Making SENSE of Internet banking security
Banking over the Internet can provide much needed convenience. However, there are fraudsters and scammers out there that prey on us and are ready to take our money. Here are some tips to protect yourself and your money.
Increasingly, many people are making use of Internet banking to conduct financial transactions such as fund transfer, payment of bills, online shopping, etc. Therefore, it is not surprising that progressively more cyber crooks, thieves and scammers are devising ways to access customers’ Internet banking accounts and make a profit at the expense of Internet banking consumers.
Read on to find out how you can take simple steps to safeguard yourself from becoming a victim:
CASE 1: Mr Wong received a call from a person named Siebel allegedly from ABC bank. Siebel explained that there was a security breach and Mr Wong’s banking account had been compromised. Siebel told him that as a preventive measure, the bank had suspended his account. Siebel advised Mr Wong to go to the nearest bank branch to reactivate his account. When Mr Wong expressed his displeasure, Siebel offered to assist Mr Wong in activating his account. He then requested Mr Wong to provide his user ID, Internet banking PIN and One-Time Password (OTP) from a hardware token or SMS for verification. Mr Wong quickly rattled off his details and hung up. Two days later, Mr Wong was shocked to discover that his entire savings were depleted. When he queried the bank, he was told that no one from the bank had contacted him.
In this case, Mr Wong should not have given away his login credentials (e.g. user ID, password, OTP). Your PIN and OTP are confidential and should not be disclosed to anyone. This applies even to requests purportedly from people claiming to be employees of banks. A bank will not ask customers to reveal their login credentials.
Below are some tips that you can adopt to protect your PIN and OTP:
- Keep your PIN confidential and do not divulge it to anyone. This applies to the PIN for your ATM card, credit cards and Internet banking, etc.
- Memorise your PIN; do not write it down anywhere.
- Change your PIN regularly and do not reuse old PINs.
- Use separate PINs for different online accounts, applications or services.
- Choose a difficult to guess PIN with at least six alphanumeric characters.
- Do not choose a PIN that is based on your user ID, telephone number, birthday or other information that may be known by others.
- Do not share your PIN with anyone.
One-Time Password (OTP) security
To further strengthen the security of Internet banking, banks have implemented two-factor authentication (2FA) system at login. This means that bank customers are required to enter an OTP generated by a token or received through SMS via a registered mobile phone number in order to use Internet banking services. Users of Internet banking services should continue to be vigilant even with the increased security afforded by 2FA.
CASE 2: Mr Lim uses Internet banking services frequently to make online transactions. With the implementation of 2FA, Mr Lim’s bank decided to issue hardware security tokens for all Internet banking users. For convenience, Mr Lim wrote down his user ID and PIN on his security token which was kept in his desk drawer. While he was on holiday, a thief broke into his house, found his Internet banking security token and used it to access his bank account. When Mr Lim returned, he realised that his savings had disappeared from his bank account. He immediately alerted the bank and made a police report. However, his monies could not be recovered as under the bank’s Internet banking terms and conditions, it is not liable for any losses incurred due to his negligence.
In this case, Mr Lim should have kept his security token in a safe and secure place and not have casually placed it in an unlocked drawer. Mr Lim should have memorised his user ID and PIN, and not have written them on his security token.
CASE 3: Ms Tan received a congratulatory SMS message indicating that she had won a lottery sponsored by XYZ bank. Soon after, she received a call informing her that she needed to open an Internet banking account to enable the prize money of $20,000 to be credited into her bank account in XYZ bank. In addition, she would need to inform the caller of her Internet banking user ID and PIN as well as register a mobile phone number provided by the caller. Being eager to receive the prize money, Ms Tan was quick to oblige. A week later, she checked her bank account at the ATM and realised that some funds had been withdrawn from her account.
Here are some MoneySENSible tips to safeguard your security token and OTP:
- Always keep your OTP security token in a safe place.
- Do not allow anyone to keep, use or tamper with it.
- Do not reveal the OTP to anyone.
- Do not write your user ID and PIN on your token or anywhere else.
- Do not divulge the serial number of your security token to anyone.
- Always register your own mobile phone number to receive SMS OTP and alerts.
- If you lose your token or registered mobile phone, inform your bank immediately.
Phishing (pronounced as “fishing”) is a technique used by fraudsters to obtain sensitive personal information such as your account details, PIN, OTP, credit card number, user ID or password through the Internet. Once such sensitive information is obtained from you, the fraudsters may be able to access your Internet banking account.
Many tricks are involved in phishing scams. Some phishing scams involve fraudsters sending you an e-mail purporting to be from your bank, credit card company or service provider. Usually, the bogus e-mail appears to come from a bank or payment service provider, requesting confidential account information for verification. Other scams may involve infecting your PC with a malicious malware which redirects you to a bogus Internet banking website or displays deceptive information to trick you into revealing confidential information such as your login user name, PIN, OTP and transaction authorisation code.
CASE 5: Ms Rashid received an e-mail allegedly from her bank notifying her that the bank was conducting an online lucky draw containing a hyperlink to the lucky draw website. Upon clicking on the hyperlink, she was brought to a page that looked identical to her bank’s Internet banking login page. She quickly keyed in her user-ID, password and OTP generated by her security token to participate in the lucky draw. Days later, she was shocked to discover money had been taken out from her account. When she contacted the bank about her losses, she learnt that the bank had not held any lucky draw. Ms Rashid became one of the many victims of an identity theft scam.
You should heed the following advice from your bank:
- Always remember that your bank will never send you e-mails asking you to divulge any confidential or personal information. You should report such e-mails to your bank and then discard them.
- Do not use your SMS transaction authorisation codes for login or other purposes.
- Be suspicious and contact your bank if your browser or PC behaves abnormally (eg. slowing down, hanging or crashing) when you perform Internet banking.
- Do not download, install or execute programs, scripts or attachments from unknown sources.
- Enable instant notifications such as SMS or e-mail alerts for all payment or fund transfer transactions.
- Do not click on any link to log in to bank websites
- Do not open attachments in e-mails purportedly sent to you by your bank, credit card company or service provider.
- Always enter the full URL or domain name of your bank or credit card company into your browser address bar. If you are unsure of their Web address details, contact them for the information.
- Always check your credit card and bank account statements for any suspicious or unauthorised transactions. If you detect anything unusual, contact your bank immediately.
- Do check your bank’s website for more information on Internet security. In the event that you think you have become a victim of a phishing scam, contact your bank immediately.
- Install firewall, anti-virus and anti-spyware in your computer and update them regularly.
- Do not perform online banking using computers in public places such as cybercafés and airports.
Remember to log off each time you finished your online banking activities.
Internet banking has brought much convenience and many benefits. However, we must always be mindful of fraudsters and scammers who try to defraud us. We should always exercise vigilance and safeguard our login credentials, security tokens and registered mobile phones.
This information is provided by the Monetary Authority of Singapore as part of MoneySENSE, Singapore’s national financial education programme. For more information, check out: www.moneysense.gov.sg.
(PHOTO CREDIT: HARD AT WORK © Raycan | Dreamstime.com)