With more and more people making payments and checking their bank accounts on the Internet nowadays, you’ve got to ask yourself - is online banking safe, actually? After all, cyber threats have been on the rise for some time, and with cybercriminals finding new ways to outsmart security software each day, it’s the kind of thing we need to worry about.
Well, if you’re interested in that topic, we’ve got you covered with all the info you need about Internet banking security in this article.
Online banking is an electronic payment system that lets you make payments using your account or credit card on the web by using your bank’s website or dedicated application. The whole online banking system will either be part of your bank’s core banking system, or will just connect to it.
Online banking is more than just financial transactions, though. It can also represent the act of just logging into your account to check your balance or download statements.
Generally, yes it is. It’s true that banks are very often targeted by cybercriminals, and they sometimes manage to steal a lot of money from them too. However, that’s not exactly the kind of online banking we’re referring to now since hackers aren’t targeting you – the bank client – but the bank itself. Also, there’s not much you can do to prevent that other than picking a reliable bank that takes security very seriously.
With that out of the way, online banking tends to be pretty secure. Of course, that’s only the case if you follow the proper security procedures – something not all banks are willing to talk about. We’ll tell you about Internet banking security tips in a bit, but first – let’s see exactly which security threats can ruin your online banking experience:
Dedicated online banking apps can be pretty secure, but they’re not without their faults. Back in 2017, it was actually discovered that many banking applications had security flaws that would have allowed cybercriminals to steal user data.
Not only that, but hackers can also use seemingly-innocent apps that are actually malicious to compromise the banking apps that are already installed on your device. Basically, the malicious app downloads a secondary app which then inserts an overlay window over your banking apps. The moment you enter your login credentials in your bank’s app, they will be as good as gone.
What’s more, online banking apps don’t just have their fair share of security problems. They can also be impersonated with enough effort. Back in 2018, big-name banks (like SBI, Axis Bank, and ICICI) had their dedicated apps impersonated by cybercriminals who used them to steal data from thousands of people.
We mostly use digital money nowadays instead of just cash, so doing online banking over public WiFi is pretty much second nature to us. Sometimes you just have to access your account on the spot to move some money to your credit card so that you can pay the restaurant bill, right?
That’s when public WiFi really comes in handy, true, but there’s just one problem with using it: Your online banking security can easily be compromised. Why? Because most public WiFi networks aren’t encrypted – in fact, around 24.7% of worldwide WiFi networks (so around 106 million networks by 2020) aren’t secured at all.
What does that mean for you? That any would-be hacker can see everything you do on the Internet when using unsecured public WiFi. They can see the login credentials you enter when accessing your bank account, and what your credit card numbers are.
“Okay so I’ll just use secured networks – like the one I have at home. Problem solved, right?”
Not exactly. Currently, pretty much any secured WiFi network uses WPA2 encryption for security. The problem with that is that WPA2 isn’t exactly foolproof. In fact, it’s vulnerable to a specific type of hacker attack called the KRACK attack. Luckily, WPA3 will fix that problem, but according to sources, it will take years for widespread WPA3 adoption to take place.
Sometimes, it’s not just cybercriminals who make life hard for online banking users. It’s actually the banks themselves. And we’re not just talking about security errors on their behalf, though that kind of stuff belongs here too.
No, what we’re talking about is banks suffering data breaches or losing access to sensitive customer data, and not letting their customers know about them. Yes, that kind of stuff has happened before, and the Australian CBA bank is the latest example, losing around 20 million customer records back in 2016 without alerting anyone about it.
It can be a bit understandable why banks might not immediately notify users about stuff like that. After all, they want to avoid mass panicking and account closures while they fix the problem. However, there’s always a chance something will go wrong again, and that your financial and personal data will be exposed because of human or software error. If it already happened once, it can happen twice.
In situations like that, you end up being kept in the dark without realizing cybercriminals could get access to your financial and personal information any day.
Phishing can be defined as a cybercriminal’s attempt at confusing or tricking you into sharing sensitive information with them, like your credit card numbers, bank account numbers, and online banking login credentials. Phishing normally uses email and social media as distribution channels, but it can also be done over the phone.
When it comes to online banking, scammers behind phishing attacks will sometimes try to pretend they’re someone from your bank, and use their position of authority to get you to disclose various data. They’ll very likely tell you there’s a problem with your finances, or that they noticed suspicious activity on your account.
