Online banking is nice and convenient. But it does come with certain risks. Just as you hear of people being robbed at ATMs, or having their cards cloned, so online accounts are also a point of vulnerability.
Follow these 8 tips and you can minimise the risks to your finances and bank safely online:
1. Choose an account with two-factor authentication
Try to get a bank account that offers some form of two-factor authentication for online banking.
These days many, but not all, banks offer a small device that can be used to generate a unique code each time you log in. This code is only valid for a very short period of time and is required in addition to your login credentials in order to gain access to your online account.
2. Create a strong password
If your bank requires a user-generated password in order to access online accounts make sure you choose one that is strong. The best way to achieve this is by making it long and a mix of upper and lower case letters, numbers, and special characters.
Always avoid using any common words or phrases and never create a password that contains your name, initials, or your date of birth. If your bank allows it, change your password every few months.
When setting up online banking, if your bank asks you to provide answers to some standard security questions remember that the answer you give doesn’t have to be the real one.
So you don’t have to answer “Thumper” to the name of your first pet – make it something else, as if it was a password. Use a password manager if you are concerned about how to remember everything!
3. Secure your computer and keep it up-to-date
Security software is essential these days, regardless of what you use your computer for.
As a minimum, make sure you have a firewall turned on and are running antivirus software. This will ensure you are protected from Trojans, keyloggers and other forms of malware that could be used to gain access to your financial data.
You’ll also want to keep your operating system and other software up-to-date to ensure that there are no security holes present.
4. Avoid clicking through emails
No financial institution worth their salt will send you an email asking you to provide any of your login details.
If you receive an email that appears to be from your bank that asks for such details then treat it with suspicion as it may well be a phishing attempt to trick you into handing your credentials over.
Likewise, be aware of links in emails that appear to be from your bank – this is a trick often employed by the bad guys to get you onto a website that looks like your bank. When you log in to ‘your account’ they will steal your username and password and, ultimately, your cash.
It is always safer to access your online bank account by typing the address into your browser directly.
Also, be aware of unsolicited phone calls that purport to be from your bank. While your financial institution may require you to answer a security question, they should never ask for passwords or PINs (they may ask for certain letters or numbers from them, but never the whole thing).
If in doubt, do not be afraid to hang up and then call your bank back via a telephone number that you have independently confirmed as being valid.
5. Access your accounts from a secure location
It’s always best practice to connect to your bank using computers and networks you know and trust.
But if you need to access your bank online from remote locations you might want to set up a VPN (Virtual Private Network) so that you can establish an encrypted connection to your home or work network and access your bank from there.
Look for a small padlock icon somewhere on your browser and check the address bar – the URL of the site you are on should begin with ‘https’. Both act as confirmation that you are accessing your account over an encrypted connection.
6. Always log out when you are done
It is good practice to always log out of your online banking session when you have finished your business. This will lessen the chances of falling prey to session hijacking and cross-site scripting exploits.
You may also want to set up the extra precaution of private browsing on your computer or smart phone, and set your browser to clear its cache at the end of each session.
7. Set up account notifications (if available)
Some banks offer a facility for customers to set up text or email notifications to alert them to certain activities on their account. For example, if a withdrawal matches or exceeds a specified amount or the account balance dips below a certain point then a message will be sent.
Such alerts could give quick notice of suspicious activity on your account.
8. Monitor your accounts regularly
It should go without saying that monitoring your bank statement each month is good practice as any unauthorised transactions will be sure to appear there.
But why wait a whole month to discover a discrepancy? With online banking you have access 24/7 so take advantage of that and check your account on a regular basis. Look at every transaction since you last logged in and, if you spot any anomalies, contact your bank immediately.
The above tips should go a long way to ensuring that you enjoy the advantages offered by online banking without experiencing any of the pitfalls.
If you have any more advice to add to this, please do so in the comments below.
Safe banking to you all!
Make sure you are logged out of anything else
Don't access your banking account when you are currently also online in your Facebook account, other social network or similar site, where phishing and hacking regularly visit. Typing in your password could be recorded while you are logged in elsewhere.
I don’t even use the same browser for anything else. Some browsers are designed to be spyware while others have spyware thrust upon them.
Under 4. Avoid clicking through emails, you say
"Also, be aware of unsolicited phone calls that purport to be from your bank. While your financial institution may require you to answer a security question, they should never ask for passwords or PIN numbers (they may ask for certain letters or numbers from them, but never the whole thing)."
It is totally unacceptable for anyone to phone me, claiming to be from my bank, and ask me to answer a "security question". They phoned me. They know they have my phone number. There is a good chance that I am the right person. I have absolutely no idea who they are, and if the question really is a matter of security, the onus is on them to prove their identity first.
There are only two plausible reasons why a bank would do such a thing. Either it is a deliberate policy so that if my answers to their "security questions" are ever compromised, they can prove that I have been careless in giving them to anyone who asks for them. Or they are stupid.
