
Sunday, 28 February 2016

How safe are we when doing online or mobile banking?


E-banking tip: Mom's maiden name? Say 'grapefruit'

Millions of people do their banking online through their computers, laptops or tablets and find their experience to be quick, easy and convenient.  In addition, according to a study last year by the Federal Reserve, 52% of smartphone owners use their smartphones for mobile banking, which is not surprising since so many of us, particularly younger Americans, do many of our financial transactions of all kinds on our smartphones.

But how safe are we when doing online or mobile banking?

The bad news is that we can be quite susceptible to having our identities stolen and our bank accounts emptied when doing online or mobile banking.  The good news is, however, that how susceptible we are to this danger is largely within our control.

Most banks require a person to enter a user name and a password when banking online or by using a smartphone.  Scam artists, the only criminals we refer to as artists, can be quite adept at getting you to provide your user name and password to them.

Using a knowledge of psychology that would have made Sigmund Freud envious, they use phishing techniques, most commonly through emails or text messages, that trick you into either providing this information directly in response to the email or text message or clicking on links containing keystroke logging malware that can steal your user name and password from your electronic device along with all of the other information stored on your device.

These phishing emails are often designed to make you think that there is an emergency, such as a security breach of your bank account requiring you to provide confirming information.  Many times the emails are quite poorly designed, for instance carrying a salutation of “Dear Customer,” and coming from an address with no relationship to your bank and containing poor grammar.

However, other times, through a technique called “spear phishing,” the scammer uses personal information about you that may have been gathered through hacking of the computers of companies with which you do business to make the email or text message look more legitimate.  It will be directed to you by name, the email address from which it is sent may appear to legitimately be that of the bank with which you do business, the grammar is good and it may even carry the logo of your bank, which is easy to forge, on the email.

Spear phishing can be hard to recognize, which is why it has been at the heart of many of the major cyberattacks we have seen in recent years, ranging from the data breach at the OPM to the recent ransomware attack at the Hollywood Presbyterian Medical Center.  Once the criminal has your user name and your password, he or she can access your account at many banks and steal your money.

So what can you do to protect yourself from this danger?  Remember my motto, “trust me, you can’t trust anyone.”  Never provide personal information in response to a phone call, text message or email you receive until you have independently confirmed that the request for information is legitimate.  In addition, it is a good idea to have anti-phishing security software installed on all of your devices.

As an additional security measure, some banks require that you provide answers to security questions in addition to merely providing your user name and password in order to access your bank account online or through your smartphone.  This provides an additional measure of protection; however, in many instances, the security questions are little more than your mother’s maiden name, which is simple for an identity thief to find online.

Even what would appear to be more difficult security questions, such as the name of your pet or your favorite sports team, can be easy for an identity thief to determine merely by looking at what you post online through social media.  The first way to make security questions more secure is to limit the amount of personal information you provide online through social media.

However, perhaps the best way to dramatically improve the strength of your security question is to use a nonsensical answer when you set up the account.  For instance, if the security question is what is your mother’s maiden name, make your answer something ludicrous, such as “grapefruit.”  This is an answer that no identity thief will ever find and it is silly enough to make it easy to remember.

For increased security, some banks, such as Bank of America and Chase, even offer dual factor authentication: when you enter your user name and password to access your account, a random password is sent to your smartphone that must be used to gain access to your account.  This seems like it would be foolproof, but never underestimate the power of a fool.

Scammers are now calling their victims’ mobile service providers, posing as the victim and telling the provider that the victim’s phone has been damaged, lost or replaced and that they need to reactivate the mobile number on a new SIM card in a phone controlled by the criminal.

A SIM card is an integrated circuit that stores information used to authenticate subscribers on smartphones.  Once the SIM cards have been swapped and the criminal uses the already stolen user name and password to begin accessing the victim’s account, the one time password the bank sends to access the account goes to the new SIM card in the phone of the criminal.  Better use of security questions before service providers will change SIM cards can help to reduce this risk.

Online banking on your computer or smartphone can be safe if you take the right precautions.  As with so many things, the best place to find a helping hand is at the end of your own arm.

Steve Weisman is a lawyer, a professor at Bentley University and one of the country's leading experts in scams and identity theft. He writes the blog scamicide.com, where he provides daily update information about the latest scams. His new book is Identity Theft Alert.
