3 Non-Negotiable Security Features for Online Banking

The current state of online banking: passwords are not enough, users do not receive transaction notifications, and security questions increase the risk to banking customers.

Pay careful attention to how you access your online bank account. If it’s easy for you, it may be equally easy for criminals.

Hardly ever does a week go by without someone mentioning unauthorized transfers to me. In every case the victim notices money disappearing from their account as a result of what appears to be a normal transaction.

Take this morning for example. A young man notices a money transfer *to* his employer in an amount exceeding his balance by $200. The money was “e-transferred” to the recipient whose name he recognized, but whose destination email had been changed.

The bank will likely cover the losses or reverse the transaction, but that’s not likely to last. As recently as last month, a similar situation unfolded, but culminated in the bank’s refusal to cover the losses, indicating that the victim was responsible for safeguarding their password to prevent the account take-over (ATO).

Money transfers from your bank account should always be accompanied by a notification email, so you know when it happens.

Trusted Users

Indeed, ATO occurs when user credentials are lost or stolen, but that’s not entirely the fault of the user. In fact, every bank customer will tell you that they realize the sensitivity of their online banking account and respect it for its importance. Why would they knowingly share their access credentials or even allow their password to fall into the wrong hands? If anything, they protect it to a higher degree than they do their other passwords.

So what’s going on here? Could it be that the tools available to users are inadequately matched to the sensitivity of the asset being protected? Could users be trusted to protect their password? Absolutely, but there’s a catch: not if they ever have to use their passwords. Indeed, any time you enter your password into a phone, computer, telephone keypad, website or even password database, there is a very real risk of its being compromised. Keyloggers, virus infections, untrusted phones, buggy software and unpatched systems all contribute to a risk that compounds over time.

Risk vs. Risk

Can this risk ever be fully eliminated? No. But can it be mostly mitigated? Absolutely — and the solution has been with us for over a decade. 2-Factor Authentication (2FA) is all that’s needed. It’s simple, quick, secure and easy for banks to adopt. And yet, most do not. Why? Because their understanding of risk means weighing the risk of confusing users with the added requirement of entering a code after their password against the risk of having to cover the ensuing losses. The decision, to date, has been easy. They’re sitting on insured cash, so they will not only cover the losses, but look good doing it, because they will spin it as if they’re acting in the customer’s best interests.

Unfortunately, this is not sustainable. More and more, banks are refusing to cover losses under the pretext that the victim ‘waited’ over a month to report the situation, used an infected machine or simply failed to ‘take steps’ to protect their privileged access to the bank’s infrastructure.

Faulty Reasoning

Banks always have full visibility into all transactions, and their investment in anti-fraud and intelligent systems means that they assign a fraud risk rating to each and every transaction. They can do these things, but they care about friction, salience and any number of psychological elements that would bring unnecessary concern to users. They want to make it look easy. And it is, but unfortunately, antiquated security features also make it easy for cybercriminals to carry out their nefarious activities.

Staying on topic with the fancy-sounding ATO compromises, here are three things you absolutely need to watch out for when it comes to online banking:

Go ahead and edit the contacts on your list: you may be surprised at the number of online banking transactions that result in zero email notifications. In other words, unless you really scrutinize your bank statement, you may never find out about these transactions. Worse, even when you do scrutinize it, unauthorized transactions may look exactly like legitimate ones, leaving you to foot the bill for the amount lost unless you can convince your bank otherwise.

As usual, prevention is better than the alternative, so pick up the phone and call your bank to ask about 2FA and advice on how to enable email notifications for all transactions. The faster you learn of an unauthorized transaction, the more likely it is that the bank can reverse it and you can enjoy the rest of your day.

Fīat jūstitia, ruat cælum. Personal musings on data protection fails, snafus & oddities, collected & edited by Claudiu Popa; author, educator, booknerd.