The current state of online banking: passwords are not enough, users do not receive transaction notifications and security questions increase the risk to banking customers.
Hardly ever does a week go by without someone mentioning unauthorized transfers to me. In every case the victim notices money disappearing from their account as a result of what appears to be a normal transaction.
Take this morning for example. A young man notices a money transfer *to* his employer in an amount exceeding his balance by $200. The money was “e-transferred” to the recipient whose name he recognized, but whose destination email had been changed.
The bank will likely cover the losses or reverse the transaction, but that’s not likely to last. As recently as last month, a similar situation unfolded, but culminated in the bank’s refusal to cover the losses, indicating that the victim was responsible for safeguarding their password to prevent the account take-over (ATO).
Trusted Users
Indeed, ATO occurs when user credentials are lost or stolen, but that’s not entirely the fault of the user. In fact, every bank customer will tell you that they realize the sensitivity of their online banking account and respect it for its importance. Why would they knowingly share their access credentials or even allow their password to fall into the wrong hands? If anything, they protect it to a higher degree than they do their other passwords.
So what’s going on here? Could it be that the tools available to users are inadequately matched to the sensitivity of the asset being protected? Could users be trusted to protect their password? Absolutely, but there’s a catch: not if they ever have to use their passwords. Indeed, anytime you enter your password into a phone, computer, telephone keypad, website or even password database, there is a very real risk of its being compromised. Keyloggers, virus infections, untrusted phones, buggy software and unpatched systems all contribute to a risk that compounds over time.
Risk vs. Risk
Can this risk ever be fully eliminated? No. But can it be mostly mitigated? Absolutely — and the solution has been with us for over a decade. 2-Factor Authentication (2FA) is all that’s needed. It’s simple, quick, secure and easy for banks to adopt. And yet, most do not. Why? Because their understanding of risk means balancing the risk of confusing users with the added requirement of entering a code after their password, with the risk of having to cover the ensuing losses. The decision, to date, has been easy. They’re sitting on insured cash, so they will not only cover the losses, but look good doing it because they will spin it as if they’re acting in the customer’s best interests.
Unfortunately, this is not sustainable. More and more, banks are refusing to cover losses under the pretext that the victim ‘waited’ over a month to report the situation, used an infected machine or simply failed to ‘take steps’ to protect their privileged access to the bank’s infrastructure.
Faulty Reasoning
Banks always have full visibility into all transactions and their investment in anti-fraud and intelligent systems means that they assign a fraud risk rating to each and every transaction. They can do these things, but they care about friction, salience and any number of psychological elements that would bring unnecessary concern to users. They want to make it look easy. And it is, but unfortunately, antiquated security features also make it easy for cybercriminals to carry out their nefarious activities.
Staying on topic with the fancy-sounding ATO compromises, here are three things you absolutely need to watch out for when it comes to online banking:
- Make sure your bank account has multifactor authentication (another name for 2FA) enabled. If all it takes is a password for anyone to pretend to be you, then there’s little you can do to prove that the last person who transferred your money is not entitled to it. Switching banks is a good way to let your financial institution know that you care about your finances and your peace of mind. Also, that you don’t find the prospect of supplementing your password with a simple code particularly daunting.
- Does your bank ask for trivial security questions when you login? This is called security theater and actually increases your account’s risk of compromise. Why? It’s simple. These are personal details that can often be guessed or unwittingly shared with skilled social engineers in what appear to be entirely unrelated contexts. So if you do see prompts for such things, simply answer anything, but be sure to keep track of your answer (in a password database’s notes section).
- Can you complete e-transfers using your online banking account? There’s a good reason to demand better security. The payees or recipients you have set-up in there can easily be added or edited with different email addresses, so any account thief will head straight there, enter their own email account and proceed to transfer your money. Chances are you might not even receive an email when a new recipient or an existing one is edited. If you’re lucky, you will see an email when the fraudster accepts the transfer and concludes the transaction.
Go ahead and edit the contacts on your list: you may be surprised as to the number of online banking transactions that result in zero email notifications. In other words, unless you really scrutinize your bank statement, you may never find out about these transactions. In effect, even when you do scrutinize it, unauthorized transactions may look exactly like legitimate ones, leaving you to foot the bill for the amount lost unless you can convince your bank otherwise.
As usual, prevention is better than the alternative, so pick up the phone and call your bank to ask about 2FA and advice on how to enable email notifications for all transactions. The faster you learn of an unauthorized transaction, the more likely it is that the bank can reverse it and you can enjoy the rest of your day.
Member discussion: