Legend has it (incorrectly, it seems) that infamous bank robber Willie Sutton, when asked why banks were his favorite target, responded, "Because that's where the money is."
The modern-day Willie Suttons of the world target bank Web sites for the same reason. With online transactions, money is represented in the form of electronic records of ownership, which means online bank robbers can steal more money, in less time, than by stealing literal currency--and they don't even need a getaway car. But that doesn't mean online banking necessarily has to be a riskier proposition.
"Internet banking is terribly secure," says Brad Adrian, an Internet banking analyst with Gartner. "Financial services providers...make their systems as secure as possible."
But, he says, "unscrupulous people using phishing, keystroke collection, or similar activities" to steal your passwords or account numbers are a growing problem.
Phishing scams, in which attackers use spoof e-mails and Web sites to lure users into entering personal financial information (such as credit card numbers, bank account information, and passwords), have increased in the last several months. Yet even though public awareness of these scams has grown, people continue to fall victim to them in increasing numbers.
The click-through rate on phishing e-mails is 3 percent, estimates Avivah Litan, vice president and research director at Gartner. That compares with a response rate of about 0.5 percent for spam, Litan says. One possible reason for this: People take e-mail from their bank very seriously. Part of the solution is better customer education, Litan adds, but banks could also do more to prevent the scams from working in the first place.
Online criminals--including those who phish for a living--have become even more sophisticated, creating fraudulent Web sites and e-mail messages that are harder to detect. Professional phishing criminals even work current events into their attacks to make them seem more realistic: One recent scam, for example, posed as an e-mail soliciting campaign donations.
To combat the growing problem, credit card issuers and financial institutions are experimenting with new technologies to make cards harder to forge and easier for consumers to use.
But some of these attempts might be misguided. For example, some companies are experimenting with so-called contactless payments. An RFID chip embedded in a card would let a customer pay by simply waving the card toward the RFID reader. Still unanswered is the question of whether users would have to either leave their credit cards in the car or enclose them in Mylar (which blocks the radio signals these cards emit), to prevent card data from being stolen while they walked through stores. Next month, card companies and credit card issuing banks will weigh the trade-offs between the convenience of contactless payments and the risks to customers at the Smart Card Alliance Conference.
For users trying to assess the security of an online transaction--banking or otherwise--the Public Key Infrastructure group, an industry association that deals with card security, recommends users look at five aspects of the transaction: customer authentication, customer authorization and privacy, security of the purchase data, and nonrepudiation (meaning a customer cannot deny their actions after they click the "buy" button).
Authentication (are the parties to a transaction who they claim to be?) and authorization (does each party have the authority to perform the actions?) can pose major problems for individuals. How can customers be sure they have reached a legitimate bank Web site? And how can the bank make sure the person logging in to your account is really you?
One interesting concept that might partly solve this problem is called "shared secrets." You send a file to the bank, perhaps a photo of your kids. When you log in to the bank Web site, that picture is displayed. If you don't see the picture, you know you've reached the wrong site. The problem, of course, is that you have to type in your user ID and password before seeing the picture. While this verifies the bank's Web site to you, the bank must still make sure it's really you on the other end of the transaction.
To be effective this solution requires a second layer of security. Gartner's Adrian suggests that the customer be required to click on a predetermined area of the picture. Even better, the customer could be required to click on a sequence of areas in a specified order. For example, if you uploaded a photo of your dog, you would click on his nose and then his mouth. Some banks are also looking into using so-called two-factor authentication, where you have to enter two passwords to log on: Your own password, and a "throwaway" password on a scratch-off card the bank sends you in your monthly statement. After you've used the throwaway password, you (or a data thief) can never use it again.
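To make the two-step login concrete, here is an added example that models the flow just described: a password check that unlocks the customer's shared-secret picture, then a click sequence on that picture plus a scratch-off "throwaway" password that the bank burns after one use. This is illustrative code written for this article, not software from any bank or from Gartner; the BankServer class, its method names, the sample customer "alice", the picture name "rex.jpg" and the scratch codes are all constructed for the demonstration.

```python
"""Toy model of shared-secret picture + one-time scratch-off password login.
Added example (assumed design), not any bank's real system."""
import hashlib
import hmac
import secrets


class BankServer:
    ITERATIONS = 50_000  # PBKDF2 work factor, kept modest so the demo runs quickly

    def __init__(self):
        self.users = {}  # user_id -> enrollment record

    def _hash(self, salt, value):
        # Passwords and scratch codes are stored only as salted PBKDF2 hashes,
        # so a stolen copy of the database does not hand out usable codes.
        return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, self.ITERATIONS)

    def enroll(self, user_id, password, picture_id, click_sequence, scratch_codes):
        salt = secrets.token_bytes(16)
        self.users[user_id] = {
            "salt": salt,
            "pw_hash": self._hash(salt, password),
            "picture_id": picture_id,            # the photo the customer uploaded
            "clicks": list(click_sequence),      # regions to click, in order
            "unused_otps": {self._hash(salt, c) for c in scratch_codes},
        }

    def login_step1(self, user_id, password):
        """Password check. On success the server returns the shared-secret picture
        to display; a site that cannot show it is not the bank."""
        rec = self.users.get(user_id)
        if rec is None:
            return None
        if not hmac.compare_digest(rec["pw_hash"], self._hash(rec["salt"], password)):
            return None
        return rec["picture_id"]

    def login_step2(self, user_id, clicks, otp_code):
        """Second layer: the predetermined click sequence on the picture, then a
        scratch-off code that is discarded the moment it is accepted."""
        rec = self.users[user_id]
        if list(clicks) != rec["clicks"]:
            return False
        digest = self._hash(rec["salt"], otp_code)
        if digest not in rec["unused_otps"]:
            return False
        rec["unused_otps"].discard(digest)  # never valid again, for anyone
        return True


def run_scenario():
    """Walk one constructed customer through the flow and report each outcome."""
    bank = BankServer()
    bank.enroll("alice", "correct-horse-battery", "rex.jpg",
                ["nose", "mouth"], ["A1B2-C3D4", "E5F6-G7H8"])
    results = {}
    results["wrong_password_shows_picture"] = bank.login_step1("alice", "guess") is not None
    results["picture"] = bank.login_step1("alice", "correct-horse-battery")
    results["wrong_click_order"] = bank.login_step2("alice", ["mouth", "nose"], "A1B2-C3D4")
    results["first_use"] = bank.login_step2("alice", ["nose", "mouth"], "A1B2-C3D4")
    # A thief who captured the code from the first session tries it again:
    results["replay_by_thief"] = bank.login_step2("alice", ["nose", "mouth"], "A1B2-C3D4")
    results["next_code"] = bank.login_step2("alice", ["nose", "mouth"], "E5F6-G7H8")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The replay step is the property the article emphasizes: once a scratch-off code has been accepted, the same code fails even when the password and click sequence are correct. Storing the codes as salted hashes rather than in the clear is a design choice added here; the article does not say how banks store them.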
If your online bank doesn't offer this type of security, there are still steps you can take to protect yourself.
Make sure your online banking password is at least six characters long and includes both letters and numbers. Avoid using the same password you use for other sites, and avoid obvious combinations such as your street address or the combination of your first initial and last name. If your institution allows it, create a hard-to-guess user name as well.
If you receive an e-mail allegedly from your bank, never click the link in the e-mail message. Instead, type the URL of your bank right into the browser's Address bar yourself, and forward the e-mail to a known, legitimate bank e-mail address. Chances are excellent that, if you ask the bank if it sent the e-mail you received, you'll find out it didn't.
If you believe you've reached your bank's Web site, check the security certificate before you type in any personal information. In Internet Explorer, select File, Properties and click the Certificate button. The name on the certificate should match your bank's name. Then select View, Privacy Report to see more details about the site's privacy policies.
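The browser's certificate dialog is doing a name comparison behind the scenes, and the same check can be done in code. The following is an added example, not part of the original article: it takes a certificate in the dictionary shape that Python's `ssl` module returns from `getpeercert()`, collects the DNS names the certificate was issued for, and tests whether the site name you typed is among them (including one-label wildcard entries). The certificate dictionary for "examplebank.test" is a constructed sample, not a real bank's certificate; `fetch_cert` is a helper added here that performs the same check against a live site through the standard library's default verification.

```python
"""Does the certificate name match the bank's site name? Added example."""
import socket
import ssl


def cert_names(cert):
    """DNS names a certificate covers, from a getpeercert()-style dict."""
    names = [value.lower() for kind, value in cert.get("subjectAltName", ())
             if kind == "DNS"]
    if not names:
        # Older certificates without subjectAltName: fall back to the commonName
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value.lower())
    return names


def hostname_matches(cert, hostname):
    """True if hostname equals one of the certificate's names, or fits a
    wildcard entry that covers exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for name in cert_names(cert):
        if name.startswith("*."):
            suffix = name[1:]  # e.g. ".online.examplebank.test"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif name == host:
            return True
    return False


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_BANK_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Bank (constructed sample)"),),
        (("commonName", "www.examplebank.test"),),
    ),
    "subjectAltName": (
        ("DNS", "www.examplebank.test"),
        ("DNS", "examplebank.test"),
        ("DNS", "*.online.examplebank.test"),
    ),
}


def fetch_cert(hostname, port=443):
    """Connect to a live site with full verification (hostname and chain);
    raises ssl.SSLCertVerificationError if the certificate does not match."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for site in ["www.examplebank.test", "login.online.examplebank.test",
                 "www.examplebank.test.evil.test", "examplebank-secure.test"]:
        print(f"{site}: {hostname_matches(SAMPLE_BANK_CERT, site)}")
```

The two look-alike names in the demo are the kind a spoof site would carry: they contain the bank's name but are not the bank's name, and the comparison rejects them. A certificate whose subject reads correctly but was issued to a different host is exactly what the Properties dialog in the article is meant to expose.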
Most banks insist that you use a browser with at least 128-bit encryption. Also, remember that most Trojan horse viruses are aimed at Internet Explorer. To be extra safe, try using an alternative browser, such as Mozilla, Mozilla Firefox, Opera, or Netscape.
If you have an "always on" Internet connection, never store your online banking information on the PC. Adrian, the Gartner analyst, stores his online passwords in an encrypted area of his PDA. He also suggests using many different passwords, and keeping track of them with the PDA. Of course, you then have to worry about battery life, but in the long run that's less important than an unexpected, precipitous drop in your checking account balance.
The bottom line: Online banking need be no more risky than its offline counterpart, as long as you take the time to protect yourself.