Saturday, 29 August 2009

How safe is your online bank?

When Which? Computing asked me to help evaluate online banking services, I expected to find very similar results amongst the ten banks they selected. However, as their press release says, there were some pretty big differences. Although we only looked at the visible security measures in place, some banks appeared to offer little to help defend against simple keyloggers.

I know that there are some sophisticated banking Trojans around, using man-in-the-browser attacks, but surely that's not an excuse to ignore defending against simpler malware and physical keyloggers?

Obviously banks need to balance good security against usability, being concerned that consumers may be put off by complex authentication processes. But with the vast increase in the number of Trojans, and more and more people using public WiFi and shared computers, Barclays' approach of using a PINsentry device seems like the most secure option.

2 comments:

Vik said...

I agree, hardware and software key loggers are a lot more prevalent, as are rogue hotspots. It appears that the institutions want you to authenticate but do not do the same in return.

There are numerous solutions bubbling under the surface, but it will take a huge rise in identity theft/crime or a couple of high-profile cases before hard dollars are spent.

Brian Honan said...

Putting in the appropriate security measures at the moment is probably more expensive than dealing with the current level of fraud. Until the volume of online fraud becomes so high the banks cannot ignore it, they will continue to provide the "least cost" to the bank options.

If we look back in history it wasn't until armed robberies against banks became so common that they installed the security measures that are currently in place.

At the end of the day, banks are there to make money, which does not necessarily translate into protecting your money.