More often than not, though, they’ll just try to convince you to access a shortened link. Said link will lead to a fake website they set up to resemble your bank’s website. Back in 2017, phishing messages that directed users to bank-related malicious websites were the most common, and it’s not very likely that that trend has disappeared.
Overall, if you fall for a phishing scam, you can rest assured that:
Pharming is similar to phishing, but instead of relying on tricks and deceit, it automatically redirects you to malicious websites. Basically, you type in your bank’s website address, and you’re redirected to a fake website posing as it without you even knowing. Obviously, the hacker behind this will get access to all your bank-related info once you start typing it in.
Pharming either relies on malware to alter the Hosts files (the files that link an IP address to a website domain) on your computer, or on poisoning your ISP’s DNS servers so that all users who use them to connect to a specific website are redirected to the cybercriminal’s own site.
A keylogger is a type of malware that infects your device, and starts logging all your keystrokes on it. All that info is compiled into a log file which a hacker can retrieve any time. So, basically, whoever exposes you to a keylogger will know every single thing you type on your computer – including your online banking login credentials.
Your device can get infected with keyloggers if you interact with phishing messages and malicious websites, but someone can place the keylogger on your device if they have direct access to it as well.
Other types of malware might be used to compromise your Internet banking security too (like spyware and viruses, for example), but keyloggers are normally the most dangerous ones in this situation.
Some people claim that a virtual keyboard keeps you 100% safe from keylogging malware. That is true since no keystrokes come from the physical keyboard, as you’ll just be using a software-powered keyboard that shows up on your desktop to type in your login credentials.
However, we don’t recommend using a virtual keyboard as the ultimate solution. While keyloggers might not be able to steal your login credentials (and other data), spyware would manage to do that. How? By taking screenshots of your desktop, essentially seeing what you type on the virtual keyboard.
Now that you know the dangers of both unsecured and secured WiFi, it’s pretty obvious you’re better off doing your online banking without using it. Of course, that’s easier said than done, and it can definitely be pretty inconvenient.
Overall, your best bet is to either use your mobile data plan to check your bank accounts, or to make sure your Internet connection at home comes directly from the router, not from a WiFi connection.
Of course, there’s another thing you can try to completely eliminate the risk of WiFi putting your Internet banking security in danger, which we’ll discuss below.
“Wait – is VPN safe for online banking?”
Yes, it certainly is. A VPN is an online service that encrypts your online traffic, making sure that nobody can monitor it to see what you’re doing on the Internet. That also means cybercriminals won’t be able to eavesdrop on your Internet connections to steal sensitive online bank account data from you.
A VPN is so secure in fact that you can even use it to do online banking while conveniently using public, unencrypted WiFi. You can even set up a VPN on your router to make sure you don’t need to worry about online banking security threats at all.
We’ve got you covered. CactusVPN offers a high-end VPN service that protects your online traffic and data with military-grade encryption and strong VPN protocols like SoftEther, IKEv2, and OpenVPN.
On top of that, we also offer DNS leak protection, a Kill Switch that makes sure you’re always safe on the Internet, and a no-log policy.
And once you do become a CactusVPN customer, we’ll still have your back with a 30-day money-back guarantee.
Multi-factor authentication is a great way to offer your bank account an extra layer of security. Normally, this feature requires you to enter an extra code when logging into your account online – right after you type in your login credentials. The code will either be generated on your mobile device (through an app like Google Authenticator), or you’ll receive a text message with it.
“What if my bank doesn’t offer multi-factor authentication?”
That’s a pretty big red flag, honestly. You’re better off changing banks in that case. Otherwise, there will be nothing standing in the way of hackers if they ever manage to steal your login credentials.
How can you tell whether or not your bank’s app is legit? Well, here are some things you should try out:
But if you’re still not 100% sure the banking app you found is not compromised or fake, then just use the bank’s website instead.
Your bank will probably tell you this anyway, and most banks make it mandatory for you to create strong passwords. Still, if you’re not sure how to do it, here are some pointers:
Sure, automatic login can be convenient – especially if you use a strong password, and you have multiple bank accounts. It sure beats having to manually type your long password while double-checking the notebook or paper you wrote it on every 2-3 seconds, right?
That’s true, but it also opens you to other potential dangers. For example, if somebody were to steal your phone or laptop, or break into your home and access your computer, they’d have instant access to your bank accounts.
So, it’s best to avoid automatic login. But that doesn’t mean you’ll have to manually enter your passwords every time you want to check your account balances. If you use a password manager (like Bitwarden, KeePassX or LessPass), it will auto-complete any login forms you allow it to.
