Online Banking Security: When to Trust the Internet

Offshore banking normally means operating your bank account through internet banking facilities, since the bank's geographical remoteness obviously prevents you from visiting it in person every time. While internet banking offers you fast, round-the-clock access to your funds, it also brings certain security risks.

Banks take every possible measure to protect the data transmitted and processed during internet banking, and do so quite successfully. However, they can hardly influence the security level on the client's side. Only a combination of methods on both sides can ensure solid protection of the information from third parties.

This week we asked our IT Department to prepare a review of internet banking security: what banks do to secure your money, and what you should not overlook when using online banking systems. Although the article mostly deals with technical issues, we recommend that you take a look at the main points and apply them when choosing a bank and operating your account online.

What Banks Do for Online Banking Security

Banks use a variety of methods to prove the identity of the remote customer and to secure the transmission of data. Here we will talk about the most reliable and widely used ones.

Secure Connection – SSL Data Encryption

This is what no internet banking system can work without: SSL (Secure Sockets Layer) encryption, which ensures the privacy of communication between you (your browser) and your bank's server. It is usually used from the login stage until the end of the online banking session. If your bank provides at least 128-bit SSL encryption (the secure page's URL always starts with "https://"), you can be sure nobody can decrypt and read what you send to your bank, and vice versa.

Here are the technical details of the SSL protocol if you are interested.

Now, once the secure connection between the two computers is established, the bank needs the remote client's identity to be proven.

Login and Password

One of the most widespread ways to check your identity is to ask you to enter your login and password. The bank will never ask you to disclose your login and password by email, post or phone. Some banks require you to change your password every N days or months; others only recommend doing so regularly. However, protection through single-password authentication cannot be considered secure enough for online banking. That is why a second layer of security exists: PIN/TAN systems and digital-signature-based internet banking.

PIN/TAN Security Systems

The PIN (personal identification number) is the password used for login, and the TAN (transaction authentication number) is a one-time password used to authenticate transactions. TANs can be distributed in different ways. For example, the bank can generate a list of 50 TANs and send it to the client by post, which is enough to last a normal user half a year. Some banks generate a TAN for each transaction and send it to the client by SMS; others provide their clients with special software for TAN generation. There are also so-called security token devices that generate TANs using mathematical algorithms, time synchronization or random numbers. Security token devices are believed to be the most secure way to generate transaction authentication numbers.

TANs are considered strong security because they act as a form of two-factor authentication: if the list of TANs is stolen, it cannot be used without knowing the password, and vice versa, if the login details are stolen, no transaction can be completed without a valid TAN.
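The following added example (not code from the original article or from any bank) shows how a time-synchronized security token and the bank's side fit together: the token derives a six-digit TAN from a shared secret and the current 30-second window in the style of RFC 6238, and the bank accepts a transaction only when both the PIN and an unused, fresh TAN are presented. The secret, PIN and timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared between the bank and the customer's token.
# A real token's secret is provisioned by the bank; this value is made up.
TOKEN_SECRET = b"constructed-demo-secret-0123456789"
STEP_SECONDS = 30   # time-synchronization window of the token
TAN_DIGITS = 6


def generate_tan(secret: bytes, unix_time: int) -> str:
    """Time-synchronized TAN: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** TAN_DIGITS).zfill(TAN_DIGITS)


class BankAuthorizer:
    """Bank-side check: a transaction needs the PIN *and* a fresh, unused TAN."""

    def __init__(self, pin: str, secret: bytes):
        # Unsalted SHA-256 keeps the demo short; a real system uses a salted password hash.
        self._pin_hash = hashlib.sha256(pin.encode()).hexdigest()
        self._secret = secret
        self._used_counters = set()   # replay protection: every TAN is one-time

    def authorize(self, pin: str, tan: str, unix_time: int) -> bool:
        supplied = hashlib.sha256(pin.encode()).hexdigest()
        if not hmac.compare_digest(supplied, self._pin_hash):
            return False              # first factor (knowledge) missing
        counter = unix_time // STEP_SECONDS
        # Accept the current window and the previous one to tolerate small clock drift.
        for c in (counter, counter - 1):
            if c in self._used_counters:
                continue              # this TAN was already spent
            if hmac.compare_digest(generate_tan(self._secret, c * STEP_SECONDS), tan):
                self._used_counters.add(c)
                return True           # second factor (possession of the token) confirmed
        return False
```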

Digital Signature Security Systems

Digital signatures are used to reproduce the security properties of a handwritten signature on paper. The main idea is to bind a special cryptographic key to an identity. The keys used for signature generation and encryption can be stored on a variety of storage media or on smart cards.

What You Can Do to Secure Your Internet Banking

By following the advice below you can reduce your security risks when banking online to a minimum.

Use Secure Web Browsers

Mozilla Firefox, Opera, Safari. Don't believe all those paid reviews saying that Internet Explorer (IE) is the most secure browser nowadays. Any web security expert will tell you the truth: Internet Explorer is still too deeply integrated with the operating system (Windows), and this makes it vulnerable. See the comparison of unpatched publicly known vulnerabilities and the BrowseHappy website for more details.

Use Secure Operating Systems

Mac OS, Linux or another UNIX-based OS. Of course, you can still use Windows, but you have to do some work to make it secure enough for online banking. Also, install OS updates promptly, whichever system you use.

Use Secure Email Clients

Such as Mozilla Thunderbird, The Bat!, Opera Mail, Mac OS X Mail, etc., unless you use web-mail only. Your bank may send you information about your bank account that you would not want anyone else to see. The bank will not send you login details for your online banking in plain text, of course, but any correspondence between you and your bank should nevertheless stay confidential. Please bear in mind that, where security is concerned, Microsoft Outlook has the same problem as Internet Explorer.

Use Antiviruses, Antispyware Tools and Firewalls

Especially if you are on Windows, because the vast majority of known computer viruses are dangerous only to Windows. A firewall is software that monitors all incoming and outgoing connections between your PC and the internet and allows only authorized or familiar connections. Using a good antivirus and a firewall on a continuing basis is very good practice for any internet user.

Virtual Private Networks (VPN)

A VPN can be an extra layer of security and privacy. For example, you can use a VPN if you need absolute privacy when banking online, so that nobody will even know that you were on your bank's website. Using a SOCKS5 proxy for such purposes would work well too. There are VPN service providers around the world who can offer you their VPN servers in different countries and whom you can consult.

General Rules to Prevent Social Engineering Being Used Against You

“Social engineering is the art of manipulating people into performing actions or divulging confidential information” (from Wikipedia).

People on the Internet are not necessarily who they claim to be. Forging an email address or even a whole website is not a big problem for a professional. Always check that the URL in the browser's address bar corresponds to the real address of the bank's website.
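The address-bar check above and the "https://" rule from the SSL section can be made precise. This added example (not code from the original article) parses a URL and accepts it only when the scheme is https and the host is exactly the bank's host, which also catches a host that merely begins with the bank's name and a URL that places the bank's name before an "@". The bank hostname is a constructed placeholder.

```python
from urllib.parse import urlsplit

# Constructed placeholder for the example; substitute your own bank's real address.
BANK_HOST = "online.examplebank.com"


def is_genuine_bank_url(url: str, bank_host: str = BANK_HOST) -> bool:
    """True only for an https URL whose host is exactly the bank's host."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False                      # secure pages always start with https://
    if parts.username is not None or parts.password is not None:
        # "https://bank.example@other.example/" displays the bank's name but
        # connects to other.example; a real bank URL carries no credentials.
        return False
    host = parts.hostname                 # lower-cased, port stripped
    # Exact comparison: "online.examplebank.com.other.example" must not pass.
    return host == bank_host.lower()


def classify_urls(urls):
    """Map each URL to whether it passes the check; handy for a quick self-test."""
    return {url: is_genuine_bank_url(url) for url in urls}
```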

Never give out any information to anybody unless you are sure you are dealing with the right person. Always pay attention to every single deviation from the routine procedure, for example a request to enter your login details a second time when you don't expect it. The bank will never ask you to divulge your login and password, PIN or TAN by email, post or telephone; remember that. It is also unlikely to ask you to download and install any software. You can always verify the nature of such requests by simply contacting the bank by phone.

Protect your sensitive data, such as PINs, passwords, TANs, access codes and credit card numbers, and don't store it on your hard drive. It is always preferable to remember your password than to write it down.

Choose secure passwords which you can remember, but which are at least 6-8 characters long and combine lower- and upper-case letters, numbers and special symbols. Avoid words that can be found in a dictionary, repetitions of a single character and keyboard patterns (e.g. "qwerty"). Change your passwords every 3-4 months, or as soon as you have reason to worry that somebody may have discovered one.
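The rules in the paragraph above, turned into a checker as an added example (not code from the original article): it reports every rule a candidate password breaks, including a dictionary word that has been disguised with digit-for-letter substitutions. The word list is a constructed stand-in for a real dictionary file, and the minimum length is set to the upper end of the article's 6-8 range.

```python
import re

# Constructed mini word list; a production check would load a full dictionary file.
DICTIONARY = {"password", "banking", "secret", "welcome", "monkey", "letmein"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Common digit/symbol-for-letter substitutions, undone before the dictionary check.
LEET = str.maketrans("01345@$", "oieasas")


def keyboard_pattern(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` adjacent keys from one keyboard row, in either direction."""
    lower = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in lower:
                    return True
    return False


def password_problems(pw: str, min_len: int = 8) -> list:
    """Return the list of rules the password violates; an empty list means acceptable."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special symbol")
    if re.search(r"(.)\1\1", pw):            # the same character three times in a row
        problems.append("repeats a single character")
    if keyboard_pattern(pw):
        problems.append("contains a keyboard pattern")
    normalized = pw.lower().translate(LEET)  # "Passw0rd!" -> "password!"
    if any(word in normalized for word in DICTIONARY):
        problems.append("based on a dictionary word")
    return problems
```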

We believe that our simple advice can make your online banking safe and secure.