The latest bank in the UK to fall victim to a DDoS attack was HSBC, which claimed that no customer data was compromised. In July last year, RBS and NatWest were also hit by Distributed Denial of Service (DDoS) attacks, which flooded their websites with traffic, temporarily shutting them down. This resulted in bad publicity and complaints from many customers. Fortunately, customer accounts were not compromised, so the bad publicity was all the damage the attacks caused.
DDoS attacks, where bad guys flood a website with so much work that it folds under the pressure, aren't even strictly a security issue on their own. Unless the DDoS is part of a recipe to steal stuff, it's a nuisance that is more about someone flexing their muscles than doing damage. Luckily, in the cases of RBS, NatWest, and HSBC, no data was stolen; however, these incidents do raise the question of whether online banking is secure. So is there a security issue at hand?
Is online banking secure?
The power to secure your online banking mostly rests with you, the online banking user. Of course, your bank may get attacked but if the bad guys get into the systems of the bank itself, you’re protected by insurance and other mechanisms that mean you will have no real financial hit. Most often, though, online banking is exposed one poorly secured account at a time as bad guys get username and password combinations from much weaker targets, like email accounts or online shopping accounts. They then find someone used the same password at their bank, which means the bad guys are able to work their way in from there.
The moral of the story is to use every single security feature your bank gives you. Turn on the bit that sends codes to your phone when you log in. As annoying as it may be, use a completely different username and password for the online banking account – at least a very different password. Don’t make yourself an easy target. Understand that you are a target for sure – we all are. But also understand that with all those other easy targets out there, just a bit of precaution can make you too annoying for the bad guys to spend time on.
Do banks have all the right security measures in place?
Having seen the sophisticated and comprehensive things banks do to protect online banking, it’s safe to say there are many layers of the latest security tech protecting major banks. They are doing everything every other IT shop does and more. They are patrolling activities, searching for fraud with sophisticated intelligence. Banks have complex systems to ensure that IT administrators on the inside of the banks can’t just do as they please with their privileges.
And there are layers and layers of security checks and balances to attempt to give users convenient yet secure access. Every bank with online banking will check to see if they’ve seen your laptop before. They make multi-factor authentication available to allow for a second check of your login, for example by sending a code to your phone for you to enter. Of course, users can often turn much of this off, and they do. Security seems annoying until you’re reading an article about how your bank got attacked and you’re wondering if your account was on the list of the exploited.
Users are the weakest links in online banking
The weakest links in the security of online banking tend to be the users. This is true of most technology. Users choose poor passwords because they can’t recall them. Users decide to use the same username and password combination to secure their online bank account and their online cat food ordering account. When the bad guys break the poor security at the pet shop, they now have the keys to your bank account. Even with these poor choices, users are still very well protected. Bad guys stealing money online will never really become the user’s problem. Insurance will get them their cash back and the bank is left with the higher premiums in the end.
Let’s face it, even if you are worried about the security of online banking, you are highly unlikely to revert to purely in-branch banking; it’s simply not practical. However, at least try to keep good online hygiene so you can sleep slightly better at night.
Jonathan Sander, VP of Product Strategy at Lieberman Software