Online Bank Security
Remember those old movies where the bank robber needed to “crack” the safe? In my mind’s eye he’s crouched in front of a big metal cube, holding something like a stethoscope up to the door as he slowly turns the dial of the combination lock. Slowly, slowly, while his compatriots wait behind him with silent anticipation. Then…presto! The door swings open and the bags of cash are theirs for the taking.
I’m not sure if there are any more of those specialized safe crackers around anymore. Times have changed and the new crook isn’t crouched before a lead safe. More than likely, he’s sitting at a computer (and that computer could be anywhere in the world).
That’s because, with so much of our financial transactions performed digitally, he doesn’t actually have to get into the bank vault to get your money. What he needs is access to your account, that digital representation of your own personal “safe.” In a way, your password, account number, and other identifying information is the combination; once he has those…presto! Your hard earned money is transferred from your account to his pocket.
There are no armed guards outside this digital safe. Instead, most banks employ a high level of technological security on their side, encrypting communications between your computer and their system, offering two-factor authentication, etc. It would be a difficult task for a hacker to force their way through these levels of security (dare I make the comparison to Fort Knox?) and gain access to your account.
Unfortunately, there is a weak link and the weak link is you. And me.
The user. Like the poor bank clerk in the old movie, we know the combination and it is up to us to hold out despite the thieves tactics, because if we give up our account information the safe will be open and our money removed. There are no guns waving in our faces, though. No threats and sneers from black-hatted desperadoes. Some of the most popular tactics of the modern bank robber are much more clever:
Phishing. Smishing. Vishing.
In a way, these three methods all employ the same social engineering tactics via different means. Phishing uses email: unexpected communications that appear to be from your bank (even employing your bank’s logo and/or very official looking privacy/security lingo in small print at the bottom of the message) and ask for your information. The ruse might be a variety of things. Sometimes they say there’s been a security breach and they need your account information to be sure your money is safe. Or maybe they claim that the bank is updating its systems and needs you to confirm your account. Whatever the purported reason, the goal is to get you to type in your password and account information and click “send.” Once you do: presto!
Vishing uses the phone. You get a call from someone purporting to be from your bank. There’s been a case of fraud, they say, or there have been some misplaced funds that need to be transferred to your account. Or maybe they claim to be from the IRS and warn that you have back taxes due; unless you pay immediately, there will be legal action taken. No matter the pitch, the goal is to get you to give them account information that will allow them to bypass the bank’s security and access your money.
Smishing is much the same, only via text message or SMS. With so many banks now using text alerts, it isn’t a surprise to get a text from our financial institution, and it’s easy to assume that a request – claiming to be from your bank – is legitimate.
There are certainly other methods of password stealing (the use of malware and the use of other hacked systems to guess a password, for example, are covered in detail elsewhere). These three methods, however, are among the most popular and continue to become more and more believable and sophisticated.
Despite this, phishing, vishing, and smishing have one glaring weakness: Legitimate banks will never ask for your personal information via these means. They will never ask for your social security number, account number, or your credit card info via a phone call, email, or text. They will never threaten you with legal action unless you give over this information or transfer funds to a separate account. They will never ask for your password in any way. They just won’t do it.
So keep your head. When you get that urgent email, unnerving phone call, or convincing message, don’t follow the impulse to act quickly. Take a breath. Recognize the request for what it is (a scam) and if you are really concerned, visit your bank’s trusted website and log in to see if there are any alerts. Or call their official customer service number. Or even stop in to check with a real live human being standing behind the desk (they still have those, by the way). This will confirm that the suspicious message was, in fact, not from the bank and that your accounts are safe and secure.
Then you can rest easy.