bank. It was a bank where I do not have my main checking account or savings account or any IRA accounts or SEP accounts. So I use it for checking on line banking and I only have a #2,000 deposit in it. When it gets low I drop by the bank and put in a check for a thousand or so and replenish the on line banking account. If someone hacks into their system all they can find is my one on-line checking account and the most it will have is $2000 and since I don’t have other accounts there they cannot link or hack into other accounts of mine once they hack into the online banking. The general banking practice is to guarantee 100% against online banking fraud so I think this way I limit my exposure to my main assets and the most I could possible loose is $2,000 or less if the bank turns out to not honor their hacking protection pledge. On line banking is much easier but I do not care who the bank is I suspect somebody out there can hack into it ultimately so you need to limit you exposure somehow and this is how I do it.
    GPTDesign

    Reply
  4. One other thing I suggest to add to the security measures for those who still use wired & not wireless connections is never, never connect your computer directly to the internet, always go through a Secured, Fire-Walled, NAT Router, they’re not as expensive as they used to be,
    I just bought a 4 Port for less than $150.00.

    Reply
  5. I might add one other security measure I use for on-line banking. My username is also a combination of upper and lower case letters and numbers. It only has to make sense to me.

    Reply
  6. For my particular bank, I can set up e-mailalerts that let me know if a large deposit or withdrawal was made, or if my balance has gone below a certain amount. I wouldn’t have that type of bulletin if I simply waited for a paper statement to arrive. Besides that, having organized many people’s paperwork and files through the years, it’s not uncommon to find that statements can remain upon for weeks, months, sometimes even years. So as long as you take the precautions Leo prescribes, you are probably safer overall against fraud by banking online than by the old methods.

    Reply
  7. How do I set up WPA encription on my laptop when I go wireless? I have a Compaq EVO N600C with the wirless card. I was concerned when I go to hotels that are wireless and want to know how to protect my passwords. I have a current antivirus which is Panda. Thank you for your time in answering my question.

    WPA is something that’s chosen not by you and your laptop, but by the connection provider – the cafe or the hotel – or when you set up your wireless access point at home. When you then attempt to connect to a wireless network that uses WPA you’ll be prompted for a passphrase. If you can connect without a passphrase, then it’s probably open. Cafe’s and Hotels rarely use encryption of any sort. You can read about your alternatives here: How do I stay safe in an internet cafe?

    – Leo
    01-Apr-2009
    Reply
  8. The smaller banks and credit unions where I live all use two-factor authentication. Wells Fargo does not! Wouldn’t you know it.

    Reply
    • EU banks all use two factor authorization to make transactions, I believe, by law. The US needs that. Because of that level of security, anybody can make a transfer to anybody else by simply entering in their account and routing numbers. Not only safer but more convenient.

      Reply
    • My bank is a credit union. They do not offer 2 factor, but they use something called a watermark (that you set up when you establish the account). It should be checked every time you go on line. I don’t know how it works. It has never stopped me on my own computer in the last 15 years. Does the last pass password manager check for watermarks, do you know? That’s what I use for passwords.

      Reply
      • Lastpass wouldn’t check for watermarks, but it won’t log into a fake website because it only logs into the website with which it is associated.

        Reply
    • … and what does the travel router connect to for internet access? The public WiFi ! A travel router is nothing special. It’s just a small router, but not that much smaller than your home router. Unless the travel router has a firewall AND you’ve meticulously configured the firewall against incoming bad stuff, you’re still connected to the public WiFi. The travel router may appear to be “trusted” by your device (i.e. cell phone or laptop) because the connection settings are saved on your device (because you configured it at at home). If the travel router has the same SSID as your home router, then it’s broadcasting your home SSID through the public WiFi. If you haven’t changed your travel router’s password and admin IP (from the factory settings) then anyone can log into your router. Some routers have built-in VPN software, but to use that you’ll still need a VPN service.

