Is online banking safe?

I have decided that I would like to take advantage of my bank’s online services. However, I am concerned at how safe it is to do online banking. I know that there are protection and security features in place, but can I still be vulnerable? Is online banking only for fools, or do I have nothing to worry about? I’d appreciate it if you could share your experiences.

I’ve been using online banking for years. In fact, my current bank, Presidential Bank, is almost a virtual bank - they have a few branch offices, but they’re primarily an Internet bank. (And they pay excellent interest on checking, by the way - currently 2.75%.)

I go online to move funds between my bank and my brokerage, to see if electronic deposits and payments have taken place on time (they always do, as it happens), and so on. I use my bank’s bill payer service for the few obligations where an electronic payment isn’t possible. My credit card, electric bill, gas bill, cell phone bill, mortgage, health club dues, almost everything, are all paid electronically. There are often months in which I don’t ever write a check. A box of 200 checks lasts me for years!

In all the years I’ve been doing things this way, I’ve never had any problem whatsoever. In fact, I’d say that taking care of your finances electronically is considerably safer than relying on pieces of paper and the U.S. mail. Things can’t get stolen from your mailbox, and things don’t get lost in the mail.

What aspect of electronic banking do you believe subjects you to risk?

I would say it’s safe or you would have heard horror stories. It is as safe as writing checks and probably more. I have been doing it for some years and I still have my money (the little I had that is).

I’ve been checking my account and such online for 3 years with no problems. It’s as safe as buying stuff online, I’d say.

I guess that I’m most worried that I could get a virus or a hacker that could somehow get my online banking information (passwords, etc…) and then login, and take all my money. I do have a firewall and anti-virus software. Am I being too paranoid?

I think that the difference for me with worrying about online banking and making purchases online, is that if my credit card info were compromised, I’d have protection against that. With the banking, it would be all of my money that would be compromised, and I’m not sure what sort of protection there could be if all of it were stolen.

I should add, by the way, that not only do my bills get paid electronically, they get paid automatically. In other words, I don’t have to go online each month to issue a payment to, for example, my credit card company. They just electronically draft the amount due from my checking account. Ditto for most of my utility bills. The ones that can’t do the electronic draft, I’ve simply set up as automatic charges to my credit card; since the credit card gets paid automatically every month, that takes care of those bills, as well.

As a result, I can go away on a long trip and not have to worry about things being taken care of at home - it’s all automatic. I’ve never, ever, had a payment get loused up.

I’d say that is an unnecessary worry, but I would suggest you not have your passwords written down in cleartext anywhere. They should be simple enough for you to remember, while not so simple that they can be guessed or are vulnerable to a dictionary attack.

As long as you keep your anti-virus software up-to-date, and have a decent firewall, you’re very safe. Alereon is right, however - it’s a good idea not to store your passwords anywhere but in your head, or in a locked desk drawer (depending, of course, upon your living arrangements). That gives you an extra layer of protection.

Use only your own computer which you keep safe and clean. Do not use computers you don’t know, much less public computers.

Do not store your passwords in your computer (or any sensitive information). The risk may be not so much a hacker but a burglar. My neighbor’s computer was stolen with all their sensitive information.

I keep all my sensitive files encrypted using PGP and I do not keep the PGP keys in the hard disk. If my computer is stolen they will just get a bunch of encrypted files.

I keep passwords and other sensitive information in a Word document which I keep encrypted. I can print it in tiny print and it comes out to the size of twice a credit card which I can then fold in half and keep securely with my credit card. That way I do not have to open the password file every time I need a password. But of course, you have to be sure it will not be stolen.

Over five years for me, and zero problems so far.
Online banking rocks, IMO. I don’t like auto pay, though, so I do manual. The payees have no access to my accounts.
Hey, I’m old. Gimme a break. :wink:

I too have been using online banking and bill paying for years. I love it. It seems banks are getting into the FREE bill paying services. Since very little in life is actually free the banks are making money off the deal. What they do is require up to 5 days before a bill is due. Then on the date you selected to pay the bill they will have a check sent out to the payee. 5 days is normally more than enough time for a check to get where it’s going on time. The bank however debits my account on this date and gets a free float for the amount of time it takes the check to actually be cashed. Since we’re not talking more than a few cents, at most, on the few bills I pay with the service it’s well worth it to me. I had initially used the USPS bill paying service but they charge different monthly fees depending on the plan selected.

About the only added info I can recommend is make sure ALL the account info is included for each bill you will pay. I have an unsubstantiated feeling that a lot of places are not set up to receive these bill payments without the bills you used to send to them with your check. I’ve had some real pains in the butt with Newsweek and Time Life that finally got straightened out. But as I said overall I LOVE it. I even pay my credit card online by making transfers from a savings or checking account to the CC.

One added bit, I use a program called RoboForm that tracks passwords and submits the log on info to web sites seamlessly. It encrypts the data on your hard drive and I’ve decided to save the data on a ZIP disk for a little extra safety. They have a free version and I highly recommend checking it out.

I worked at a Swedish bank’s online department for four and a half years, so I may have some insight. Not all this will be applicable to your bank or even your country, but I think most of it is pretty universal.

First of all, it is impossible (literally) to create perfect security. Can’t be done. What can be done, however, is make the security so good that the rewards for getting in don’t match the effort needed to get there. It takes a lot of work to break security, and if someone can do that, do you really think they’ll go after the account of a private individual such as yourself? Hell no. All banks have big corporate clients that are much more attractive targets for thieves.

Second of all, let’s say a cracker gets in. He gains complete and total access to your online banking account. What can he do? He can move your money around, but his every movement is logged. If he moves all your money to his own account, we know who he is. He can move it to someone else’s, but where’s the point in that? Furthermore, it is the law (at least in Sweden; I believe most developed countries have an equivalent) that a person receiving money must know where it’s coming from or be prepared to pay it back, so he can’t transfer the money to his account and claim he doesn’t know where it comes from. He’ll have to give it back.

Third of all, while all banks (like all other corporations) disavow all responsibility, in practice it’ll be the bank taking the hit rather than you. They do not need the bad PR of computer criminals stealing their customers’ money, so they’ll cover your losses. Confidence is restored and their customers don’t stampede away.

To sum up, it’s safe. Go ahead and join the 21st century.

Yes! This is worth thinking about. “Draining the cash” out of someone’s account is an awful lot harder than it sounds. No matter what scheme you come up with to pull it off, even with all the account info and passwords, it’s pretty tough to figure out a way to do it without leaving a trail that leads right back to you. After all, there’s no way to get a PC in an Internet cafe to spit out a bunch of 20s.

All the cracker could do is transfer your money to another account somewhere, or have the bill payer service cut a check to someone. But it’s virtually impossible to open an account somewhere anonymously, and a mailed check is certainly traceable (who cashed it? who benefited from it?).

Anyone clever enough to figure out a way around this problem ain’t going to waste his time on the accounts of penny-ante folks like us!

The only slight problem I’ve had with online banking is that somehow, someone out there figured out who my bank is. I was sent a very realistic looking e-mail that appeared to be from my bank that asked me to call a certain phone number. There was a misspelled word in the e-mail and also something that was phrased very oddly. I was already suspicious and that confirmed for me that something was wrong. I reported it to my bank and it was definitely a scam. So use common sense and don’t assume that e-mail with your bank logo (or anyone else’s for that matter) on it is legitimate.

I use the HBCI system here in Germany, and I am very confident that no one is going to pass himself off as me and get my money online.

I have a special bank card with an embedded encryption chip. The codes that it uses to encrypt the data are known only to the card and my bank. It does triple DES, so brute force cracking is a bitch. It has its own PIN, and giving it the wrong one three times causes the card to self destruct (data-wise, it doesn’t explode.)

When I do my banking, GnuCash generates the data packets and sends them to the card to be encrypted. The card asks for the PIN, and GnuCash gets that from me and gives it to the card. The card encrypts the data, and GnuCash sends it to the bank along with a clear text (actually a number) that says who I am supposed to be. The bank uses the number to retrieve my keys from their database. These keys are then used to decode my encrypted packets. If the packets don’t decode properly, then I’m not me and the bank refuses the transaction.

To masquerade as me, someone would have to get both my card and my PIN and know my account number. The PIN is on one piece of paper that I’d be hard pressed to find and also in my head, and the card lives in my wallet. Not even the bank knows the PIN.

That, or else crack the packets and determine the keys used and do the encryption themselves.

Ain’t gonna happen.

As a backup system, my bank has what is called a PIN/TAN system. I can use this if my card dies or if I can’t use GnuCash (or other HBCI program) for some reason. The PIN/TAN system goes over a normal https internet page. Here I have a PIN that verifies that I am who I say I am, and a list of transaction numbers (TANs) that can only be used once each - basically a one time pad. Every transaction that involves moving money requires that I use a TAN to authenticate the transaction.

Again, the PIN is on a well hidden piece of paper and in my head, and the TAN list is on another piece of paper that is kept far away from the PIN.

Not likely that anyone will have both, so I’m secure there, too.
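The PIN/TAN scheme described in the post above, sketched from the bank's side as an added example (not part of the original thread and not any bank's actual code): each money-moving order needs the PIN plus a TAN that has never been used, and a replayed TAN is refused. The `TanAccount` class, the three-failure lockout and all PIN/TAN values are assumptions constructed for illustration.

```python
import hmac
import secrets


def issue_tan_list(count: int = 5) -> list[str]:
    """Generate `count` distinct six-digit TANs from a CSPRNG."""
    tans: set[str] = set()
    while len(tans) < count:
        tans.add(f"{secrets.randbelow(10**6):06d}")
    return sorted(tans)


class TanAccount:
    """Bank-side state for one customer (hypothetical model, not a real bank API)."""

    MAX_FAILURES = 3  # assumed lockout threshold

    def __init__(self, pin: str, tans: list[str]):
        self._pin = pin.encode()
        self._unused = {t.encode() for t in tans}
        self.failures = 0
        self.ledger: list[str] = []

    def authorize(self, pin: str, tan: str, order: str) -> str:
        """Approve `order` only for the right PIN plus a never-used TAN."""
        if self.failures >= self.MAX_FAILURES:
            return "locked"
        supplied = tan.encode()
        pin_ok = hmac.compare_digest(self._pin, pin.encode())
        # Check every unused TAN so timing does not depend on which one matched.
        tan_ok = any([hmac.compare_digest(t, supplied) for t in self._unused])
        if not (pin_ok and tan_ok):
            self.failures += 1  # guessing is bounded by the lockout
            return "rejected"
        self._unused.discard(supplied)  # a TAN authorizes one order, then is dead
        self.failures = 0
        self.ledger.append(order)
        return "accepted"


def demo() -> list[str]:
    # Constructed PIN and TAN values for illustration only.
    acct = TanAccount(pin="4821", tans=["103399", "775120", "640018"])
    return [
        acct.authorize("4821", "103399", "transfer 50 EUR"),    # fresh TAN
        acct.authorize("4821", "103399", "transfer 9000 EUR"),  # replayed TAN
        acct.authorize("0000", "775120", "transfer 9000 EUR"),  # wrong PIN
        acct.authorize("4821", "775120", "transfer 20 EUR"),    # still unused
    ]
```

A TAN presented with the wrong PIN is not consumed in this model, so a failed attempt does not burn an entry from the customer's paper list.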

What the others said. I have used online banking since 1988 (at first using Btx, a now-defunct online service), using the PIN/TAN system described by Mort Furd and I have had no security problems. Arguably my money is more secure because I look at my account statements online much more often than I get an account statement on paper, and I can quickly move when something doesn’t look right. (Twice in that period companies did an unauthorized direct debit from my account, a risk not connected to online banking. In one instance the company went bankrupt shortly after, and I could not recover the money, but in the other instance I could quickly instruct the bank to reverse the debit.)

I also have an amount limit in place for online banking orders per order, and an amount limit per day. Just in case. This gets a bit annoying once every one or two years, though, when I pay a big invoice and have to split the payment.

Bear in mind that if you’re a US Doper, the law covering losses in checking account fraud (which is going to be the Uniform Commercial Code) basically says that the entity in the best position to have prevented the fraudulent loss is the entity who is out the money.
The upshot of this is that unless you, let’s say, are particularly careless and reckless with your online banking habits, any successful attacks will be judged to be more closely the bank’s fault than yours.
This being said, try to remember not to tape your PIN and username to let’s say… your PC monitor at work.
Unrelated hijack: If you’re robbed at gunpoint in the US at an ATM machine, and are forced to withdraw cash to give to said robber, the bank actually takes the hit. You can file a police report and fraud report and they’ll have to credit your account.

It depends on your bank account and bank. If you got my login/password, here’s what you could do with it: See the last four digits of my checking account number, my balance, and statement. Ditto for my savings account. I don’t have the Bill Pay set up, so I suppose you could do that, but I think they only send it to certain companies. You could transfer funds between my accounts, but that wouldn’t do you any good. You could send a message to customer service and reorder checks. That’s about it. Not too exciting. You’d do better dumpster diving for old checks.

And I forgot to mention: It’ll probably help you catch fraud sooner than you otherwise would. If you’re logging in to do stuff every few days, my bank shows your current balance right after you log in. So if you’re down $500, you’ll notice it in a few days, go “Huh?!”, then go check it out. At least, that’s how it works for me.