We have fallen into the cycle 🙂 of giving out our hard-earned knowledge to the world… if not on TV, it's in the newspapers. Immaculate Karambu hunted down Bwana Salim and got him to say a couple of things on online banking, the opportunities / benefits and the all-important issue of security and fraud. Here is the piece as it appeared on page 27 of the Business Daily on 5th May 2010.
More and more people are embracing online banking both locally and internationally.
Most banks are using this technology to attract large numbers of customers, especially busy businesspeople, owing to the convenience that the service offers them.
Online banking not only allows customers to enjoy the comfort of banking at their own convenience, but also offers a solution to a number of challenges that are common with traditional banking.
For example, people can transact business anywhere, any time as long as they have an internet connection.
Through online banking, customers are able to fit their bank transactions into their busy schedules because it does not involve visiting banking halls that often have set working hours.
For customers of online banking, it is all about being able to issue cheques, stop cheques, authorise cash transfers both to and from their accounts, pay bills as well as trade online.
However, despite its growing popularity, security concerns are a major headache for those involved in online banking.
And daily, banks are grappling with this challenge in order to ensure that their clients are guarded against fraud.
Just as the name ‘online’ suggests, this is a business carried out purely over the internet, and therefore there is no physical proof of identification, which makes it more prone to fraud.
Salim Idd, the chief technical officer at Symbiotic Media Consortium, a local IT security consultancy firm, reveals that online bank customers are faced with many risks, most of which they are never aware of when opening online bank accounts.
According to Mr Idd, the online banking risks originate from the fact that many banks rely on internet service providers (ISPs) to connect to their customers.
“Locally, many banks do not have a direct connection to their customers. Many have hops – which are connections in between the bank and its customers and an example of this is the internet service providers. What this means is that in the case a bank has not set up proper security measures, there is a high possibility of the system being hacked therefore exposing the customer to fraud,” he says.
He adds that banks that practice a closed system that allows their customers to transfer money only to accounts in the same bank are less exposed to fraud than those that practice an open system that enables funds transfer between accounts in different banks.
Mr Idd says it is the duty of the bank as well as the customer to ensure that online banking is a safe avenue for doing business.
Some of the risks that online banking is faced with have to do with the bank itself.
These are technical issues to do with the connection between the bank and its customers.
Normally banks rely on internet service providers (ISPs) to connect to their customers, and this means that as a customer, any instructions you issue to the bank on your account are first received by the ISP and then relayed to the bank.
A bank that secures information from your end is preferable, as this ensures that no one in between can access your information, hence reducing the risk of your account being tampered with.
“To avoid man in the middle attack (MiTM), some banks put codes to encrypt the message from the customer and decrypt it when it is received at the bank. This way no one in between can access it. It is easier to tamper with a plain text than one that is encrypted,” adds Mr Idd.
When doing online banking, the basic assumption between you and the bank is that whenever instructions are issued on your account, then it means that it is the account holder who is online.
Not all banks will go a step further to back up this assumption with a security check.
This means that they rely on the single response that is given by the account holder to complete a transaction.
In case a fraudster is operating your account, then you are likely to lose your money as the transaction will be cleared by the bank.
However, some banks will always offer a second level of security, for instance by sending a message or even an email with special characters that the customer is expected to key in to complete the transaction. Such a system helps to check fraud.
When replying to email messages from your bank, carefully look at the link used in the email to avoid replying to the wrong link.
Fraudsters easily hack the system by changing the wording in a manner that most customers can hardly notice by, for example, omitting a single character or even replacing it with an almost similar one.
When this happens you are likely to log in and land on a ‘dummy’ bank interface, which in many cases will have the look of your usual bank interface.
Without suspicion, a customer goes ahead and transacts, and this information lands on the hacker’s server, where it is captured and used to manipulate the account.
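The link check described above, as an added example that is not part of the original article: a Python sketch that compares the hostname in an emailed link with the bank's known hostname and flags a dropped or changed character or a look-alike substitution. The hostname `online.examplebank.test` and the look-alike table are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed, non-exhaustive table of characters often swapped for a look-alike.
LOOKALIKES = {"0": "o", "1": "l", "5": "s", "rn": "m", "vv": "w"}

def normalise(host):
    """Fold look-alike characters so 'examp1ebank' compares equal to 'examplebank'."""
    host = host.lower()
    for fake, real in LOOKALIKES.items():
        host = host.replace(fake, real)
    return host

def edit_distance(a, b):
    """Levenshtein distance: each insert, delete or substitute costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url, trusted_host):
    """Classify a link found in an email against the bank's known hostname."""
    host = (urlsplit(url).hostname or "").lower()
    trusted = trusted_host.lower()
    if host == trusted:
        return "match"
    # Non-ASCII or punycode names can hide letters from other alphabets.
    if not host.isascii() or "xn--" in host:
        return "non-ascii"
    if normalise(host) == normalise(trusted):
        return "lookalike-substitution"
    if edit_distance(host, trusted) <= 1:
        return "lookalike-typo"
    return "different"

if __name__ == "__main__":
    BANK = "online.examplebank.test"  # constructed hostname
    for link in ("https://online.examplebank.test/login",
                 "https://online.examplebnk.test/login",
                 "https://online.examp1ebank.test/login"):
        print(link, "->", check_link(link, BANK))
```

Anything other than `match` means the link does not lead to the bank's own site and should not be followed.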
According to Mr Idd, many banks do not test their online systems before releasing them to customers.
This is mainly because of the ever-growing competition in innovations in the banking industry which often leads to a failure by banks to pilot new products before releasing them to the market.
In such cases, due security measures fail to be exercised therefore leaving loopholes for system hackers.
Most banks offering online banking facilities have security certificates put in place to check fraud attempts.
Apart from acting as an anti-fraud measure, this also gives confidence to customers because many of these certificates come with a warranty, so that in cases of customers’ accounts being tampered with, compensation can then be arranged.
As an online account holder, ensure that your bank has a security certificate for its online system.
Mr Idd explains that it is easy to tell a secured bank because when logging in to the online banking system the first thing you will see is a warning that you are attempting to log in to a secured location. Another test for security is on the address bar.
For secured banks, the address bar in most cases turns to green or blue depending on the quality of the certificate the bank has put in place.
In the case where the address bar is red this could mean that the certificate is either forged or expired.
Unsecured banks have no colour change on the online web address bar.
In addition, on a secure online bank page, the ‘http’ in the address is normally followed by the letter ‘s’, e.g. https://www, and at the foot of the page is a padlock symbol.
In addition to these features, one can access the security certificate from the bank’s online page and view the issuer of the certificate, the date of issue or even the expiry date.
It is important to note that a single security certificate is used at a time, so there is no chance of having multiple security certificate issuers at the same time.
Experts advise that the risk involved in online banking should not deter customers from opening online bank accounts, but urge caution when operating them.
* First, ensure that all your passwords are secure enough so that someone else doesn’t gain access to your online account. Avoid using nicknames, dictionary words, alphabetical combinations, car number plates or favourite hang-out places, as these are easy to guess.
* Some banks put expiry dates for passwords so as to encourage their customers to keep changing their online passwords often.
* Avoid careless spelling mistakes when banking online as this could lead you to a hacker’s server thereby exposing your account to fraud.
* Put limits to your online bank accounts so that you can manage all debits to your accounts. This reduces the chance of having withdrawals beyond the set limit being made from your online account.
* Logging in to your online banking from a cyber cafe is highly discouraged. Public places like a cyber cafe or shared computers expose your account to more risk because of the lack of confidentiality on these machines.