JANUARY 16, 2009 (http://bulletin.aarp.org) - Nearly half of Internet users bank online, enjoying the convenience of 24/7 access to their accounts and the ability—theoretically—to quickly spot fraudulent activity and protect against identity theft.
But after reviewing hundreds of banking websites, University of Michigan researchers say that three in four have design flaws that could make customers vulnerable to cybercrimes.
“To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country,” says study leader Atul Prakash, professor of electrical engineering and computer science.
These design flaws—which include placing customer login fields and bank contact and security information on insecure pages, allowing the use of Social Security numbers or e-mail addresses as user IDs, and e-mailing passwords or statements to users—leave security cracks through which hackers can gain access to accounts and other personal information.
The average loss per case from online banking fraud is about $30,000, according to the Federal Deposit Insurance Corp. In just three months of 2007, hackers stole nearly $16 million from U.S. residents.
Doug Johnson, vice president of risk management policies for the American Bankers Association (ABA), maintains that online banking is safe but allows there’s room for improvement. “I will say that we brought this study to the attention of our membership and that there are things they need to look at to ensure that online banking websites are not on the wrong side of security walls,” he says.
There are no universal guidelines by the ABA or others for banking websites; the design is left up to individual financial institutions. So how can you protect the confidentiality of your personal information? Prakash offers some tips:
- Examine the website’s URL. It should begin with “https://”—a more secure Web protocol than “http://”. Never enter your user ID and password on any page without that S, says Prakash. Although most banks use the safer https:// on some pages, only a small percentage have it on all pages, his report shows.
- Make sure the bank’s name follows the https:// directly, as in https://www.bankofamerica.com. On an unsafe website some other “host” name comes before the bank’s, so the bank’s name appears only later in the address, as in https://www.oriwa.com/bankofamerica/index.html.
- Don’t trust security indicators, such as padlocks or lock icons inside a page, to show you’re protected. Scammers can duplicate padlock icons on login pages and pages containing what’s billed as bank contact information. On such a page, Prakash tells Scam Alert, “a hacker could change an address or phone number and set up a fake call center to gather private data.”
- Choose longer, more obscure passwords, with at least eight keystrokes—ideally, a combination of uppercase and lowercase letters, numbers and symbols, such as go#Hen2Ry4&z. Never use your Social Security number or e-mail address as a user ID or password, which was allowed by one in four bank websites surveyed by Prakash.
- Don’t click on any incoming e-mail purporting to be from your bank, especially a message asking you to update your passwords or accounts. Instead, bookmark your bank’s homepage and access your accounts that way. Also, don’t accept offers from your bank to e-mail you passwords or statements, which can be intercepted by cybercrooks.
- Never conduct online banking from a public computer in an Internet cafe or local library, or even with your own computer in an airport or hotel. Also don’t bank online when your computer is very slow or has many pop-ups; those conditions may signal the presence of a virus that could include “keyloggers,” which pass along your keystrokes to a hacker.
- Whether you bank online or receive your statements in the mail, immediately report any suspicious withdrawals or other account activity to your bank.
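The URL and credential rules from the tips above, turned into two small checks. This is an added example, not code from the article or from the University of Michigan study; the bank domain, the sample addresses and the sample credentials are constructed for illustration. The host check goes slightly beyond the single example in the tips: it accepts the bank's own domain and its subdomains and rejects any other host, including a lookalike host that merely contains the bank's name.

```python
"""Checks for the online-banking tips: https scheme, bank-owned host,
and a user ID / password that is not an SSN or e-mail address.
Added example; not code from the article. Domain and samples are constructed."""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed: the domain(s) the customer's bank actually owns.
BANK_DOMAINS = {"bankofamerica.com"}

# Rough shapes of a U.S. Social Security number and an e-mail address,
# used only to flag values that should never serve as an ID or password.
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def login_page_is_safe(url: str, bank_domains=BANK_DOMAINS) -> Tuple[bool, str]:
    """Decide whether a page asking for a user ID and password passes the tips.

    Returns (ok, reason). The scheme must be https, and the *host* part of the
    address (not the path) must be the bank's domain or a subdomain of it.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, f"scheme is '{parts.scheme or 'missing'}', not https"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host in address"
    for domain in bank_domains:
        if host == domain or host.endswith("." + domain):
            return True, f"host {host} belongs to {domain}"
    # The bank's name may still appear in the path or inside a lookalike host;
    # that is the pattern the tips warn about, so it is rejected.
    return False, f"host {host} is not the bank's domain"


def credential_problems(user_id: str, password: str) -> List[str]:
    """Return the tips' objections to a user ID / password pair (empty = none)."""
    problems = []
    for label, value in (("user ID", user_id), ("password", password)):
        if SSN_RE.match(value):
            problems.append(f"{label} looks like a Social Security number")
        if EMAIL_RE.match(value):
            problems.append(f"{label} is an e-mail address")
    if len(password) < 8:
        problems.append("password is shorter than eight characters")
    has_all_classes = (
        any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )
    if not has_all_classes:
        problems.append("password does not mix uppercase, lowercase, digits and symbols")
    return problems


if __name__ == "__main__":
    # Constructed sample addresses: the bank's own page, the same page over
    # plain http, the path trick from the tips, and a lookalike host.
    for sample in (
        "https://www.bankofamerica.com/login",
        "http://www.bankofamerica.com/login",
        "https://www.oriwa.com/bankofamerica/index.html",
        "https://www.bankofamerica.com.example.net/login",
    ):
        print(sample, "->", login_page_is_safe(sample))
    # Constructed sample credentials, including the article's example password.
    print(credential_problems("jsmith", "go#Hen2Ry4&z"))
    print(credential_problems("123-45-6789", "password"))
```

The host check uses the parsed host name rather than a substring search, which is the whole point of the second tip: a bank's name appearing somewhere in the address proves nothing unless it is the domain the browser actually connected to.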
The FDIC also provides consumer advice on online banking.
Sid Kirchheimer is the author of Scam-Proof Your Life (AARP Books/Sterling).