Online banking makes paying bills and transferring money easy and fast.  But are you sure that you are protecting yourself and your money?  What would you do in the “real world”?  First, you would want to make sure you were really at the bank, and that it is open.  You would want to hand your checks and money to an official teller and get receipts of all of your transactions.  In addition, you would probably get fairly suspicious if someone were looking over your shoulder or if you had to conduct your business through a third party (not someone who works for the bank).  You would be wise to ensure that your records were accurate and that no one was stealing your signature or banking documents.

If we are going to take advantage of the benefits of online banking, we need to translate those practices into the virtual world.  First, you should have a unique and strong password for your banking account.  If you are not sure how to get a strong password, look at my previous post on the topic.  Second, you should avoid using a public computer for your online banking because it might have software installed to log your keystrokes or to remember your passwords without your permission.  Third, you should keep information about your account and password secret.  Fourth, of course, you should always be running up-to-date virus protection and malware protection to ensure that your computer is doing what you intend.  Your bank may have additional software and/or devices that provide additional security for your transaction.  Fifth, you must update your operating system and browser as recommended, especially if you use Windows and/or Internet Explorer.  Both products have features that are often

Even if you follow safe computing practices, you may still be at risk from a new kind of trojan (similar to a virus), called a “Man-in-the-Browser” (or MitB) trojan, that might have infected your computer.  The trojan is a piece of software that does not install itself on your computer, but rather installs itself as an add-on program within your browser, without your knowledge.  The MitB then alters what the user and the bank see during the transaction.  So, for example, the bank does not get correct information about how much money to pay a vendor, and you do not see how much money was actually reported.  In fact, it might transfer money to another account and you might not be aware that it happened.

Your virus protection examines all of the software on your computer by comparing it to known problems or peculiar behavior.  Just as police officers use fingerprints and now DNA samples to compare to evidence at the scene of a crime, your virus protection compares strings of computer programs to those known to be viruses, malware and trojans.  If those do not identify the perpetrator of the crime, the police look for people who are behaving strangely.  Likewise, the virus protection examines programs for unusual activities, like replicating themselves, growing quickly, or accessing a number of services on the computer.  Generally these strategies work well.  However, MitB trojans are particularly difficult to detect since they change their appearance and behavior tens of thousands of times each day.  A particularly good (and easy to understand) description of this phenomenon was aired on BBC News.  Since they are hard to detect, it might take some time before your virus protection understands that there is a problem, and by then it might be too late.
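The two checks described above, as an added Python example (not code from any real antivirus product); the signature bytes, event records and thresholds are all constructed for illustration.  It shows a known sample caught by its signature, a changed copy caught only by its behavior, and a changed copy that behaves quietly and is missed by both.

```python
# Constructed signature database: placeholder bytes, not real malware.
SIGNATURES = {"Demo.Trojan.A": b"\x90\x90DEMO-PAYLOAD-ROUTINE\xcc"}

# Assumed thresholds for the behavior checks (illustrative values).
MAX_GROWTH_BYTES_PER_MIN = 1_000_000
MAX_DISTINCT_SERVICES = 3

def signature_scan(program_bytes):
    """Fingerprint check: names of known byte strings found in the program."""
    return [name for name, sig in SIGNATURES.items() if sig in program_bytes]

def behavior_scan(events):
    """Heuristic check over observed events; returns why they look unusual."""
    reasons = []
    if any(e["action"] == "copy_self" for e in events):
        reasons.append("replicates itself")
    growth = sum(e["bytes"] for e in events if e["action"] == "grow")
    minutes = max((e["minute"] for e in events), default=0) + 1
    if growth / minutes > MAX_GROWTH_BYTES_PER_MIN:
        reasons.append("grows quickly")
    services = {e["service"] for e in events if e["action"] == "use_service"}
    if len(services) > MAX_DISTINCT_SERVICES:
        reasons.append("accesses many services")
    return reasons

def scan(program_bytes, events):
    """Signature first, behavior second, in the order the paragraph gives."""
    hits = signature_scan(program_bytes)
    if hits:
        return ("signature", hits)
    reasons = behavior_scan(events)
    return ("behavior", reasons) if reasons else ("clean", [])

# Constructed samples: a known program and a copy whose bytes all differ.
known = b"HEADER" + SIGNATURES["Demo.Trojan.A"] + b"TRAILER"
variant = bytes(b ^ 0x5A for b in known)  # stand-in for a changed appearance
noisy = [
    {"action": "copy_self", "minute": 0},
    {"action": "grow", "bytes": 5_000_000, "minute": 1},
    *[{"action": "use_service", "service": s, "minute": 2}
      for s in ("dns", "http", "smtp", "ftp")],
]
quiet = [{"action": "use_service", "service": "http", "minute": 0}]

if __name__ == "__main__":
    for label, data, events in [("known", known, quiet),
                                ("variant, noisy", variant, noisy),
                                ("variant, quiet", variant, quiet)]:
        print(label, "->", scan(data, events))
```

The last case is the one the paragraph warns about: once both the bytes and the behavior have changed, neither check fires until the signature list or the heuristics are updated.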

There are some warning signs for this kind of problem.

  • If it takes your computer longer to process requests
  • If your financial transactions take longer than normal
  • If you are asked for more information than normal during your financial transaction, especially if you are asked for passwords or sensitive information such as social security numbers.

What do you do if you experience one or more of those symptoms?  You should call your bank as soon as possible and give them the date and time of the transaction.  Do not email your bank because the same software that interferes with your financial transaction may interfere with the sending of the mail.  Your bank may have monitoring software that catches and disallows unusual transactions to protect you, so you may not have a problem.  If you do, you will need to rely upon your bank’s policy as to how much you are responsible for.