If all the talk of identity theft has not already made you very cautious in doing your online banking, then a study reported on by Sarah Schmidt in the Ottawa Citizen today should get you very concerned. According to experts, there’s no ‘peace of mind’ for online bank users. Paul Van Oorschot, Canada Research Chair in Network and Software Security at Carleton University, and PhD student Mohammad Mannan, a specialist in Internet security, suggest that complicated security requirements leave clients vulnerable. They contend that Canadian banks mislead their customers about the safety of online banking in their marketing materials and give users a false sense of security about their refund guarantee if hackers raid their accounts.
They surveyed 123 technically advanced users, mainly computer-science students, professors and security researchers. Although most of those surveyed are more security-aware than average customers, they still failed to satisfy common security requirements. They conclude that most average users will be ineligible for the 100-per-cent reimbursement guarantee banks would seem to be offering. In their opinion, doing online banking with ‘confidence’ and ‘peace of mind’ is no more than a marketing slogan which misleads users.
They found weaknesses in a number of areas:
- Despite strong recommendations about password uniqueness, most banks allow weak passwords.
- There are weaknesses in banks’ SSL certificates; Secure Sockets Layer (SSL) is a protocol for transmitting private documents.
- Malware can replace a bookmarked login URL with a phishing site URL that masquerades as the bank.
- Most banks’ customer agreements require users to install and maintain up-to-date copies of anti-virus, firewall and anti-spyware programs.
Apparently Maura Drew-Lytle of the Canadian Bankers Association believes the expectations of banks are fair and are no more stringent than what people should have on their home computers to do simple things like sending e-mails. That seems a somewhat facile suggestion. As an example (although any Canadian bank could have been chosen), here are just some of the steps that the Bank of Montreal suggests for safe online banking.
- Always verify the Bank’s web site name in the “Address” (Internet Explorer) at the top of the browser.
- Keep your debit and credit cards and passwords/PINs (Personal Identification Numbers) safe. Do not divulge your passwords/PINs to anyone.
- Change your passwords regularly following guidelines on how to choose a strong password.
- Always log off to end your secure session.
- Once logged off, delete all traces of your secure session from the memory of your computer. (Learn more about how to clear your cache)
All that and more is required if you wish BMO to keep their stated promise: “We will reimburse you 100% of any losses to your Personal Banking accounts resulting from unauthorized transactions through Online Banking.” That word ‘unauthorized’ is according to the Bank’s definition, which is spelled out as follows: (bolding not in the original)
- You authorize us to accept without any further verification, and you agree to be responsible for, all instructions for FirstBanking Transactions via FirstBanking Automated Services, when accompanied by your Card and Secret ID Codes.
- The use of your Card or Secret ID Codes by you, or by any person with or without your knowledge or consent, in connection with a FirstBanking Transaction, binds you legally and makes you responsible to the same extent and effect as if you had given signed, written instructions to us.
- We may verify communications, or the source of the communications, before we accept them, but we are not obligated to do so.
As they say, the devil is in the details. Online banking can be enormously convenient, but be aware that you are responsible for ensuring its security. As the Canadian Bankers Association contends, the banks believe that it is only fair to expect customers to read agreements before they agree to the terms.