There are some inherent risks associated with using any online service, but nowhere are the stakes higher than in the world of Internet banking. Make a simple security slip up and there’s a chance that the wrong person could get their hands on your login details – or worse, your transaction authentication number (TAN) – and potentially empty your account from anywhere in the world.
Read on to get more insight into how Internet banking attacks work and what you can do to keep your hard-earned dollars safe.
How do Internet banking attacks work?
Criminals typically carry out Internet banking attacks by stealing your login credentials and using them to withdraw your funds or make online purchases. The exact method of attack can vary, but usually involves the use of social engineering or malicious software (or some combination thereof). Here are some of the most common types of online banking attacks:
Phishing remains one of the most common attack vectors. With this type of threat, attackers send out bogus emails that resemble secure messages from legitimate banks. The email usually includes a link to a spoof website that looks more or less indistinguishable from the real deal. When you enter your login details on the site, you’re inadvertently sending your most confidential login credentials directly into the hands of the bad guys. Alternatively, the email may include an attachment that appears to be an important document. When opened, the attachment installs malicious software on your system.
“Man-in-the-middle” (aka MITM) means that the communication between two partners has been intercepted. This makes it possible for cybercriminals who can successfully impersonate each endpoint (in this case, you and your bank) to not only eavesdrop on your communications but also manipulate the conversation for their own nefarious purposes. For instance, you might think that you’re communicating directly with your bank over a private connection, but the messages are actually being sent and received by the attacker. In the case of “man in the browser” attacks, the attack is performed directly in your browser. In this scenario, SSL encryption, which is designed to protect you from conventional “man in the middle” attacks, is ineffective.
Malware designed to steal banking credentials, such as bankers and infostealers, usually inject themselves into running browser processes and thus gains full control. This means that banking malware not only knows which websites you open and exactly what you are doing on these sites – including all user details and passwords that you type in – but is also able to manipulate the website displayed, without your knowledge.
This is particularly harmful to you as a victim if transfers you make are manipulated and redirected to other accounts. Even existing forms on bank websites can be subtly modified so that more than one TAN can be requested. These TANs and the copied login details enable the criminals to gain full control of your account. Some infamous examples of banking malware include:
- Zeus: a trojan that recruits infected machines into an enormous botnet, and uses website monitoring and keylogging to steal banking credentials.
- Qakbot: created by hacker collective Mealybug, Qakbot incorporates worm characteristics to spread and is designed to collect banking credentials.
- Ramnit: a file infector that spreads mostly through removable drives. It collects a variety of login details, including those belonging to online banking.
How to protect your bank account
1. Be wary of your emails
Phishing is such an effective attack vector because it exploits natural human weaknesses. Combat phishing by staying hyper-vigilant when checking your emails. Be wary of any links included in your emails, avoid opening attachments unless absolutely necessary, and remember that a legitimate bank will never ask for your complete password, TAN, PIN or other credentials.
2. Use two-factor authentication (2FA)
2FA provides an extra layer of security by requiring you to input a unique code in addition to your regular username and password. Many banks these days offer 2FA in the form of a small device, which generates a new code that you need to enter every time you log in. Be aware that text messaging 2FA is not a foolproof solution and can be hijacked relatively easily.
3. Keep your software up to date
Many attacks rely on exploiting security flaws in a piece of software. To fix these vulnerabilities, developers release updates that bolster the security of their application. Minimise the risk of becoming a victim of a banking attack by always keeping your software up to date and enabling automatic updates where possible.
4. Don’t enter sensitive information while on public Wi-Fi
Public Wi-Fi has become increasingly accessible in recent years, but that doesn’t mean it should be trusted. Many public Wi-Fi networks are unencrypted and unsecured, and those who connect to them are easy prey for man-in-the-middle attacks. In addition, there’s little way of knowing if you’re actually connecting to a rogue hotspot (a free public network established by an attacker to gain access to your personal information). Never input your banking credentials on public Wi-Fi; instead, wait until you get home to your private network, use your cellular data network, or invest in a VPN service.
5. Enable account notifications
Many banks give you the option to enable notifications that will alert you when certain activities take place on your account. For instance, you could set this up to receive a text if a certain amount of money is withdrawn or the funds in your account reach a specified threshold. Account notifications won’t actively prevent banking attacks, but they can help you quickly detect suspicious activity and give you a headstart on stopping the attack.
6. Choose a good password
Attackers don’t always steal your banking password – sometimes they guess it. You can reduce the risk of brute force attacks, dictionary attacks, and simple guess attacks by choosing a long, unique and random password. Check out our previous blog post for more information on creating and storing good passwords.
7. Be mindful of mobile attacks
It’s important to remember that mobile devices are not immune to malware and other types of banking attacks. With this in mind, always use your bank’s mobile app, as apps tend to be more secure than mobile browsers. Mobile devices are also more susceptible to theft than PCs, so be sure to secure your device with a password, PIN or fingerprint to make it more difficult for thieves to access your data. For the ultimate layer of security, consider investing in proven mobile security software.
8. Invest in reliable anti-malware software
Last but not least, one of the most effective ways of protecting your bank account from digital attacks is to invest in reliable antivirus and anti-malware software. A good product will be able to identify potential threats and stop them long before they can make any changes to your system that could endanger your banking credentials and other sensitive information. For a lightweight solution that provides a high level of protection against both known and unknown threats, feel free to contact us at South West ComputAble to talk about Emsisoft Anti-Malware.