jarledb
#1302386 12-May-2015 00:50

dafman: 
For your own peace of mind, fair call - however, not required. For eg. Kiwibank don't offer extra token facility (as far as I am aware). Therefore, provided you abide by their terms and conditions in using internet banking, your funds are safe.


Even if you end up not loosing money, having your bank account emptied out and (possibly) no access to funds for a while will be a major inconvenience.

A system where you only use a password will be vulnerable in several ways.

1) Man in the middle. If you are on a network where someone can fake being your site, they will get your login and they are in.
2) Weak passwords. If they can easily guess your password, they are in.
3) Reused password. If they hack another site and find your password, they are in.
4) Phishing. If they trick you to try to log in through their site, they have your password and they are in.

That's not even good enough security for my email, let alone where I keep my money. If a bank is stupid enough to not secure their customers better than that, then what else kind of stupidity are they up to?










PenultimateHop
#1302399 12-May-2015 03:00

I've been using internet banking for 15 or so years with no problems. I travel extensively, and am regularly on untrusted networks so I only connect to banking services over a trusted VPN, which has the added bonus of ensuring my banks only see connections coming from a single source address (which, when it changed due to a new tunnel, caused one bank to call me). 

2FA is great, although can be frustrating when SMS delivered and dealing with unreliable/slow SMS while roaming. I prefer real tokens.

I will echo that yes, many banks do still send legitimate emails with links in them. ASB sharetrading and investment certainly does this, and so do others within NZ and elsewhere. It's bad practice for sure.

 

Also +1 to the comment about banks that don't deliver the primary site over TLS; leading to potential MITM attacks. Shocking that this is still happening.

RUKI
#1302438 12-May-2015 08:12

One may be using online banking for years and tell everyone else it is OK.
What they will not tell you is that they have a mortgage, hire purchased goods, student loan, you name it. They owe tons of money and their account is constantly in debt.
Point is - they have absolutely nothing to loose. Their passwords have likely been hacked ages ago and their accounts are monitored from time to time to see if they have earned enough to be a target...
Would be interesting to hear something like: they have $10M in their account, check that it is still there regularly via "secure" online banking and it is still there - all those years!



linw
#1302440 12-May-2015 08:21

That's two now. Guys, 'lose' and 'loose' are not interchangeable. You lose money not loose money.

dafman
#1302485 12-May-2015 09:21

PenultimateHop:
I will echo that yes, many banks do still send legitimate emails with links in them. ASB sharetrading and investment certainly does this, and so do others within NZ and elsewhere. It's bad practice for sure.


Links to services announcements, or adverts, but banks will NEVER send you an email with a direct link to your internet banking logon or account details.

MikeB4
#1302489 12-May-2015 09:25

linw: That's two now. Guys, 'lose' and 'loose' are not interchangeable. You lose money not loose money.


This is not an English tuition Forum

MikeB4
#1302495 12-May-2015 09:28

I probably had more problems with old school banking and transaction methods, e.g. cheques that never turn up or bounce. ATMs that for no reason take your card and not return it or the incorrect money given or recorded. Bank Tellers making entry mistakes or miscounting.

 
 
 

PenultimateHop
#1302499 12-May-2015 09:32

dafman:
PenultimateHop:
I will echo that yes, many banks do still send legitimate emails with links in them. ASB sharetrading and investment certainly does this, and so do others within NZ and elsewhere. It's bad practice for sure.


Links to services announcements, or adverts, but banks will NEVER send you an email with a direct link to your internet banking logon or account details.

The former encourages bad habits for the latter by the consumer. Why is one link worse to click on than another?

And while I don't doubt your global authority on what banks will NEVER do, I can assure you several of my non-NZ banks have done precisely what you say NEVER happens, and I am fairly sure at least one NZ (or possibly Australian) bank has done it too in the past.

  #1302621 12-May-2015 11:13

RUKI: One may be using online banking for years and tell everyone else it is OK.
What they will not tell you is that they have a mortgage, hire purchased goods, student loan, you name it. They owe tons of money and their account is constantly in debt.
Point is - they have absolutely nothing to loose. Their passwords have likely been hacked ages ago and their accounts are monitored from time to time to see if they have earned enough to be a target...
Would be interesting to hear something like: they have $10M in their account, check that it is still there regularly via "secure" online banking and it is still there - all those years!



That's a pretty ignorant comment.

I have a mortgage, HP etc...and our accounts usually have several thousand dollars 'credit' as we pay our bills once per month. We have plenty to lose if someone hacked our account.

Whether it's $10K or $10M it matters to the people whose money it is.





mdf
#1302676 12-May-2015 12:30

Internet banking is no less safe than any other form of "physically not present" banking transaction (e.g. EFTPOS card, phone banking, cheques). In some cases, it is actually much more safe.

That said, this isn't actually very safe at all from a technical and legal perspective. Practically, you're probably fine, but given it's Geekzone, let's go for the nitty gritty perspective.

Take a simple everyday account that has $1,000 in it. The bank is in debt to you for $1,000. In order for the bank to do anything with your money, it requires your instruction (your "mandate"). So to withdraw $100, you have to provide a mandate to the bank to exchange $100 cash for a reduction in the debt to $900.

