Wednesday, January 23, 2008 12:02 PM cmosby

Symantec Security Response Weblog: Banking with Confidence

 

Banking with Confidence

News of the Silentbanker Trojan seems to have (rightfully) caused quite a few people to wonder if the computers they use to access their online banking are secure. I’ve gotten some interesting questions about the security of online banking since Liam O’Murchu’s blog about Silentbanker was published last week. Some people I talked to said that they’ll never use online banking again, but I don’t think that’s the answer (just ask anyone who has ever had their bank card skimmed).

Instead, I think people are better off securing their computers and using a few best practices to ensure that their transactions are safe. So, here are a few tips for online banking:

• Use a strong password to access your online banking and change it often. Strong passwords are always good to use, but remember that a keylogger can record any password. Also, don’t use the same password for your online banking that you use for anything else.
• Don’t save your online banking password when your Web browser asks you to. There are plenty of threats out there capable of stealing the passwords your browser stores.
• Don’t get lulled into a false sense of security. Many people think that because their bank uses two-factor authentication, they are safe. Silentbanker proved them wrong.
• Do not access your online banking from any computer other than your own. Don’t use your friend’s computer or even your work computer since you don’t know for certain who else has had access to it. And under no circumstances should you ever access your bank from a public terminal at a library, Internet café, or anywhere along those lines. Just don’t. Seriously. Trust me on this one. You may as well post your account and password on a billboard in Times Square.
• Always manually type the Internet address of your bank into your Web browser. Never follow a link to it, especially not one that you receive in an email message.
• If you receive email from your bank and want to phone them to verify its authenticity, dial the number located on your bankcard or look it up in the phone book. The phone number in an email message may be a “vishing” number.
• Don’t store your passwords in a file on your desktop (or anywhere else on your computer for that matter). Some people believe copying and pasting passwords from such a file will defeat keyloggers. However, many threats are capable of stealing the contents of your clipboard – the service that stores copied text. Additionally, an attacker who has remote access to your computer through a back door server program could easily steal this file.

While this list is by no means exhaustive, it’s a good starting point for most users. You should also follow other computer security best practices – install antivirus software and keep it updated, use a firewall in combination with an intrusion prevention system, and keep your operating system and applications up to date with patches.

Posted by Marc Fossi on January 23, 2008 05:00 AM

Source: Symantec Security Response Weblog: Banking with Confidence