      Reply
      • A travel router only protects your data between the computer and the router. After the router, all of the data transmitted is essentially the same as it would have been if you didn’t have the travel router in the middle. And you can’t use a travel router unless you can plug it into an Ethernet port on the public WiFi router. So you can use it in a hotel but not in a coffee shop. And even If you could plug it in, it would protect you against sniffing but not against the owners of the internet connection.

        I don’t see how the travel router would have the same SSID as your home router and even it it did, any hackers would have to know were you lived and go there to access your home internet connection.

        I have 2 travel routers. I use one when I travel to get WiFi in places where I can only get an Ethernet connection; my laptop only has WiFi. I use the other at home to extend the range of my home WiFi.

        Reply
      • Most hotels now only provide WiFi access (no Ethernet cable port), so all this becomes irrelevant. Also, a router doesn’t really protect you by simply sitting between the internet and your computer. If that were the case then all these discussions about “internet safety” would be pointless.

        Reply
  9. Maybe Leo can confirm if something I read years ago is still valid or not when it comes to keyloggers.

    I read that keyloggers can only record the order in which you enter a keystroke so the suggestion of the article was two fold – begin entering your password first as most people enter their UserID first then password.

    The 2nd part of the article stated to only enter parts of your password and userid at a time and use your mouse to move to the part of the either entry to enter another part of the completed password/userid – you only need to move two times to cause the keylogger to be totally messed up and record something that will not ever work. A bit tedious but definitely worth the effort if you are in a public setting or simply do not trust online security in general.

    Again, not sure this still works – the article was quite a few years ago.

    Reply
    • Keyloggers can log much more than keystrokes — even years ago. They can also log the movements you make, take screen shots, and more. Bottom line: no, this will not thwart a sophisticated keylogger.

      Reply
  10. RonC’s Question on Keyloggers: Yes and No [grin]

    Yes, the method you state would stop a ‘classic’ keylogger that only captured keystrokes. But … No, keylogger malware can do so much more – including mouse movements and screenshots taken multiple times a second.

    The answer is simple, as Leo says, “Avoid getting inflected.”

    Reply
  11. One extra layer of security is… use a dedicated computer used ONLY for internet banking. No emails, no surfing, no nothing except banking. Expensive? Not necessarily, buy a second hand one, using DBAN 3 times to ensure no malware is on the device… ok, I’m obsessive compulsive, but better that than careless.

    Install a version of Linux… Linux Lite is quite good and easy to use. Password protect the log in. OMG the number of people I know who say, who cares, they (friends, family, the dog) don’t know my passwords yadda yadda yadda. But they could a) access an infected site or b) install malware deliberately. For goodness sake Don’t. Take. The. Risk.

    Keep it powered off unless using it for banking. Remove the ethernet cord when not in use. Do NOT use wifi. At. All.

    Life should then be breezy.

    Reply
    • I have a friend who teach computer science who does this and it’s a good idea. However, 3 passes with DBAN is unnecessary to protect you against malware. A simple install and format of a Linux distro should be sufficient protection against any installed malware. Although a wipe disk would protect you against any illegal material which may have been on the machine.

      A cheaper, but more cumbersome, solution would be to boot up Linux from a DVD or USB flash drive, without installing, to do your banking.

      Reply
  12. Keyloggers are easy to defeat with a keystroke encryptor. I’ve been using KeyScrambler Premium for years. With it or similar products even if someone got a keylogger on your machine all they get is encrypted garbage. I’d add a keystroke encryptor if you don’t have one in your security arsenal. It’ll make everything safer and especially online banking.

    Reply
    • I seriously disagree. Somewhere, somehow, those keystrokes need to be understood by the application or system in order for them to work. It’s at that level malware can intercept and record, completely bypassing the encryption. DO NOT rely on software solutions for keystroke logging protection. They can not work. Focus on avoiding malware in the first place.

      Reply
      • Including, for instance, the Secure Desktop option of Kee Pass ? Whereby the screen goes dark, except for the Kee Pass box where you type your master password ? Which is supposed to prevent keyloggers from working ?

