Online and mobile banking provide great convenience for consumers, who no longer have to visit bank branches to deposit money, take out money or perform other transactions. Online banking also provides an easier and faster method for paying bills, with traditional checks virtually obsolete now in many countries.

However, online and mobile banking can also provide rich picking for criminals who are abandoning traditional crimes such as burglary in favor of identity theft and online fraud. Online fraud can be easier to perpetrate than traditional crimes, and there is less of a risk that the criminal will be caught.

Criminals have a number of tools at their disposal to con online banking users. These include man-in-the-browser (MitB) and man-in-the-middle (MitM) attacks in which criminals intercept data as it flows between a user and an online banking application and can be used to take over accounts. According to the Aite Group, such attacks will be responsible for losses of $794 million to financial institutions globally by 2016, an increase of 75 percent over 2012.

In many cases, consumers are covered for the majority of their financial losses if they are defrauded, but only if they notify the institution concerned within a specific time period and the fraud can be traced. However, criminals can extract all sorts of data from online transactions, some of which could be used to perpetrate identity theft, with which losses can be considerably higher — both financially and in terms of the distress caused.

The dangers are real, and all online and mobile banking services should take steps to boost security and guard themselves.

Commonsense Steps to Take

As with almost any application, a password is generally required to access online and mobile banking applications. Consumers should not only choose a sufficiently complex password, but they should also ensure they follow safe password practices, such as not writing it down, not using the same password for other applications and changing the password regularly. Consumers should also ensure they log out of any banking site once transactions have been completed or should at least close down the browser in order to prevent unauthorized access. Some banks provide customers with hardware tokens that provide a one-time password for each banking session, which provides a more secure form of authentication than just a password.

Banking customers should also make sure the device they are using is adequately secure, using and regularly updating anti-malware controls and installing patches and operating system upgrades when they are made available. They should avoid using public computers or insecure Wi-Fi connections when making banking transactions, as well.

It is also recommended that banking customers regularly monitor their accounts to check for suspicious activity. This way, the bank can be notified of anything found in a timely manner to avoid being held liable for the activity. Some banks offer customers alert facilities so they can stay abreast of transactions and be alerted when, for example, a bill payment is due.

Consumers should also be wary of unsolicited messages supposedly from their financial institution — especially those asking them to provide personal or account-related information such as their PIN. They should also never click on links that point to websites since such links could also take them to websites that have been hijacked or spoofed. It is far better to manually type the URL into a browser, even when a realistic-looking logo is included in the message.

Use Specialized Software

Perhaps the best step consumers can take beyond the commonsense measures listed above is to download and use specialized software that is often provided for free by financial institutions and is designed to protect both the financial institutions themselves and their customers against cyberattacks.

One such software is IBM’s Trusteer Rapport, which provides an additional layer of protection against phishing attacks and redirections to fake websites. Designed to work alongside anti-malware controls and firewalls, Rapport protects information that is inputted by users, such as account numbers and PINs, from being stolen by malicious software such as Trojans. It can also protect consumers against other exploits, such as phishing, through the use of specialized algorithms and MitM attacks by preventing malware from being installed on a device. Rapport provides an additional layer of protection when it is downloaded and checks devices for the presence of existing malware before attempting to remove it. Many financial institutions worldwide encourage customers to download and use software like Rapport.

Many of the precautions that consumers should take when using online and mobile banking services apply to other services they use and are really commonsense precautions. However, given the nature of banking, it makes a great deal of sense to download and use specialized software provided by a financial institution in order to add an extra layer of security that will prevent consumers from becoming a victim of crime.

More from Banking & Finance

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today