Your banking terms and conditions will always include the following (see parts 6-8 of the Code of Banking Practice):

(1)  the bank is entitled to assume that you have provided a mandate in a wide variety of situations, including by way of card plus PIN, or internet banking log on and password (and in some cases, a second factor authentication)
(2) you are obliged to pick a good PIN, password etc., keep it secret, and make sure your computer/virus software is up to date etc.

From the banks' perspective, any transaction authorised by your card plus PIN, or internet banking log on and password is either:

(a) made by you (i.e. you've provided the bank mandate)
(b) made by someone else using your PIN and password (i.e. no mandate, so the bank isn't actually entitled to debit your account)

There are two ways (b) can occur:

First, you've told someone else your PIN and password - but the only way for that to happen is if you have breached your obligations under (2) above - e.g. you've told someone, not been careful enough when entering your PIN and been shoulder surfed, clicked on a phishing link etc.

Second, the bank's told someone else your PIN and password. But no, that can't be, because the banks use "secure" systems.

So from the bank's perspective, either you've authorised a transaction or you've been negligent/breached your terms and conditions by not picking a good password or not keeping it secret. So the bank doesn't have to pay you squat. Unless you're a good customer in which case they might make an ex gratia payment. I'm not making this up.

But what are the "secure" systems the bank actually uses? No-one really knows the detail of the back ends ("security reasons"), but you often see reference to things like "secure 256-bit encryption" and "check for the padlock on your browser". This is actually SSH, which uses asymmetric/public key cryptography. SSH is very good at a couple of things:

- knowing that the person on the other end of the internet connection is who they say they are (i.e. the website you are entering your private details into is actually the bank)
- keeping communications secure in transit (though for speed reasons, this is usually downgraded to shared key cryptography once the initial session has been initiated)

SSH does *nothing* to ensure that you are who you say you are. This is just a log on and password.

As for ATMs and PINs, the security is awful

But as I said at the outset, so long as you're careful you're probably fine. And if you do get stung with an unauthorised transaction, raise merry hell until the bank agrees to pay out.

--//--

Letters, numbers and bullets. All in one post. That has to be a bad thing.

andrew027
#1304621 13-May-2015 15:59

mdf: (1)  the bank is entitled to assume that you have provided a mandate in a wide variety of situations, including by way of card plus PIN, or internet banking log on and password (and in some cases, a second factor authentication)
(2) you are obliged to pick a good PIN, password etc., keep it secret, and make sure your computer/virus software is up to date etc.

From the banks' perspective, any transaction authorised by your card plus PIN, or internet banking log on and password is either:

(a) made by you (i.e. you've provided the bank mandate)
(b) made by someone else using your PIN and password (i.e. no mandate, so the bank isn't actually entitled to debit your account)

There are two ways (b) can occur:

First, you've told someone else your PIN and password - but the only way for that to happen is if you have breached your obligations under (2) above - e.g. you've told someone, not been careful enough when entering your PIN and been shoulder surfed, clicked on a phishing link etc.

Second, the bank's told someone else your PIN and password. But no, that can't be, because the banks use "secure" systems.

Or your card was skimmed, which is sometimes very difficult for the card holder to detect.

frankv
#1304635 13-May-2015 16:31

mdf: Internet banking is no less safe than any other form of "physically not present" banking transaction (e.g. EFTPOS card, phone banking, cheques). In some cases, it is actually much more safe.


Agreed... Banks are *much* more concerned about fraud done by bank employees than by third parties. That is where the big risk is.


ObidiahSlope
#1304681 13-May-2015 17:29

johnr: and don't fall for emails saying ' click here to reset your banking password '


I always do, if it is an American bank I tell them my login is JohnDillinger and if an Australian bank I tell them NedKelly.




Obsequious hypocrite

richms
#1304710 13-May-2015 17:59

Except those links are also good places to put any zero day exploits they know about as well. So no, clicking them and putting BS details isn't a good idea.




Richard rich.ms

RUKI
#1304919 14-May-2015 09:31

.... Here are some tips that I like to share with you:...

 

  • Make a strong password with special characters
  • Change password after some time period
  • Don't share your password


 

Well, online banking only starts at your fingertips. Transaction is undertaking a long journey.

 

How confident are you that what you plug into your laptop does not have exploits already? - e.g. USB flash card, USB cooler pad, external hard drive, web cam, etc.

 

It is behind firewall already and any of your anti-whatever tool treats that with less scrutiny if looks at it at all ....

Your smart phone has few free apps you've downloaded – how confident are you that the only reason they are free is that the fishing has already started and you are on the hook? You don’t have access to the source code, right?

 

What you are suggesting about password is like "when start your car - make sure you've fastened your seat belt and you'll be safe".

Yeah right, you can't see what is happening around the corner or inside the gearbox or perhaps there is a nail already in the tyre or the road conditions along your journey are about to get nasty or the airbag is one of those dodgy ones which can explode and kill.

Do not be naive in thinking a password is your solution. It is no safer than using your seatbelt if I may use that analogy.

 

Password is like the tie on the hotel room door – it is the polite message for honest people – “do not disturb, please”

 

100% to avoid a car accident is not to drive the car at all.

 

100% to avoid money being stolen (when you have enough for crooks to be bothered) is to not use online banking.