        Incidentally, this option is off by default, and I would recommend to make sure it’s enabled.

        Reply
          • Are you saying that Kee Pass devised a fake option that does absolutely nothing ? (And they proceeded to hide it deep into settings, without making any fuss over it ?)

            Why on earth would they have done that ? They have nothing to gain and everything to lose : it’s a free program, it’s open source, it has been audited…

          • Absolutely Not

            I’m sure that KeyPass’s technique avoids some malware. The point is that it cannot avoid all malware. Malware, once on your machine, can do anything>

  13. Dear Leo,
    Wonderful article. I would like to add that programs like Quicken want you to allow direct downloads from financial institutions mainly, I guess for reconciling the accounts within the program (like Quicken’s). While this seems to be convenient, the issue is the program has to have your login credentials for every banking and financial account. I never would allow this personally and know that recent problems with banks and this automation have occurred. What is your take on this issue?

    Reply
      • Ah, but how does one ascertain that a program is reputable?

        I bought Quicken once. Over 10 years ago… most convoluted piece of junk I’ve come across. Even my friend who is an accountant said the same… so not me being technically challenged. I’m not anyway but… anyway Quicken is now an online subscription product. My bank’s interface is all I really need.

        Reply
        • Go all the way back to their first DOS version in 1983 if you want to stay historically relevant. (Did I just make up a new phrase for oldster computer geeks?) Those first versions were highly modifiable. I made a living supporting start-up companies running Quicken DOS. But then again, I’ve made a living supporting computer services for over 40 years (and still going, can’t wait for some eventual retirement…)

          Reply
        • It’s not always easy to determine if a program is reputable but reputable means having a good reputation. This can be checked out by checking its reputation on a reputable website (great circular logic, I know, but basically it means a website you trust) Quicken may not be a useful program for you but it is reputable, meaning they won’t misuse your data.
          What Does it Mean for a Source to Be Reputable?

          Reply
        • “Ah, but how does one ascertain that a program is reputable?” — indeed. That’s an important question for which not only is there no single answer, but the answer varies dramatically depending on who’s asking. While I don’t like Quicken, I consider it “reputable”. And, indeed, I use QuickBooks Online.

          Reply
      • In my mind there is a difference. If Online Account is hacked then ‘Online Banking’ and ‘BillPay’, in essence, are -not- different. Since BillPay regularly generates transactions across the wire including Routing/Account numbers, I see that as additional exposure. Please correct me if I am wrong, I could very well be missing something. I was 99.999% certain that Leo would respond as he did. I have used BillPay in the past. Reading this article reminded my of how it makes life easier. I am cogitating using it again. Obviously it is my choice to make regardless of Leo’s response, but it was nice to get Leo’s take (and yours as well).

        Reply
          • Diminutive? Oooh, big word… I work on the premise to use whatever word I choose to use. Looks like we a have a lot in common. Next time, consider how much your post contributes before commenting. I point you to Leo’s guidelines at the end of this and every article. Helps keep me in check.

  14. I’ve been using online banking since the late 90s and have been the victim of banking fraud twice. Neither was the result of online banking or purchases. One time when traveling in Eastern Europe, my credit card number was copied, I believe in a gas station and another time 2 counterfeit checks were cashed with my checking account number but with a fake name. I believe it’s more dangerous to put your credit card or a check in the hands of an unknown person than to use it on a reputable secure website.

    Reply
  15. Is it safer to do banking on iPad vs computer? I use my iPad as it is easier but am wondering now about the risk since there is no so called virus protection on it.

    Reply
    • A tablet is a computer and all internet activity looks the same to any sniffers once it has left your device and is traveling in cyberspace.

