When the Internet was first envisioned, it was seen as a place where information could be shared freely. Yet now the biggest concern for Internet users is how to keep their personal information from being shared too freely – with scam artists and criminals who can and do put the information to devious use.
Nowhere is this more apparent than with online banking, which has evolved over the years to cope with an ever-evolving threat to the security of online transactions.
One of the most important things to know about online banking is that the weakest link in the security chain is almost without fail the user and not the systems the bank has in place. This is why most attempts at gaining access to accounts aim either to trick the user into surrendering account information or to intercept that information when the user attempts to access an account.
The basis of any online banking security system is still a password. Some sites now require passwords that include a number, a symbol, at least one capital letter, at least one lower case letter, and are in excess of seven characters long. If this sounds unnecessarily complicated, it is eye-opening to go through lists of the most common passwords people use. Due to the need to remember many passwords, people will often use the same password for many sites and services, including their online banking. This is not a good habit, even if the password is strong. The strength of a password is determined by how complex it is, making it harder to guess. Therefore, a longer password containing letters and numbers, as well as upper case letters, will be much stronger than a single word.
However, many people tend to be quite lax when it comes to selecting passwords. In the aftermath of a hack that exposed the passwords of 32 million users of a popular social network site in 2009, the predictability of many passwords was shocking.
The password used most often, by 290,000 people, was 123456, a very simple number sequence. Even worse, second place was held by 12345, with third place going to 123456789. The first word in the list came in at number four and was ‘password’. A large number of people also used the name of the website as their password, while 1234567, 12345678 and abc123 also made it into the top ten passwords. Other passwords often found on lists are ‘qwerty’ (the first six characters in the upper row of a computer keyboard) and ‘letmein’.
Such simple passwords can easily be guessed, allowing a hacker easy access to an account without even having to steal passwords.
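The check below is an added example, not code from any bank or from the original article. It combines the composition rule described above with a deny-list of the common passwords the article names. The `site_name` parameter and the step that strips digits and symbols from both ends before the deny-list lookup are assumptions made for illustration.

```python
import string

# The common passwords named in the article.
COMMON = {"123456", "12345", "123456789", "password", "1234567",
          "12345678", "abc123", "qwerty", "letmein"}

def password_problems(password, site_name=""):
    """Return the reasons a password is rejected (empty list = accepted)."""
    problems = []
    if len(password) <= 7:              # must be in excess of seven characters
        problems.append("too short")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.islower() for c in password):
        problems.append("no lower case letter")

    lowered = password.lower()
    # Assumption: a common word decorated with digits or symbols at either
    # end ("Password1!") is treated the same as the bare word.
    core = lowered.strip(string.digits + string.punctuation)
    if lowered in COMMON or core in COMMON:
        problems.append("common password")
    # The article notes many users chose the website's name as the password.
    if site_name and site_name.lower() in lowered:
        problems.append("contains site name")
    return problems
```

"Password1!" satisfies every composition rule yet is still rejected, which is why the deny-list check is needed alongside the character rules.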
Most banks also offer the option of using an on-screen keyboard rather than a standard keyboard to enter your login information. Although this might seem rather unnecessary, the feature was created in response to key-logger software that can record keystrokes, thus allowing hackers to find passwords and login details.
Although key-logger software has a valid role to play on your computer, viruses will often attempt to access this information and send it to a hacker in order to grant them access to your account. Fortunately, antivirus programmes can detect and remove programmes that attempt to do this.
The use of multiple security questions is also an effective response against key-logger software, as the security question is cycled through a number of different options, which means that the answer logged by the key-logger software may not be the correct answer the next time around.
Another level of security is provided by security questions that ask for random characters from a password. Unless the password itself has been compromised, this is a very secure method, as the entire password is never entered into the system after the initial setup.
Even the strongest password in the world is worth nothing if you hand it to the scam artists on a silver platter. This is why the most effective scams are still phishing scams, where the scam artists lure their victims into volunteering their personal information, including passwords and login details. The scam will often involve an e-mail, purporting to be from a bank, claiming that your login details need to be updated or changed. The e-mail itself will contain a link which, when clicked on, takes the victim to a site which appears similar to that of the bank in question. However, once the login information has been entered, it means that the scam artists now have access to the victim’s bank account.
This is still one of the most difficult scams for banks to defend themselves against, as the user ‘volunteers’ their details to the criminals. Banks therefore inform their customers of the risks involved, and often carry very visible messages on their home pages making it clear that they will never ask for their clients’ login details by e-mail.
Some banks have added even greater levels of security to online banking transactions through the use of one-time passwords and similar systems.
One of the first things scam artists will do once login details for an online banking account have been obtained is to create a new beneficiary in order to pay money into an account they control. However, when a new beneficiary is created, some banks will send a one-time password to the account holder, often in a text message to a mobile phone. Unless this code is entered, the new beneficiary cannot be created and the scam artist cannot transfer the money from the account.
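The beneficiary check described above can be sketched as follows. This is an added example, not any bank's implementation; the `send_sms` callback, the six-digit code, the five-minute validity window and the three-guess limit are all assumptions.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed validity window for a code
MAX_ATTEMPTS = 3        # assumed number of guesses before the request is dropped

class BeneficiaryApprovals:
    """Holds a new beneficiary as pending until the one-time password is entered."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # hypothetical out-of-band delivery callback
        self._clock = clock
        self._pending = {}          # account -> pending request
        self.beneficiaries = {}     # account -> set of approved payees

    def request(self, account, payee):
        # Random six-digit code, delivered to the account holder's phone and
        # never shown in the web session that asked for the beneficiary.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account] = {"payee": payee, "code": code, "attempts": 0,
                                  "expires": self._clock() + OTP_TTL_SECONDS}
        self._send_sms(account, code)

    def confirm(self, account, submitted):
        req = self._pending.get(account)
        if req is None:
            return False
        if self._clock() > req["expires"]:
            del self._pending[account]      # expired codes are discarded
            return False
        req["attempts"] += 1
        # Constant-time comparison so timing does not reveal a partial match.
        ok = hmac.compare_digest(req["code"].encode(), submitted.encode())
        if ok or req["attempts"] >= MAX_ATTEMPTS:
            del self._pending[account]      # single use, limited guesses
        if ok:
            self.beneficiaries.setdefault(account, set()).add(req["payee"])
        return ok
```

With only the stolen login details, a caller can reach `request` but never sees the code, so the payee is never added to `beneficiaries`.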
Security tokens also add another level of security, requiring a piece of hardware to be present along with the password when the account is accessed. This means that merely obtaining the login details to an account will not grant access unless the security token is also obtained, making online banking systems using security tokens virtually impossible to hack through traditional means.