Discussion in 'other security issues & news' started by Hans 01, Oct 14, 2004.

  Hans 01

    Oct 16, 2003
    Apologies if this is "old hat". I tried to search for other posts but found nothing.

    I deal with 3 different banks -
    1 "Secure" web page and PIN.
    2 "Secure" web page and use-once-only PIN from a scratch-it card supplied by the bank, i.e. scratch to find a new PIN for each web page visit.
    3 "Secure" web page and "digipass", which is some sort of electronic gizmo they supply to generate safe internet banking. Don't know how it works (yet).

    Due to the existence of keyloggers, I don't use internet banking for bank 1 anymore - strictly by phone now.
    The bank 2 system seems reasonably safe (to me anyway).
    I haven't received the digipass yet, so I can't comment.

    Would appreciate comments & recommendations.
    / H
  tuatara

    Apr 7, 2004
    Hi/hoi Hans,

    A secure webpage is only useful to be sure that no one can sniff the connection.
    1) Everybody can set up an SSL server, so you still have to be sure that
    the host you're communicating with is the correct one.
    There are several ways to lure you to a fake bank website with HTTPS/SSL,
    so the little lock in your browser doesn't mean you are sending data to your bank.

    2) In most cases, it is possible to view the data of your bank account with only
    a username and password (or PIN).
    So if this is stolen (keylogger/trojan etc.), it is possible that others can see (VIEW) what is in your bank account.

    3) If someone else wants to make a transaction or a payment with your bank account it will be a bit least, for the banks I've worked for.. :D

    First of all they have to know your bank, bank account, username and password or PIN, but they also need a key for each transaction, which is sent to you on paper (scratch card) or is generated with a randomreader/digipass or a tool like that.
    That is all a little bit more difficult; these keys are used only once, so a keylogger
    or a sniffer that can also decrypt your SSL connection won't help here.

    If someone breaks into your house and steals your PC and all the items you need
    for a bank transaction, it can be done, so you must keep those tools
    (Randomreader/Digipass/Scratchcard etc.) far away from your PC.
    And you better don't store in your browser files etc.

    Some randomreaders also need a bankcard to activate them.

    There were some problems in the past with persons who were making bank payments on the office LAN etc.; that is of course not very clever
    (regarding their privacy).

    In most cases your bank can give you more info on how to
    prevent any problems with the above.

    Personally I use a very simple PC that is set up for bank transactions only.
    It is a FreeBSD PC with a very good firewall and security tools, up-rev with patches, has a Mozilla browser, and is powered up only for updates and banking.
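
An added example, not part of the thread and not any bank's code: a minimal server-side check for the use-once transaction codes discussed above, showing why a code captured by a keylogger is worthless once it has been spent. The class name, in-order consumption, the lockout threshold and the sample codes are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class ScratchCard:
    """Server-side record of one customer's use-once codes (hypothetical model)."""

    def __init__(self, codes, max_failures=3):
        # Keep only keyed hashes, in card order; the plaintext lives on paper.
        self._key = secrets.token_bytes(16)
        self._pending = [self._digest(c) for c in codes]
        self._failures = 0
        self._max_failures = max_failures  # assumed lockout threshold

    def _digest(self, code):
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def authorize(self, code):
        """Accept only the next unused code and consume it on success."""
        if self._failures >= self._max_failures or not self._pending:
            return False  # card locked after repeated guesses, or used up
        # Constant-time comparison avoids leaking how much of a guess matched.
        if hmac.compare_digest(self._digest(code), self._pending[0]):
            self._pending.pop(0)  # spent: a captured copy no longer matches
            self._failures = 0
            return True
        self._failures += 1
        return False


def demo():
    # Constructed sample codes, standing in for the printed scratch card.
    codes = ["481920", "073355", "662104"]
    card = ScratchCard(codes)
    first_use = card.authorize(codes[0])  # customer signs a transaction
    replay = card.authorize(codes[0])     # same code replayed after capture
    next_use = card.authorize(codes[1])   # customer's next transaction
    return first_use, replay, next_use


if __name__ == "__main__":
    print(demo())
```

The replay is refused because the server has already moved on to the next code, while the static username and PIN from option 1 would be accepted every time they are replayed.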