      Reply
  16. Although this is slightly off topic, Consumer Affairs has just published an article which you can google, with a link to Equifax, with which you can determine if you have been affected by the 2017 data breach, for which you may be compensated as a result of the credit bureau’s settlement with the government. If you were affected, you only have a limited time to exercise some of your most important options. Luckily I subscribe to Consumer Affairs emails; although I almost didn’t read the article linked by the email, I’m certainly glad I did. I learned that I was among the millions affected, even though Equifax has never taken steps to advise me. Learning about this in time allows me to take the necessary actions. Besides the Consumer Affairs article, the Equifax and the FTC websites have additional information on this.

    Reply
    • The “compensation” is $125, after you spend hours filling out forms. If you can prove, in court, that you had a financial loss due to fraud as a result of the breach, then you may be compensated for up to $20,000 (…and you could only prove that kind of claim if you spend a couple of hundred thousand dollars on attorneys). Footnote on the $125: that amount is effective only if a limited number of people apply for it. If there are more than the expected number of claimants, then the amount will drop to meet the budget. Of course, if you really want to get some serious money out of Equifax you need to be a lawyer in a class action suit.

      Reply
  17. I had decided not to do any online banking from a smartphone. This is supposed to be dangerous.

    And now I’ve just heard that a major European bank, with worldwide presence, has devised a transaction system where your identifier will be… your portable phone number.

    Security experts have told us in the past phone numbers were never meant to be secure identifiers. SIM swapping is an ongoing train wreck (at least in the US).

    And here comes this banking executive who says a number of major banks have teamed up to devise a specific common system for that, including secured containers for your phone number yada yada yada…

    Maybe, possibly, smartphone online banking will become more secure actually than doing it in person ?

    Reply
    • If a company’s database is hacked, the fault lies with the company, not the consumer who has an account with that company. They should be using strong encryption techniques to protect the database although the consumers should do their part and use a long (at least 14 characters) password.

      Reply
  18. CALL ME OCD about online security:

    (1) Before each browsing session I run “Live Update” for my security suite and apply any patches.

    (2) Two-factor, two-factor, two…

    (3) I never open ANY attachment without running custom security scans, including by a separate anti-malware program…even if from a “trusted” source.

    BTW, one of the big box retailers everyone knows will accommodate passwords of only 6-12 characters. I’ve repeatedly complained, saying that’s unacceptably lax security and, until it’s fixed, no account for me.

    Reply
  19. Worst case scenario… if your money was stolen online from a federally insured bank or credit union, would that money get reimbursed by the federal protections?

    Reply
    • I don’t know about FDIC protections, but every time my girlfriend or I’ve been the victim of bank fraud, my bank reversed the transaction and we’ve never lost a cent to bank fraud.

      Reply
    • In theory, I think so, but you really need to confirm with your bank. I’m no lawyer, but as I understand it most federal protection is protection against the bank itself failing, and not specifically against loss or theft. Also, if you can be found at fault (perhaps you shared a password, perhaps you did something that was demonstrably poor security) the bank may also take a different view of the situation. You do have a responsibility to use banking — and the internet — safely.

      Reply
  20. It all comes out but for the amount to keep the account open, each and every month at the start of the month. You don’t need an online account for that, and I don’t use cards or online payments anyway. Losing a money order is just as problematic but don’t forget that your regular bank account is fully insured up to well beyond any balance most of us here would ever have and you are not going to lose it from the bank itself.

    I am not a Luddite, it’s just an absolutely useless thing when I can go to my branch or ATM and deal with things. And someone helps me with online payments if I need to do that. Pay all your bills at the start of the month, no problem. Your mileage will vary, as they say.

    Reply
  21. I’m 75,not tech or banking savvy.Thanks to my my bank,I was notified on my phone of a new debit order deduction from my account.It was a hassle to stop it cancel my car and account and open new ones.I asked the bank what would happen if I was an old housebound granny with a large bank balance.The answer was err–toughies–cos all people need is your e-mail address,cellphone number and if they are lucky your account number.In my ignorance I was mortified but wondered who had that info.Answer anybody you have an account with who has people,bent as chocolate frogs. I don’t like it.

