I have an agreement with my bank that I can view my checking account activity on line, provided I log in with the proper info. If I no longer want to have access to that account, and I inform the bank of that, will it still be available for, say, some hacker to look at? In other words, if I don’t want my banking information to be available on line, will it still be there anyway?
Your banking data resides on a server controlled by your financial institution. If they are hacked successfully your financial information would become available whether you accessed that information or not.
Take for example the hacking of Target. I don’t have an account at Target, but I have shopped their physically. When Target was hacked, the hackers got access to credit card numbers of all of their customers, because that information was maintained on Target’s servers.
I think that what the OP is getting at is the idea that the info about his account, to which he has access, is somehow disconnected from his actual account, and by telling his bank that he no longer needs that access, it will be removed. Rather like it used to be with branch accounts, which only updated during the night.
As I understand it, what I see when I log into my account, is the actual data that is stored by them. This is why it can be so difficult to undo a mistake (as I found out when I transferred some money to the wrong person).
My wife doesn’t trust online banking and refuses to set up online access for our bank accounts. Is it feasible that a hacker could get online access to our account? If they siphon off all our money, would we then have to prove that it wasn’t us that did so?
Or, more likely, CC wants to make it impossible for someone to access his/her bank accounts by guessing the login details.
I’m in the boat with you on this one. I refuse to setup online banking for the same reasons. 25 years working in the computer field. I know all to well what hackers are capable of. All it takes is a keylogger. There’s dozens of other hacks too.
The only way I’d trust online banking is with a dedicated pc. Brand new and fresh from the box. a cheap $400 Walmart PC is fine for this task) Never turn it on except for banking and then turned off. ** No web surfing ever.* Another tip is to shutdown other pc’s in your home network before starting the banking pc. Otherwise a infected pc in the network can attack the banking pc.
Anybody who hacks into the bank itself, has access to everything that the bank has not specifically protected.
If you have never set up online banking with your bank, then there is no username that is associated with your personal account information, and therefore, there is no conduit through which anyone can access it specifically, as opposed to the entirety of the banks accounting. Every mathematically possible group of keystrokes would still not access your account, because no set of keystrokes has been associated with access to your account.
However, once you have made the first move of establishing online banking, it is possible that the bank does not have the power to render that a null access, and may just tell you to assign random codes and forget them. But absent any directive to the contrary, the access information can still be recovered through the lost-password machinery. That may be the gist of your question, and the answer may lie in the bank’s internal policy about how to deal with that.
It is also possible that the bank has assigned random codes to your account right off, and when you establish online banking, you just change the random codes to your choice of username and password. That would be easier for the bank’s webmaster to handle, because then every account has the same structure.
I hope that by working in the computer field, you mean driving a truck delivering computers or something similar. Correct me if I am wrong, but how the hell are you going to do any online banking without using a web browser and, you know, using the WEB?
All of you who are to scared to trust your money on the internet are being either ignorant or paranoid. For reasons stated above, your data is already out there for any willing cyber-criminal to access, unless you keep your money in your mattress. I understand risk mitigation and all that, so if you don’t want to use online banking to be more secure, go for it. But don’t think that you are on either extreme of the secure scale by using or not using online banking services.
Banks deal with fraud daily. If you see a transaction that looks suspicious, inform the bank. The transaction will be flagged and all will be right. My bank just called me the other day and apparently someone was using my debit card number. Transactions were denied, new card was ordered, no big deal.
Almost forgot, shut off the DSL modem and router. Restart that clears out the routing tables.
So, 1. shut off all the home pc’s, restart the DSL and router, then start the banking PC.
Paranoid? You bet. You have to be with any device that touches the Internet.
Of course you have to use a Browser for online banking. You do not and should not web surf. I’d carefully type the banks URL into the address field. Make the bank the home page. That limits browsing activity to a minimum.
Securing the pc at home is only half the job. As others pointed out the bank can get hacked too. But, it’s more likely to be detected by the Bank’s network security. The bigger risk in my opinion is the home pc. Norton and McAffee’s scans give a false since of security. Even Malware Bytes misses stuff. Scans are the first line of defense but not infallible.
I originally was trying to ask if the information is out there, even if I delete my connection to it by eliminating my access to the account, asking the bank to no longer let me log in, or some other method of nullifying the on-line relationship. I understand that my computer is vulnerable. My question is about the notion that there is a web page someplace (the bank’s server?) that shows my checking account. Does that exist absent my requesting access to it?
Actually I figure by going on line and looking at my bank balance daily I eliminate risk because I catch problems immediately. It’s nicer than being paranoid.
Does anyone know anyone whose bank account has been hacked on line? The only person I know who lost money out of a bank account had their new checks stolen out of their mailbox. She caught it because she was checking her account on line…
ETA: your account does not live “on a web page”; it lives on a server. Which can be accessed from the web. This exists at the bank without you doing anything.
