Number 307 - December 2008

Are Your On Line Financial Transactions Secure?
by Cass Lewart (rlewart@monmouth.com)


Convenience For You, Saving For The Bank
   The main reason for conducting financial transactions on line, as compared with doing it by mail, by phone, or in person, is convenience. The question is how secure on line transactions are. As you will find out, convenience and security do not always go together.

   More and more computer users do their financial transactions on line. Paying a bill, checking your stock portfolio, investing, and transferring cash from your checking or savings account to pay your credit cards are made simple with on line access. You do not have to write checks, address envelopes, check if the postal rates increased again, find an appropriate stamp and take your letter to the mail box.

   You can access your bank, your broker or a credit card by means of financial programs such as Quicken or Money, or you can access an account directly by logging into your financial institution or a credit card issuer. The advantage of on line banking for you is convenience; the advantage to the financial institution is tremendous cost savings. Keeping a "brick and mortar" place of business is very expensive in terms of rents, salaries and investments in real estate. By comparison, keeping a presence on the web is relatively inexpensive. The huge savings allow a financial institution to assume some risk and keep the customer "whole" in most cases of fraud. As such policies vary from one financial institution to another, check for specific policies before you start with on line banking.

Precautions to Take
   Are you a gullible type open to scams? If you are, then forget about on line banking. My mailbox is full of official sounding emails supposedly from the IRS, PayPal, eBay or my local bank. They either promise refunds and rewards or list some dire consequences if I do not respond -- my account will be suspended, my refund stopped and my cat will be thrown into boiling water. All I have to do to avoid such consequences is to enter my password and other details of my accounts. If you do, then do not be surprised if your cash quickly evaporates.

   When you connect on line to a financial institution make sure that the URL starts with "https" and not "http", where "s" stands for a secure connection. Many browsers also display a closed lock when connected to a secure site.

   I will therefore assume that you are fairly cautious, financially savvy and are ready for on line banking.

Convenience versus Security
   The major threats to a secure transaction are as follows:
   
  • The key logger is a malware program inserted on your computer which records the keys pressed and forwards the information to a third party. Such programs are often embedded on public access computers in Internet cafes or libraries. Therefore good advice is not to conduct sensitive business in public places.

  • A sniffer program analyzes Internet traffic and extracts information from data packets addressed to specific web addresses.

  • Fake sites masquerading as legitimate sites.

   Here are some of the methods used by financial institutions to protect your account from such threats. As the level of protection increases, it is less and less convenient to follow them.
       
  • Protection through a unique user name and password. Simple and convenient but relatively easy to break.

  • When you log in with your user name, the institution responds with a picture and a secret word which you select when establishing the account. Only after you recognize the picture and the secret word are you prompted to enter your personal password. This approach protects you from giving your password to a fraudulent site.

  • When you log in with the account number, a virtual keyboard with scrambled numbers and letters appears on the screen. You then enter your password by clicking on the virtual keyboard. This approach protects you from key loggers and sniffers as the virtual keyboard changes every time you log in.

  • You get a unique look up table by mail. The financial institution prompts you to enter a letter or number from the look up table. Unless you have this table you will not be able to access your account. Secure but not convenient. This method in connection with other methods is used for Treasury Direct accounts.

  • Account access is limited to your computer. The financial institution sends a cookie to your computer. If it is not found, then the transaction cannot be completed. Simple, with a good level of protection, but somewhat inconvenient.
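
   The look up table method from the list above, sketched from the bank's side as an added example (not code from the article or from any financial institution). The 5 by 8 card layout, the three-cell prompt, the lockout after three failures and all names are assumptions chosen for illustration.

```python
import hmac
import secrets
import string

ROWS, COLS = "12345", "ABCDEFGH"           # assumed card layout: 40 cells
ALPHABET = string.ascii_uppercase + string.digits


def issue_card():
    """Bank side: random table that is printed and mailed to the customer."""
    return {c + r: secrets.choice(ALPHABET) for r in ROWS for c in COLS}


class LookupTableCheck:
    """Bank side of the prompt: ask for a few random cells, accept one try."""

    def __init__(self, card, cells=3, max_failures=3):
        self.card, self.cells = card, cells
        self.failures_left = max_failures   # short answers need a lockout
        self.pending = None

    def challenge(self):
        if self.failures_left <= 0:
            raise PermissionError("account locked; contact the bank")
        # Fresh cells on every login, so an answer captured by a key logger
        # or sniffer does not fit the next prompt.
        rng = secrets.SystemRandom()
        self.pending = rng.sample(sorted(self.card), self.cells)
        return list(self.pending)

    def verify(self, answers):
        if self.pending is None:
            return False                    # no outstanding prompt (replay)
        expected = "".join(self.card[cell] for cell in self.pending)
        self.pending = None                 # single use, right or wrong
        given = "".join(answers).upper()
        # Constant-time comparison avoids leaking how many characters matched.
        ok = hmac.compare_digest(expected.encode(), given.encode())
        if not ok:
            self.failures_left -= 1
        return ok
```

   Each prompt is answered once and then discarded, which is what makes a recorded answer worthless to whoever captured it.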


Charges Against Your Bank Account
   Another potential problem may arise when you give permission to utility companies and credit card issuers to automatically charge your bank account without additional authorization. The only way to find out if an unauthorized payment has been made from your bank account is to look at your statements. If you see a questionable payment, notify your bank immediately. Fraudulent transactions can be reversed.

Conclusions
   You should always consider who your potential enemies are. Is it a group of thieves with limited resources or is it a government organization? While it is relatively easy to protect yourself from the first group using caution mixed with some paranoia, it is nearly impossible to protect yourself from the second group.