How dangerous is online banking?

Sure, the Web makes it simple to manage your money. It also makes your account easier to hack into. Here's a look at the risks and realities -- as well as 9 smart tips that can help you protect yourself.

By Carolyn Salazar, MSN Money

Joe Lopez will never forget the day he checked his Bank of America account online and realized that more than $90,000 had vanished.

Months before, the Miami business owner had stopped making weekly visits to his local branch, opting instead to conduct his financial transactions entirely over the Internet.

"I absolutely thought it was safe," Lopez said. "And it was convenient."

What he didn't realize were the risks. A malicious virus had infected his computer and, in a matter of minutes, captured his user name and password -- allowing a hacker to transfer $90,348 to a rogue overseas account.

Lopez got most of his money back months later, after a federal investigation and, eventually, a lawsuit. But his experience taught him the hard way, he says, what many experts have concluded: "Online banking is a danger."

Since its debut just a decade ago, online banking has become one of the fastest-growing Internet activities. Roughly 43% of people who use the Internet, or about 63 million Americans, do some banking there, according to a 2006 survey by the Pew Internet & American Life Project -- even more than make travel reservations online.

But that growing popularity has also brought increasing anxiety over whether something as private and personal as a bank account can be fully protected in the relatively unregulated and unpoliced world of the Internet.

"It's pretty hard not to do online banking because it is so convenient, and people want convenience," said Atul Prakash, a University of Michigan researcher who conducted a study on the risks of Internet banking. "Nevertheless, there are reasons to worry."

Mia Jozwick, a student at Wagner College in New York City, was duped by a “phishing” e-mail made to look like a message from her bank. Thinking it was an important financial notification, Jozwick responded by firing off her user name and password; she learned it was a scam only after someone emptied her account.

'My account was negative $1,000'

To make matters worse: Thieves were also able to steal her identity, because her password was her Social Security number. It took her a year and help from Identity Theft 911, a service agency, to unravel the mess she found herself in.

"It was a nightmare," she said.

How the scams work

Since the birth of electronic commerce, financial institutions have stepped up online security measures to try to make the process less vulnerable to attacks.

Some have spent millions adding more layers of authentication, toughening encryption schemes and going after and shutting down bogus bank sites.

But that hasn't stopped hackers, who continue to look for ways to exploit security gaps.

Among the most popular attacks are phishing schemes that duplicate bank Web sites and ask customers to log on to their accounts. Others send e-mails, purportedly from bank employees, asking for sensitive financial information. Often the two work in tandem, with an e-mail containing a link that directs recipients to a bogus bank site. Both scams are designed to steal user IDs and passwords as a customer types them in, giving a cyberthief access to the person's financial accounts.

Other cyberthieves embed viruses, spyware or "Trojan horses" -- programs that can give thieves unauthorized access to a computer by recording and sending out a user’s keystrokes. These programs allow thieves to look over your virtual shoulder as you type in sensitive financial information. Within seconds, your savings and checking accounts, even your investments, could disappear.

How big a problem are we talking about? The numbers are tough to pin down: Experts say there are no reliable studies showing how much money is lost through online banking alone, primarily because banks themselves can't always pinpoint the source of how a crime occurred, whether on the Web or through an ATM.

But various reports offer hints at the magnitude. For instance, about $3.2 billion was lost to phishing attacks in 2007, according to a survey by Gartner, a technology research firm -- with about 3.6 million people losing money to these attacks over 12 months.

"It's a huge business," said Graham Cluley, a senior technology consultant at Sophos, a spam-fighting security firm. "The scammers are literally making millions, and they can be based anywhere in the world."

And the attacks are increasing.

Take the so-called Sinowal Trojan, a virus that injects what seem like legitimate pages into someone's browser, then steals the user's log-in credentials. In probably one of the largest online banking breaches known to date, the virus has compromised 300,000 online bank accounts and about 250,000 credit and debit card accounts over the past three years, according to a study published in October by California's RSA FraudAction Research Lab -- with more than 100,000 online bank accounts hit in the past six months alone.

And there are thousands more Trojans out there, many of them specifically targeting online banking customers.