No offense but you sound like some of the banks did in the very early days of PC banking. Some simply refused to allow access over the Internet, so the only way to do PC banking was over a dialup modem. Further back, there was a time for many banks when TCP/IP itself would never have been used in any banking application even on an internal network; if it wasn’t SNA, it wasn’t secure! Banks eventually caught up to the 20th century, and then the 21st. 
I suppose it depends on the bank’s specific implementation and policies, but in my experience all it takes to create an online access account if one doesn’t already exist is some basic information and your bank card or debit card number. It’s undoubtedly harder for a hacker to create an online account than to hack into one that already exists, but perhaps not much. The information that you’re accessing is really not fundamentally different than what the bank teller is accessing through the bank’s internal network, though it’s usually hosted differently and certainly firewalled differently. It’s somewhat like when you call an automated system to get your credit card balance and other info – you’re talking to a front-end IVR with limited functionality but it actually has direct access to the backend credit card system. And that system is always there, whether you choose to use it or not.
Of course it’s feasible. Imagine the hackers have a profile of your wife, obtainable on the black market for less than a dollar. They set up an account at the bank with their own email and obtain access.
Is it probable though? I don’t know: it depends. Presumably the bank will send a letter to your home address stating that an online account was opened. Or not: I dunno. Feasibility is easier to answer than probability. I do have the distinct sense that some banks have better security procedures than others.
I don’t know the details, but I gather from Brian Krebs that individuals have better protections than small businesses: the latter can and do lose hundreds of thousands of dollars at a time from cyberattacks originating in Russia and the Ukraine.
I’m guessing that an individual would be made whole if attacked in the manner described by Carlarm. (In fact I would think that a business would be protected as well, given that they had never signed any online contracts under this scenario.)
Warning: To fully answer your question, you’ll need to understand some details of how web sites work that’s only relevant and useful to people who do this stuff for a living. That being said, here goes:
There isn’t a webpage anywhere that contains your specific account details. Everybody uses the same information and login pages (just like each customer can use the same bank teller). However, the section (of the page) that shows your data is actually just a script that:
[ol]
[li]Checks with the banks server to ensure your web browser is authorized to access that information at this point in time (i.e. that the person using the computer right now is authorized to access the account). [/li][li]queries the banks database* for your information[/li][li]formats the information received from the database and displays it according to a standard template it’s already received as part of the page[/li][/ol]
Needless to say, banks spend the most effort on the authorization and data integrity (to ensure you’re not receiving somebody elses’s data) portions of the infrastructure. That’s the most sensitive part of the process, and the other stuff is fairly easy (it’s the same sort of stuff done by most websites in every industry).
*
- there’s a lot of detail to this step involving cookies, key exchanges, authorization tokens and such, but basically, once you’ve proved you’re a valid user, you get a key that grants you temporary access to the appropriate information
** This is effectively the same database bank tellers and ATM’s use for their activities.*
I do do this kind of stuff for a living. Not with consumer online banking itself, but in similar endeavors. The information above is correct.
Your data might live temporarily on a webserver as a part of its transferring the data down to you, but your data really lives on a day-to-day basis on a server somewhere else, probably either at Corporate HQ or a professional Data Center/Co-location provider.
It may be possible for a hacker to gain control of the webserver and use that access to compromise your account by using the website as an intermediary to mount attacks on the main account server, even if you don’t have online banking enabled. There are security steps that the bank can do to help prevent this - they are almost certainly not going to tell you what specific steps they have or have not taken.
Not having online banking can provide some security to you because you won’t have a username and password that can be easily stolen and used to login. But not having online banking isn’t a 100% guarantee of no loss.
Just to add: a large bank will likely have two or more fortified redundant data centers (literally, military-grade fortified) which look like ordinary nondescript office buildings, and this is where the core databases reside. To reiterate what I and others already said, the customer accesses these same facilities just like the bank does internally, the customer through front ends on separate web and IVR platforms, the bank, increasingly, also in separate front end servers supporting web-based thin-client platforms, usually different ones for teller vs. back office functions.
So ultimately the only difference in whether someone has set up online PC banking access or not is whether they’ve created an online account. Not having an online account might offer some modicum of extra security as there is no account password that a keylogger could capture, but that’s about the extent of it. A hacker could still, in theory, easily create his own access account if he had the right information.
They could do it by stealing your identity - for example, somehow convincing the bank that you live at a different address, then corresponding from that address for the signup process for online banking.
But none of that is peculiar to online banking. They could also withdraw money at the counter, perform transfers at branch, or issue checks by stealing your identity, instead.
That is damm good question, and you would hope that your bank did in fact run the internet transaction system on a “only has the data it needs” philosophy.
While the banks do not publish details about their security details (or philosophies) for security reasons…
Correct.
Online banking doesn’t represent a new kind of security vulnerability. It is a vulnerability, but a vulnerability of the same type as carrying your ATM card and checkbook with you (you could get mugged!).