Michael Horowitz

Defensive Computing

Being alert about online banking

From the get-go, I didn't trust online banking.

To make my case to Windows users, I instruct you to start Internet Explorer. If you are running version 7, go to Tools -> Manage Add-ons -> Enable or Disable Add-ons, and then look at the four different sub-categories of add-ons. If you are running IE8, go to Tools -> Manage Add-ons and review the various add-ons of each type (for Toolbars and Extensions, be sure to show all).

Do you know what all those add-ons are? What they do? Where they came from? I suspect many of you will answer no, no and no. If that's the case, then you are trusting unknown software that lives inside Internet Explorer every time you use the Web browser.

Even Firefox users (on Windows machines) need to be concerned with one type of IE add-on: Browser Helper Objects, or BHOs. They live not only inside Internet Explorer, but also inside Windows Explorer.

My initial hesitancy is fueled by the recent reports of new sophisticated attack methodologies. No longer does your password need to be stolen. Instead, "crimeware", once installed on a Windows machine, simply waits for you to log on to a banking website. After the bank trusts your computer, the malicious software, running silently in the background, transfers money out of your account.

Two-factor authentication doesn't protect you. Secure HTTPS web pages don't protect you. According to Finjan, the new URLZone software doesn't even bother to generate new transactions; instead, it silently modifies the transaction you enter.

In my opinion, people should not conduct online banking from Windows machines. As I've written elsewhere, I feel the safest approach is booting to Linux to run Firefox.

But outside of your computer, alerts can be your best friend. Regardless of the source of the transaction, it's great security to be alerted, via email and/or SMS text messaging, anytime more than a pre-defined amount of money leaves your account. Likewise, it can be very important to be automatically notified anytime your account falls below a certain dollar limit.

So, I checked with my bank, Chase, about setting up alerts. The good news is that Chase customers can set up alerts; the bad news is that only customers can do so, and only online. Walk into a Chase branch, and they can't do it for you, meaning if you, like me, have no online account, then you'll have no alerts. It's pump your own gas, when it comes to Chase banking alerts.

And if you open a Chase online banking account, set up alerts and then close the online account, the alerts go away too.

If you've set up automatic alerts with your bank, please leave a comment below about the experience. They can be a real lifesaver.


Update October 9, 2009: Speaking of being wary of online banking, the head of the FBI is no longer allowed to do online banking. His wife won't let him. 

What People Are Saying

Use tokens with signature support

We have two important parts for each transaction. The account number we want to pay to and the amount. Best way to protect you is to use a bank that has tokens. But the token must support entering numbers, signatures.
1. Add a new account you want to send money to. Sign the account number in the token. You don’t need to repeat this next time.
2. Send money. Sign the amount in the token; every time.

Please don't just focus on authentication. For bank security we need secure transactions.
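The two signing steps described in the comment above, sketched as an added example (not code from the article, the commenter, or any bank). The HMAC construction, the 8-digit code, the per-transfer `challenge`, and all names and values are assumptions chosen for illustration.

```python
import hashlib
import hmac

def token_sign(key: bytes, purpose: str, digits: str, challenge: str = "") -> str:
    """Code the token shows for digits the user keys into it (hypothetical scheme)."""
    mac = hmac.new(key, f"{purpose}|{digits}|{challenge}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

class Bank:
    """Server side: shares the token key and checks codes against the request it received."""
    def __init__(self, key: bytes):
        self.key, self.payees = key, set()

    def add_payee(self, account: str, code: str) -> bool:
        ok = hmac.compare_digest(code, token_sign(self.key, "payee", account))
        if ok:
            self.payees.add(account)
        return ok

    def transfer(self, account: str, amount: str, challenge: str, code: str) -> bool:
        if account not in self.payees:
            return False  # payee was never signed by the account holder
        expected = token_sign(self.key, "amount", amount, challenge)
        return hmac.compare_digest(code, expected)

def demo() -> dict:
    key = b"constructed-demo-key"  # constructed sample secret, not a real key
    bank = Bank(key)
    results = {}
    # Step 1: the user keys the payee account into the token, once.
    results["add_payee"] = bank.add_payee("12345678", token_sign(key, "payee", "12345678"))
    # Step 2: the user keys the amount and the bank's challenge into the token, every time.
    code = token_sign(key, "amount", "100", "4711")
    results["honest_transfer"] = bank.transfer("12345678", "100", "4711", code)
    # Request changed on the PC after signing: the amount no longer matches the code.
    results["altered_amount"] = bank.transfer("12345678", "5000", "4711", code)
    # Request redirected to an account the user never signed.
    results["altered_payee"] = bank.transfer("99999999", "100", "4711", code)
    # Payee submitted with a code the user produced for a different account.
    results["forged_payee"] = bank.add_payee("99999999", token_sign(key, "payee", "12345678"))
    return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, "accepted" if ok else "rejected")
```

Because the code is computed over the digits typed into the token rather than over the login session, a request that differs from what the user signed fails verification at the bank.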

And you are surprised by this?

"And if you open a Chase online banking account, set up alerts and then close the online account, the alerts go away too."

And you are surprised by this?

Re: Being Alert About Online Banking

I have email alerts set up on my online banking account. The alert is for when the account balance drops below a certain amount.
I don't know if alerts are available without an online account at my bank (SunTrust).
As I have the only Linux machine in our home, all banking log-ons are done from my computer.
We only use the online banking account for checking transactions and balance, but I do realise that while I do not pay bills or enact other transactions, my account is still vulnerable.
Banks should take online security more seriously. I am only required to enter a user name and password to access the online account.

Banking Alerts

My daughter just started college. I opened a joint account for her so that I could keep it funded. BofA has more types of alerts than I'll ever need.
I get a daily balance, an over limit AND an under limit (I set the limits) and alert if the card is used out of state or out of the country.

I look for the balance alert every day - so if any malware shut it off, I'd know.

I also have the alert sent to her so she can't say she didn't know she was low on funds...talk about Big Brother...but this one really eases my mind.

banking alerts

More power to you. I'm too lazy to watch a balance on a daily basis. I would settle for alerts of outbound transfers over a certain dollar amount. The out of state and out of country alerts are great ideas.

Alerts

I believe for most of the people that are using online banking such alerts will not help. Why?

Because the 'next version' of the malware will find how to turn them off online. The same way it found how to transfer money from the account.

What I have seen in the market is an SMS confirmation with a PIN code that the user will need to type in for a money transfer transaction to take effect. This applies to any transfer, online or offline.

validating the transaction

The alerts are not generated on your computer, so I can't imagine malware on your computer doing anything to interfere with the alerts.

The SMS confirmation for each transaction is indeed a great approach for security. It defeats even the latest types of malware which depend on the session being validated and then granted carte blanche.

The eternal trade-off is security vs. convenience. The extra confirmations of each transfer may seem like too much of a hassle for some people. Then again, booting to Linux to run Firefox is also a hassle.

Booting PuppyLinux from a CD or USB Flash Disk is Easy.

Yes booting to Linux to run Firefox or SeaMonkey might be a hassle to have secure online Banking.

But with a PuppyLinux CD, you can boot from CD easily and have a secure convenient environment for your online banking.

http://www.puppylinux.org

Download a 105MB pup431.iso file and burn image to CD disk with multisession enabled. You now have a CD that you can boot from in any computer that you use on the internet. Since PuppyLinux loads totally from the CDROM and runs totally in RAM, you have a quick secure easy to use Linux to do your online Banking with. When you shut down Puppy Linux and remove the CD ROM no trace will be left on the computer you just used. The CD Rom cannot catch Malware or Viruses. So you have a secure environment to use over and over again for online banking.

Give PuppyLinux a try by downloading and burning .ISO image to a CD ROM. You can also install PuppyLinux from a booted CD to a USB Flash disk. Now boot a PC with a USB Flash disk inserted into a USB port by selecting the USB Flash disk from the BIOS Boot Menu after pressing the F12 key.
This is so cool to have a portable Linux run from a USB Flash disk key.

Did your Windows XP or Windows Vista Crash? Save the day by booting from your PuppyLinux USB Flash disk key.