Never use your "PIN number" (personal identification number number) while directly connected to "AC current" (alternating current current).
So THEN you could chime in and ask "why must I turn off my Air Conditioning…"? Give up, it's correct. 😂
Also, don't forget your tin foil hat.
L.
Some are failing to see Mr. Languages teasing about "PIN numbers". You know, like the ones you use at the "ATM Machine"… They are not correct. =)
Before logging into your bank account close the browser. Completely. Open it, clear the cache (or set the browser to clear the cache on shutdown, more convenient), go to your bank webpage (type it), log in, do your business, log out. Clear the cache. Close the browser.
Once you get used to this you do it automatically and, honestly, it does not take so much time; you will not even notice any difference.
From a KISS perspective it may be easier to get buy-in to instead say "use a different browser for banking". Example: If you use Firefox for everyday surfing, use Chrome for banking.
Since most folks tend to use the same browser for everything, by using an alternate browser for banking the cleaning up you're after wouldn't be necessary. Of course you could additionally advise to set the "banking browser" with minimal/no cache, purge history on exit, have add-ons/plugins disabled, etc.
Or run the banking browser in privacy mode aka porn mode.
I am one for forgetting my password often, so I've thought of a novel one and have changed it to the word "Incorrect" so whenever I make a mistake the site will come back and tell me "Your Password is Incorrect" LOL
Hahahahaha! That's funny! :o}
Sadly, very very few banks have real two-factor authentication. Hint: Asking you to enter something else you "know" – e.g., favorite pet, birthplace, mom's maiden name, etc. – does NOT constitute two-factor authentication.
Bank of America has two-factor authentication.
There are three authentication models: something you know, something you are, and something you have. For true two-factor there need to be two DIFFERENT models used, like a password (something you know) and a one-time password token (something you have).
Make sure your bank stores passwords in an encrypted format. If you click on the "forgot password" and the bank sends your password in plain text, then they are storing it in plain text (or are using an encryption method that isn't worth a grain of salt)!
Really? This is great to know. I might have to test my forgotten password! Thanks for the tip
Why aren't we talking about the US Government's ability to force companies into giving over their SSL Certificates?
My HSBC Business account requires the use of Trusteer Rapport security. And Norwich & Peterborough Building Society require that too. Having installed it I find that all banks including Paypal are making use of it. Has Sophos any opinion on Trusteer Rapport?
When accessing your bank account from a smart phone, always use an app provided by the bank rather than a browser.
No, don’t use the app. Apps are often not very secure.
Why should we be interested in German government concerns with Firefox, back in March 2010?
I was advised to never use an administrative account on the computer when accessing my online banking.
It's not just banking. I suggest you don't do _anything_ on your computer logged in to an administrative account unless you explicitly need the privileges that come with an admin account to accomplish a particular task.
I'd recommend logging in as a user with the lowest possible level of privilege you need to get your normal activities done and then use sudo or runas if you need to accomplish something with admin privileges.
Thanks for the article.
The 9th thing we would all like to do is choose a bank that has a record of never losing any account data for its customers. I.e., never being hacked into in a way that would give access to any personal and business account to someone other than the account holder or bank staff.
Use a Linux live system from CD. Never use a smartphone; it is smart enough to outsmart you.
Be aware, phishing emails are similar to “look-alike” websites during online banking. They are very similar to the emails sent by your bank but then redirect you to a URL that is not your bank’s; your data can be harvested from such URLs and misused.
1st, never save your banking details anywhere except your brain.
2nd, always use a live OS to log in or to do online transactions.
3rd, always choose login details different from your name, date of birth, vehicle number etc.
(You can choose something different and easy to remember that’s hard to guess, like the name of the newspaper you read including digits and symbols, e.g. dailymail@9am.) It sounds funny but it’s very effective.
4th, every time before logging in use a VPN and activate HTTPS Everywhere plugins + disable plugins in the browser.
Use only an original live OS so there is no chance of a hidden keylogger inside it. Better to use any Linux live OS running on USB; easy for everyone.
Don’t use online banking on public connections.
Don’t type your OTP anywhere on the Web without checking the links properly; it can be a phishing page.
A virtual machine is not going to help you much, remember this.
I agree that it is a good idea to set up an account notification if it is available. This is really nice because then you are alerted almost instantly if something weird is going on. You might even consider setting an intense tone to go along with it when that message comes through. A siren is probably a good noise to have go off to let you know it’s an emergency.
I never knew that you should choose an online banking account with two-factor authentication. I am looking for a new bank to set up a checking account with. Thanks for the tips on safer online banking.
To be safer you need to adopt various ways which can prevent you from any fraud, as you need to create a strong internet banking password which hackers cannot easily crack, as there is various software which easily breaks weak passwords, so try to make a password with a combination of uppercase, lowercase and special characters, as these types of passwords are hard to crack. Be careful when you use ATM machines because sometimes ATM distributors turn out to be frauds.