The 7-11. You take a penny from the tray, right? Well those are whole pennies, right? I'm just talking about fractions of a penny here. But we do it from a much bigger tray and we do it a couple a million times.
April 5, 2012 5:19 AM   Subscribe

What are the risks of online banking? Has anyone developed best practices for consumers and bankers regarding security?

I do about 100% of my banking online. I have three savings/checking accounts that are linked to my credit cards/investment accounts/bill paying systems/etc.

What happens if my money is gone one day?

Presumably, banks would be liable to consumers to the extent that the theft came through a failure in the bank's security. But it seems like whether a breach was a result of the bank's security failure or a user's failure could be covered with a lot of gray.

FDIC insurance would presumably cover deposits in the event of a bank failure.

I don't even pretend to know how this would happen, but there seem to be a lot of points at which it could:

1. Me
2. My internet access points (laptop, work, phone)
3. Man in the middle/Phishers/other intermediary exploits
4. Any number of other points within the banking system

It seems like this is going to happen at some point, but you never hear about this on a broad policy level. Who's thinking and writing about the implications of this and best practices to avoid risk?

I read Threat Level and Bruce Schneier's blog, but both tend to be focused on actual tactics more than policy in this area.
posted by benbenson to Computers & Internet (10 answers total) 8 users marked this as a favorite
Response by poster: PS: I'm familiar with PCI and not particularly impressed. And encryption is useful but it seems like there are dodges and backdoors.
posted by benbenson at 5:21 AM on April 5, 2012

What happens if my money is gone one day?

Like, how? You just wake up one day and the account is zeroed out?

Only two ways for that to happen.

One is for there to be some transaction on the record, i.e., you're the victim of identity theft or just bank fraud. Banks know how to deal with this, and while an enormous pain in the ass, you can get your money back most of the time. The reason you don't hear a ton about it is because it's 1) not all that common, and 2) relatively easy to deal with, all things considered. It's a known risk, and there are policies and procedures in place for handling it.

The other is for there to not be a transaction on the record, i.e., there's been some error in the bank's system. This is both more and less worrisome. More because it undermines the integrity of the institution, but less because your money hasn't actually gone anywhere. As soon as they figure out what the problem was, it'll be back. And assuming you've got statements--and if you don't, the bank presumably does--resetting your balance should be trivial.

For what it's worth, I've never, ever heard of the latter happening.
posted by valkyryn at 6:16 AM on April 5, 2012

Best answer: The American Banker's Association actually covers a lot of these things in their various working groups.

Security is actually a big thing in the various deposit institutions, although internet security usually follows the best practices of the technology industry, rather than the Banks coming up with things on their own (technology-wise). It's the same thing as asking about firewalls and DMZ's - there are industry best practices around how to handle security around those things from a wide variety of organizations.

As for the whole social manipulation thing (phishing, bogus emails, etc) and YOUR access points - there isn't anything the banks (or any merchant) can do about those, other than making it harder for you to log in, in general. I mean, they could start mandating you use a RSA SecureID rotating pin number for log in, and so forth, but that becomes prohibitively expensive for everyone at some point.

It's very easy to get a Bank's policy on unauthorized access to you account, and what they will refund you (which is usually everything, although as valkyryn states - can be a pain in thass and take some time depending on the situation).
posted by rich at 6:22 AM on April 5, 2012

Even if you had an old-fashioned passbook savings account, your bank would still be manipulating your money electronically. I mean, it's not like they have an envelope full of cash labelled "benbenson" in the vault. There's no "real" money there, whether you're experiencing it as online banking or not. Someone could still steal/lose your money out of the bank's computer.

The only time money has been "just gone" from my bank account, it was because I dropped my debit card on the street and didn't notice for 3 days. That was my mistake, for sure! But the bank still didn't hold me responsible for purchases the person who found/stole my card made (though it took a few weeks for the money to find its way back to my account).
posted by mskyle at 6:32 AM on April 5, 2012

Best answer: Regardless of whether you do online banking or nor, your bank does online banking. There's already countless connections between the banks that hold your paychecks, the brokerages that hold your retirement accounts, and those that hold your debys. The merchants you shop at send your credit card info every time you make a purchase and your entire financial history is whisked off to whomever pays for a credit check on you. All of this happens every day with or without you participating.

