Customers of HSBC, Bank of America and Washington Mutual may want to think twice about banking online. Quickly. The three banks are identified in a study by a UC Berkeley’s Boalt School of Law researcher as the most victimized by identity theft.
CNet, which links to the study, says that researcher Chris Hoofnagle used numbers received under a Freedom of Information Act request. He ran the numbers from three randomly chosen months in 2006. The results were that HSBC had 21 incidents per billion of dollars on deposit, BoA had 17 and WaMu 16. ING was the most secure, with a lone incident per billion on deposit, the study said.
The story says that the findings dovetail with a 2007 report from Cambridge University that said BoA and WaMu phishing sites usually stayed afloat for more than 100 hours, while Chase and PayPal general got such sites taken down in less than two days.
Reasons to worry about HSBC are validated by a recent NY Magazine post and the consumerist.com post to which it links. The first post, which is in a gossip column, mentions that four cases recently have come to light about the loss of thousands of dollars in online banking scenarios. The consumerist post says the bank’s fraud department is overwhelmed. While the posts seem to have some level of sensationalism, they nonetheless raise legitimate and unsettling questions.
Such information makes the ambivalence most folks feel about online banking seem reasonable. There is a wealth of valuable and interesting information in a recent posting at Security Park by Fortify. The first section highlights the three dangers of online banking. Like everything else on the Internet, the fact that it is global poses as much a risk as an advantage. A thief in England can take a crack at bankers in the U.S. Attacks are more varied than physical attacks and online security is difficult for end users to understand.
This all doesn’t mean that online banking isn’t safe if done correctly – both by the institution and the customer. The writer points out that online banking is growing. Both the perception and the reality is that safety is improving and, for this reason, crackers are beginning to target smaller and less sophisticated institutions. Indeed, it’s possible to argue that online banking is safer than physical banking. The lion’s share of financial fraud is done in the real world and, even if online theft is attempted, alerts are sounded quicker and loss is less than off-line theft.
This University of Washington post provides significant insight into the pros and cons of online banking. It begins by establishing two overall goals: That the application should always be available and that “adversaries” – the bad guys – should not be able to access them. Weaknesses of online banking include the possibility that hackers will seek to disrupt servers and use phishing attacks, keyloggers and man-in-the-middle attacks.
The story offers possible defenses against these attacks and assesses the overall risks. Phishing and keylogging are high risk, the writer says, and man-in-the-middle attacks are of moderate danger. The writer says that he hopes that no banks still are sending passwords in the clear.
Online banking apparently is convincing enough people that it is, indeed, safe, according to a Gartner study conducted in the U.S. and the U.K. during June, July and August of last year. The firm, according to eMarketer, found that 71 million people in the U.S. and 14 million in the U.K. use such services regularly. It’s mainstream, Gartner says.
The trends show that it is more popular among younger and higher-income folks, and online customers don’t abandon traditional channels such as ATMs and the telephone. The use of online in addition to – not instead of – other forms of banking could impact the marketing of these services.