    Reply
  22. Sorry,where my post said car,I meant card.My point is I am very nervous,through ignorance of on-line banking but I do it and I use https.It still gives an old man the willies and with the rhubarb I get on my phone——say no more.

    Reply
  23. The thing I worry about is a hack of my banking or brokerage company that causes their services to be unavailable for some significant time. I use these services extensively and more than a day of access loss would be difficult. So for my essential functions I have redundant accounts so I can continue to operate if one if unavailable.

    Reply
  24. Regarding the “Is Online Banking Safe?” Just heard about an the “change of address” scam that is going around by someone who was scammed. Turns out that the US Postal Service does not require identification and/or certification for filing a change of address form. So anyone can file a change of address form for you and your mail will then go to the address written on the form. From that time on, all your mail will go to the new address, including bank statements, SS checks, credit card statements, etc. At this point, which is safer, snail mail or email/online?
    I would say do not have any financial or personal information go via either. Log on to the financial or health or whatever website directly. Do it with 2 factor and use VPN. Use a password manager, and not one like the Google Chrome password manager, to generate and store really ugly and long passwords. Finally, keep your identity on your devices YOURS alone. Don’t even share an identity with your spouse. Create a separate identity (userid) for each person on a computer. You can’t control how they practice security. Create a special local account for your grandkids and put security controls on that local account. (I provide them with a separate device with a Ubuntu education variant.) Don’t share your smartphone with your grandkids. Lock up your router. Get rid of the default password. Don’t let anyone on your personal wifi. Have them use the guest wifi.

    Reply
    • It’s funny how so many people distrust online banking or online shopping when the vast majority of scams happen offline. Used safely, online shopping can be much safer than handing a server your credit card which they take to the back to process or writing a check where your information can be counterfeited or as you mentioned having your snail mail redirected. Although, it does seem that the address redirection scheme would get the scammers busted, as after a few days, a victim would go to the PO to find out why they aren’t getting any mail and being shown the change of address. At that point, the police would get involved and arrest the scammers for mail fraud.

      Reply
  25. Unfortunately, even when precautions are taken sometimes people get compromised. In Canada sometimes you are not compensated unless you make a big enough stink. Even if you disable online banking, change your password, and tell the bank that you are being defrauded, sometimes the criminal can find a way through the bank’s infrastructure (and I don’t know how they managed to do it). I will be migrating my accounts to two-factor authorization in the very near future. I was avoiding the hassle since I had very little money in the accounts which have online access, but it appears the dangers are increasing.

    https://www.cbc.ca/news/business/banks-deny-compensation-online-fraud-security-1.5322982

    Reply
  26. I’ve been working since 1982 and married since 1988. Been through the evolution from being paid with cash, to being paid with a cheque which I had to stand in line at the bank to deposit, to now being paid via direct debit from my employer’s account to my account. Also moved from withdrawing cash inside the bank to withdrawing cash at the ATM. Evolved from paying my household bills with cash to paying with cheques, to paying online. (And when my daughter and son-in-law borrow money from me, they repay me online too).

    I refuse to let any fear of online banking put me back where I was in 1982 or 1988. The biggest annoyance though is that one of the banks forces a password change every 2 to 3 months. Maybe it’s for my own protection, but the notice always pops up at an inconvenient time when I’m rushing to do an important transaction.

    Reply
    • When banks first came into being, I’m sure there were many people afraid to trust their money with the banks. And we learned in high school that people resisted greenback dollars and now most people don’t think twice about unbacked money. We use it every day. With every new technology, there’s a resistance from many, kind of a newtechnophobia. I’ve never had any fraudulent activity against my account due to online banking and shopping. But I’ve had fraudulent transactions against my credit card due do some employee grabbing the numbers and a couple of forged checks. My bank reversed both of those debits from my account and I lost nothing. That’s also another count in favor of online transactions. It seems like the bank takes full responsibility for allowing fraudulent activity and not sufficiently protecting the account.

      Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.