So the only part in your control will be you using your bank's front end for customers. To keep you safe there you should be doing all the things you do to keep you safe on the rest of the internet: keep your OS patched, keep your browser patched, keep your antivirus up to date and use good judgement when entering your credentials ANYWHERE. That being said, I like to do as much of my banking from my smartphone as possible for several reasons:

1. My bank has their own app. This way if something goes wrong, they can't blame me for using the "wrong" software

2. There aren't, as far as I know, any keyloggers etc. for unjailbroken iPhones and (I think) the same holds true for unrooted Androids

3. I use the 3G connection because, unlike my home router, I'm randomly yanking an IP address along with thousands of others from a cell tower. In the unlikely even someone was trying to sniff my (encrypted!) traffic it's a lot harder to find than my wifi router at home advertising to anyone in a 300ft radius.

That being said, human error and thefts still happen. I've been the victim of both and each time things were resolved withing a couple of business days by backing out the offending transactions leaving me ultimately none the worse for the wear.
posted by Freon at 6:46 AM on April 5, 2012

Presumably, banks would be liable to consumers to the extent that the theft came through a failure in the bank's security.

I wouldn't be so sure. There have been cases of small business being victims of fraud due to weaknesses in banks' security and authentication systems. Courts have sometimes been favoring the banks over the victims in some of these cases - the small businesses are out of luck. In other cases the courts have protected the consumer/small business over the bank.

Paranoid people I know typically segregate their online activities into multiple VMs (or physical machines). Typically, one for general internet use, one for porn, and one for online banking. Most of the attacks against banking are client-side - social engineering / phishing emails load malicious software on your system. I would be less concerned about in-transit attacks.

I advise small businesses to do their bookkeeping and online banking on a dedicated system that is locked down and only online when they need to talk to their bank, payroll, or other providers.
posted by These Premises Are Alarmed at 7:00 AM on April 5, 2012

Best answer: Guidelines for online security are issued to banks from the FFIEC. They have distributed guidelines to FIs for the past several years with recommendations to mitigate the risk for customers of online banking. Banks have to regularly show how they have chosen to meet those guidelines, and are subject to audit and review on the processes/methods they have chosen. These guidelines cannot possibly be updated as quickly as new threats emerge.

I do work in this space for a bank. Our fraud teams say the closest you as a consumer can come to mitigating the risk is to bank on a dedicated PC that is ONLY used for online banking, or better yet boot from a thumb drive and bank from there. I can also tell you that most fraud we see on both the consumer and SB side is a direct result of lax handling of user credentials (including tokens) on the part of the user. I'm not saying external fraud doesn't happen, but it is terribly small for us (knock wood).
posted by ersatzkat at 7:20 AM on April 5, 2012 [1 favorite]

Best answer: Aside from what's been mentioned so far, the single most important thing you could do to mitigate risk if on a PC is to not operate a web browser or e-mail client while logged in as a local administrator. The moment either of these internet applications are compromised, it allows the attacker to run code under the same credentials.

So best practices for securing a PC, for example:
1. Install a good AV solution (like MSE or Avast) and keep it up to date
2. Install a good site advisor (like WOT)
3. Install a good software updater (like Secunia PSI)
4. Create another admin account, and reduce your standard login to a be a standard user by default.
5. Avoid following links in e-mails
6. Look closely at URLs returned in Google or Bing search results

All of these steps will help you avoid "man in the browser" hijacks, where your banking credentials and data could be compromised before it is encrypted by the browser. There are trojans such as Zeus (Zbot), TDSS, Spyeye, Mousetrap, Torpig, etc that can silently take hold in the form of a rootkit and happily log your activity without your knowledge.
posted by samsara at 1:58 PM on April 5, 2012

Switch your business to a bank that offers genuine two-factor authentication rather than wish-it-was-two-factor authentication, and then don't do this with your security token.
posted by flabdablet at 5:20 PM on April 5, 2012

And even then, hope that RSA does not get hacked again...
posted by samsara at 8:24 AM on April 6, 2012

« Older Keep the Lights On - Or Else!   |   Podcast about pop music song construction. Newer »
This thread is closed to new comments.