"There is definitely more risk than there was one or two years ago," said Avivah Litan, a Gartner analyst.

She said her clients have told her they've noticed the assaults have doubled in the past six months: "The attacks are so vociferous and manipulative that even the big banks can't stop them."

What are the banks doing?

That's not to say banks are not trying. For a small fee, Bank of America -- the largest online banker in the United States -- recently introduced the SafePass card, a wallet-sized card embedded with a button that, when pressed, sends the customer a six-digit security code via text message. The customer can then enter the code along with his/her user name and password to access an online account. For business accounts or wealthier clients, some banks also offer SecurID, a token-like device that generates a new six-digit code every minute that users need to log in to their accounts.

Bank of America, along with other financial institutions, also has started an alert system advising customers by e-mail or text every time a transaction occurs. "Protecting the safety and security of our customers' information is our top priority," Bank of America spokeswoman Britney Sheehan said.

But not all banks offer the same level of security. "If you are going to do the bulk of your transactions online, you should really shop around to find a bank that has the best security measures," said Anthony Reyes, the CEO of New York's ARC Enterprises, which investigates computer intrusions. "But you have to also make sure you are doing everything right on your side."

Protect yourself

So should you be avoiding online banking altogether? Not so fast: There are risks associated with traditional banking as well.

More than three-quarters of banking fraud stems from offline factors, such as check fraud, mail theft or a lost wallet, according to the 2007 Online Banking Security Report, released by Javelin Strategy & Research, a California firm.

"When you're online, even though you have a lot of risks, you're more in control because you can do something about the risk -- you can monitor your accounts, and you can say no to the malicious junk," Javelin President James Van Dyke said. "In the old-fashioned world, such as the paper and mail world, you can't do much to keep prying eyes from looking at those paper checks and paper statements."

But others point out that online crooks can target thousands, if not millions, of accounts at once, making Web banking the more lucrative target.

"To compromise half a million accounts, you'd have to raid millions of mailboxes -- probably 20 (million) to 30 million in the mail world. But online it could take a matter of seconds," Gartner analyst Litan said. "So in terms of hit rate, online banking is not as safe."

Experts suggest that anyone using online banking should take these steps:

1. When logging on to a bank Web site, a user should look closely at the site's URL to make sure it matches the bank's name. A more secure URL will begin with "https://" and be followed by the bank name. Make sure the bank's padlock is displayed in a corner of the site before you log on.

2. Log on to banks only from a secure computer. Never log on from a public computer in a hotel or cafe, and be careful when logging on to unknown networks with a laptop.

3. If you get a warning e-mail, call your bank -- don't click on any provided links.

4. If your computer is acting strangely -- for instance, reacting slowly or getting pop-ups -- avoid using it for online banking until you can get it checked out.

5. Keep anti-virus and anti-spyware software up to date.

6. Install and maintain a firewall.

7. Never respond to any e-mail that requests personal information.

8. Be leery of fly-by-night, Internet-only banks with high interest rates on savings or checking accounts. Make sure the bank is FDIC-certified and is insured.

9. And, most importantly, use a different user name and password for each financial account. The password should be complex, with numbers and symbols, and changed regularly.

Still, there are no guarantees.

"It annoys me when people say these consumers are dumb, (that) they fell for it," Litan said. "They are not dumb. These criminals are really good, and you'd have to be a total security geek to stop everything."

One final precaution: Know the rules. Federal regulations require that banks return money lost to electronic transactions, but the customer has up to 60 days to detect the fraud and two business days to report it. Meanwhile, different banks have their own rules -- look them up before you shift your banking to the Web.

For Lopez, the lesson was painful. As a business owner, he had to sue his bank to try to recover the money; the case settled last year. (There are fewer federal laws covering business accounts, which have tighter security than personal accounts but tend to have less protection against online breaches.)

Now Lopez is back to old-fashioned banking methods and following up his transactions with phone calls.

"I don't do any online banking anymore. Nothing, zero," he said. "I'm so paranoid."

Produced by Anh Ly

Published Jan. 28, 2009