“But isn’t that the same thing as someone having access to my phone or PC with automatic login turned on in my browsers?”
No, because a reliable password manager will authenticate you every time you want to autofill your login credentials for a certain account. Yes, that means you’ll still be typing in a password, but at least it will be a single master password.
Just like you shouldn’t do online banking on public WiFi without using the proper protection, you shouldn’t do that on public computers either. Why? Because there’s always a risk the computer has been infected with spyware, or had keyloggers installed on it.
If that’s the case, and you access your bank account, whoever placed the malware on the computer can always just come at the end of the day and retrieve the logs containing your login credentials – that’s if they don’t have remote access to the computer, in which case they just need to monitor what you do while you use it.
Phishing is one way cybercriminals aim to steal your online bank account login credentials. Basically, phishing represents a hacker’s attempt to trick you into revealing that info.
They will usually send fake messages claiming to be a representative or an IT support technician from your bank asking you to confirm your account by providing them with information like account name, account holder, password, or credit card number. Alternatively, they could do the same thing, but ask you to access a link, or download an attachment. If you do any of that, you’ll either be redirected to a phishing website, or have your device infected with malware (spyware or keyloggers, most likely).
Those are just some possible scenarios, but you get the idea. Basically, if you receive any message from someone claiming to be working for your bank asking you for sensitive information or access to your account, don’t respond to them. Your bank will never ask you for something like that. To be 100% sure, contact your bank to ask them about the message to see if it’s legit.
In case it isn’t, delete the message, report it as spam, block the sender address, and get in touch with the local authorities if your country’s laws allow that.
If you’d like to learn more about phishing (especially how to protect yourself from it), here’s a guide we wrote about it, alongside other threats too.
What does your ISP have to do with online banking? It’s simple – an ISP that has lax security standards will likely fall victim to DNS poisoning, a form of pharming attack that changes the records on the DNS server. Basically, the DNS server your ISP uses will be hijacked and, as a result, you and all other users accessing websites through it will be redirected to fake, malicious websites instead.
You won’t ever be able to take a tour of your ISP’s server rooms, and monitor how their IT security teams maintain the servers and data, of course, but you can always ask your ISP what measures they take to protect their DNS servers from pharming attacks. If they take the time to explain what procedures they follow, and don’t try to blow you off with generic jargon, that’s a good sign.
In case you’d like to learn more about pharming, just check out the article we linked above.
Malware and viruses can often endanger your bank account. So, it’s important to keep your device safe from them. After all, it doesn’t matter if your ISP and bank are doing everything they can to offer you top-notch online banking security. If you aren’t doing that too, and your device is infected with malware, it’s game over.
There are plenty of antivirus/antimalware software providers to choose from, but our recommendations are Malwarebytes and ESET.
Oh, and be sure to install their dedicated apps on your mobile device(s) too.
Regular updates can be a bit annoying since they always seem to get in the way of what you’re doing. But without those regular updates, you’d be at the mercy of cybercriminals.
You see, updates can often contain critical tweaks that patch minor vulnerabilities in an OS or browser, vulnerabilities which a hacker could exploit. Also, regular updates make sure your antivirus/antimalware program can keep up with the new forms of malware that keep popping up almost every 10 seconds according to security experts.
If you use your mobile phone to do online banking, and end up losing it or having it stolen, there’s a chance the person who ends up finding it/stealing it could use the info on your device to compromise your bank accounts.
That’s why you need to make sure your mobile device is properly secured, so that it can’t be accessed by anyone but you. Here are three ways to do that:
Besides that, you should also keep Bluetooth turned off when you’re not using it. This isn’t something that will secure your phone if it’s lost or stolen, but it will help keep it safe otherwise. Why? Because Bluetooth actually has had serious vulnerabilities over the past years. One of them made it possible for cybercriminals to silently hack mobile devices that had Bluetooth turned on. Another one allowed hackers to compromise your device’s cryptographic keys with MITM attacks.
This isn’t much of a tip since it’s pretty obvious, but what exactly does a “reliable bank” mean? Well, it should be one that meets the following requirements:
So, how safe is online banking?
Generally, it’s pretty secure, but there are plenty of risks associated with it, such as phishing, pharming, data breaches or errors the bank doesn’t mention, fake or compromised banking apps, keyloggers (and other types of malware), and WiFi vulnerabilities.
Fortunately, there are some things you can do to make sure you get to enjoy decent Internet banking security: