Financial transactions: is telephone safer than PC?

At your bank or credit union, if you want to check account balances or transfer money between savings, checking, and credit-card accounts, which is safer to use:

1–dedicated telephone line;
2–online access from PC.

I’ve assumed that telephone access is safer than PC access because there are so many vulnerabilities and hacker entry points when using a PC.

Is this correct?

Would hacker/thief types spend time trying to intercept data from a telephone line?

Cell phone or land line?

Back when the way to make (expensive) long distance calls was by giving the operator your calling card number, my boss reported the following scenario - at the large bank of phones in a subway station near the financial district, where a lot of people were making their urgent calls in response to pager messages, he saw one fellow using the middle phone in a row of 5 or 6. The guy appeared to be carrying on a conversation and writing in a notebook while people around him were making calls, often long distance. As he walked up to the nearby phone, my boss mentioned - the dial tone was so loud on this guy’s phone he could hear it clearly from the next phone. I wonder how many loud businessmen’s calling card numbers the guy got that day?

The main risk in using a PC is the risk that your PC is infected with an interesting virus that reads your keystrokes or something. (Or you keep the login information in a file or in your Inbox archive.)
If you phone, the same information goes into the same computer system at the bank’s end.
Theoretically, any HTTPS conversation is encrypted at your PC and decrypted at the other end. There are “man-in-the-middle” techniques, but they are relatively sophisticated and hard to pull off.
If you only use the phone, but have a userid and password already set up by the bank, then a breach at the bank could allow someone to use those.
What identification means do you use to prove it’s you doing a transfer on a phone? Very few of us have a personal relationship with the bank call center employees - any ID can easily be spoofed over the phone, and even caller-ID can be spoofed (easily) by VoIP applications.

A chain is only as strong as its weakest link.

“Cell phone or land line?”

I should have specified–land line.

I am not an expert in the security field but I have heard of many cases where a company’s data is compromised by hackers, many cases where a user’s computer is compromised by viruses, but not one case where someone tapped into an online transaction in flight. Statistically you are worrying about the wrong thing. The biggest risk is not having your particular transaction hacked into but having your bank’s database hacked into.

However, to directly address the question, the method of communication over a dedicated phone line is probably more secure than an Internet transaction, because the call path does not pass through nodes that are potentially accessible by the public. You cannot know a priori what nodes the data packets are going to pass through and a determined hacker can easily use a sniffer to pick them up; decrypting them is probably a much bigger challenge. But can you define what you mean by a dedicated phone line?

There are risks that can occur at the endpoints, like the spoofing **md2000** mentions, but I am getting the sense your question is about the security of the physical transmission method, not the overall type of transaction.

A dedicated land line would potentially be safer–depending on how you define the term.

But the method of communication doesn’t really matter when the main security risk is at the bank. Virtually all banks and stores that have had trouble lately have had their main database hacked.

When you say “telephone access via landline”, which of these possibilities are you thinking of:

  1. Use a modem in your PC to dial into the internet and then use your PC’s browser to connect to the bank’s website to do your business.
  2. Call a phone number answered by the bank’s computer voice and then go through the “Press 1 for transfers, 2 for balance inquiries”, etc. process to do your business.
  3. Call a phone number answered by the bank’s human customer services workers and ask them to assist you doing your business?

Different folks above have assumed each of those 3 interpretations.

There’s also the risk that the employee(s) may be the security breach. In that case, bringing your details - account balance, possibly the fact that you do not check balances online, you may be out of the country - are all red flags encouraging the employee to choose your account. Online, your activities are just one of tens of thousands of transactions the bank computer processes daily.

I thought about this possibility when I had to speak my credit card details to the hotel reservation clerk over the phone instead of doing a transaction online. Now a human has all the details (like card security code) for going and making their own purchases, that the computer does not. (Credit card rules forbid merchants from storing the security code - it should be forgotten when the transaction is complete.)

If you mean the online automated answering services - well again, the security of a code of digits 0-9 is a lot easier compromised than a word or jumble of letters, numbers, and punctuation.

This. The human is likely the weakest link. Who answers phones? Minimum-wage transient employees. Who designs online security systems? Embearded industry veterans (ideally).

Less human, less risk. If you can generate a one-time credit card number (a lot of banks do this) or use PayPal, it’s much safer just because it’s much less human.

Skype is encrypted. It is safer than an email.

This:
2) Call a phone number answered by the bank’s computer voice and then go through the “Press 1 for transfers, 2 for balance inquiries”, etc. process to do your business.

I realize one accesses the same database as when using a PC. My question is not about database security; it’s about the relative security of the **connection** for the transaction.

That’s EXACTLY what I thought the OP was asking.

Ditto for paying a bill via a connection from my landline at home to the computer of the company that I’m paying.

OK. Now we’re getting somewhere.

I’m going to say there’s almost no chance bad guys are monitoring that voice-to-computer-to-voice access channel. So the odds of them capturing your particular transaction are very low, much lower than that they might be monitoring the WiFi you’d otherwise be using at Starbucks or whatever. BUT …

Most of those telephone access systems require you to enter an account number and a PIN to authenticate yourself to the system. And the PIN is vastly shorter, simpler, and therefore much more guessable than a typical password.

So the act of you subscribing to the telephone access feature at your bank greatly increases the size of the security hole through which a bad guy could access your account on his own.

On the off chance you’re not asking just about what you can do:

I want to re-iterate that the most likely way for your account to be “hacked” is an attack on the bank’s systems. They’re a much more rewarding target for attackers (hundreds of accounts vs. a small handful from hacking your PC or connection), have systems that are much more complex (more places for possible weakness), and are always handling transactions.

Encrypted data is generally more secure than non-encrypted data. The land line is not encrypted, but any Internet connection to a bank will be.

Yes, it’s easier to catch online data in flight than to wiretap a phone line, but if the encryption is good, catching it in flight won’t matter.

The main problem with online use would be making sure your computer is secure–as keyloggers are more common than wiretaps. Two factor authentication would beat keyloggers, but not if malware is also tracking cookies and everything–unless your bank requires two factor authentication every time you log in.

But you also have the less secure PIN–although I would hope any bank would keep track of the phone numbers you’d normally use it on, and not give you too many attempts before locking your account out. Otherwise, brute-forcing (trying all PINs until one works) would be trivial.

Personally, I trust online banking more. But I also know how to keep a clean computer.
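
Added illustration, not part of any post in this thread and not any bank's actual code: a minimal Python sketch of the PIN-length and lockout points raised above, showing how a per-account failure limit bounds what guessing a 4-digit PIN can achieve. The class `PinGate`, the helper functions, the 3-failure limit and the PIN `7291` are all hypothetical, constructed values.

```python
import hmac


class PinGate:
    """Hypothetical phone-banking PIN check with a per-account failure limit."""

    def __init__(self, pin, max_failures=3):
        self._pin = pin
        self.max_failures = max_failures
        self.failures = 0

    @property
    def locked(self):
        return self.failures >= self.max_failures

    def verify(self, attempt):
        if self.locked:
            return False  # once locked, even the correct PIN is refused
        if hmac.compare_digest(attempt, self._pin):  # constant-time compare
            self.failures = 0
            return True
        self.failures += 1
        return False


def policy_test(gate, digits=4):
    """Try every PIN in order against the gate; return (attempts, succeeded)."""
    for n in range(10 ** digits):
        if gate.verify(f"{n:0{digits}d}"):
            return n + 1, True
        if gate.locked:
            return n + 1, False
    return 10 ** digits, False


def blind_guess_odds(digits, max_failures):
    """Chance that max_failures distinct guesses hit a uniformly random PIN."""
    return max_failures / 10 ** digits


if __name__ == "__main__":
    # Constructed PIN; an effectively unlimited failure budget models "no lockout".
    print("no lockout:", policy_test(PinGate("7291", max_failures=10 ** 9)))
    print("3 failures:", policy_test(PinGate("7291", max_failures=3)))
    print("odds before lockout:", blind_guess_odds(4, 3))
```
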