In the end, cyber-security is a partnership between you and your bank
By Olev Edur
How safe is it to bank online? It’s a question we’ve all asked ourselves, given continuing reports of hacking incidents involving major corporations in which the personal information of sometimes millions of clients has been compromised.
To begin with, the good news is that online banking is as safe as—indeed, likely safer than—the average online purchase. Banks have been throwing enormous resources into online security, not out of altruism but for the sake of their own survival. Customer trust is a bank’s only asset—without the use of your money, a bank has nothing (other than perhaps a shrinking real estate portfolio)—so the banks have to be safe.
“We invest in state-of-the-art fraud and security technologies and maintain rigorous security procedures,” says Rami Thabet, the vice-president of digital products at RBC. “We have a team of dedicated cyber-security and fraud experts working 24/7 to prevent, detect, and investigate fraud. With our product Digital ID, we can notify clients when they’re at risk; our mobile app is equipped with the latest encryption technology and sends fraud alerts if there is a suspicious transaction. We have online resources and tutorials on our website, and an RBC advice centre. We never take our clients’ trust for granted and will continue to prioritize our time and money on cyber-security, privacy, and data protection.”
The story is much the same at all banks and indeed at all major corporations—multiple layers of security and scrutiny are becoming the norm as businesses spend billions on technology to counter growing threat levels. According to results from Statistics Canada’s Canadian Survey of Cyber Security and Cybercrime, published in 2018, Canadian businesses spent $14 billion on cyber-security in 2017. That figure has undoubtedly risen considerably since, given ever increasing threat levels.
These efforts have been working for the most part—at least, so far. While reports of hacking incidents aren’t uncommon, cases of successful bank hacking remain extremely rare—the only case revealed in a Google search of “banks hacked in Canada” was one from May 2018, when Bank of Montreal (BMO) and the Canadian Imperial Bank of Commerce’s Simplii Financial subsidiary confirmed that hackers had taken a total of 90,000 customers’ data for ransom. Rather than pay, a BMO spokesperson said the bank would focus on “helping and protecting its customers.” No further news has been forthcoming.
Although it’s not a Canadian bank, US-based Capital One’s six million Canadian and 100 million American credit card clients had personal—but not financial—information compromised in July 2019. An arrest was made shortly afterwards. In neither of these cases were there any reports of financial loss. While the exposure of personal information is always undesirable, any ensuing danger can often be forestalled by simply changing passwords, bank cards, and/or accounts.
Still, the banks remain prime targets. The previously cited Statistics Canada survey found that banks were already the most frequent target of cyber-attacks in 2017. And a February 2019 Global News report quoted Christopher Porter, the chief intelligence strategist at Firefly—a California-based security firm working with Canadian military and public-safety institutions—as saying that “at least a half-dozen organized-crime groups conduct financial crime operations targeting companies and people in Canada with a sophistication once seen only among nation-states.”
In the United States, cybertalk.org, an executive-oriented e-service, concluded that between February and April 2020, cyber-attacks against US banks increased by 238 per cent. The situation prompted a September 1 US House of Representatives hearing at which financial services subcommittee chair Emanuel Cleaver lamented: “In this time of suffering and hardship for so many, we are seeing criminal actors here and around the world redoubling their efforts to target families, financial institutions, and even governments.”
Similar reports emanate from Europe and Asia, but so far, the Canadian contingent has held up well—our banks compare favourably to any industry sector in any country, particularly given the volume of financial business they do.
“Every year, billions of transactions take place safely at RBC,” Thabet says. “Online banking is incredibly safe.”
So that’s the first part of the answer. But hackers and scammers know the banks have formidable defences, whereas you and I, as individual customers online with cyber-defences typically ranging from so-so to non-existent, are much easier prey. Indeed, the biggest danger of financial loss comes not from a bank hack, but from scams and schemes aimed at obtaining crucial information and/or access directly from you. As you can see in the box on page 31, there are many ways they accomplish this.
Recognizing this vulnerability, most financial institutions in Canada will indemnify any transaction you didn’t make or approve using your institution’s online banking service. But there’s a catch: you are obliged to take reasonable care in safeguarding your personal and financial information—in particular, passwords and logon IDs, personal identification numbers (PINs), social security numbers, account details, and the like.
“It’s your responsibility to always keep your banking and online banking details to yourself,” the Financial Consumer Agency of Canada (FCAC) website cautions. “If you give your online banking information to anyone, including your spouse, partner, family member, or friend, you may risk losing the protection against unauthorized transactions offered by your financial institution and be responsible for any unauthorized transactions on your account.”
You also need to keep an eye on those accounts and contact your financial institution or service provider if you find anything amiss. “You may need to take additional steps to protect yourself when banking online,” the FCAC advises. “Read your account agreement and your financial institution’s online banking or electronic access agreement.”
Three Ways to Improve Your Cyber-Security
User agreements may give you an idea of how much care you must take to protect yourself, and there are numerous sources of cyber-security information available online with FCAC (canada.ca/en/financial-consumer-agency) and the Canadian Bankers Association (cba.ca), as well as individual banks and many security consultants and analysts. FCAC also operates a family-oriented GetCyberSafe.gc.ca public-awareness site. While they may differ in detail, all these guides and safety instructions agree on three key ways in which you can take action to maximize your online safety.
1. Create strong passwords.
Strong passwords are essential, and the tougher the better. Obvious ones such as postal codes, phone numbers, birthdates, and pet names may be easy to remember, but they’re often the first things a crook will try. If your password is really lame—your own name, perhaps—and you’re hacked or scammed as a result, you may even be on the hook for any unauthorized transactions. Password recommendations boil down to the following:
• Use a minimum of eight characters;
• Ensure passwords contain a combination of upper- and lower-case letters, at least one number, and a symbol such as # and @;
• Avoid sequences (abcd, 1234) and repeated letters or numbers (999, fff);
• Use different passwords for different websites—that way, a security breach at one doesn’t jeopardize all;
• Use multifactor authentication wherever available—this involves two separate communications media, typically an online connection plus e-mail or text-message confirmation.
Don’t enable “autofill” to let your computer or cellphone store passwords. It’s a handy feature if you use a lot of passwords, but anyone who gains control of your device can use them, too.
The safest storage repository is your memory, but if you have dozens of complex passwords to remember and don’t want to be constantly going through the process of having to change them (all logon pages have a “Forgot your password?” option), you could write them down on paper and stash the list somewhere well away from your devices.
Some advisory sites use examples of simpler passwords—you might use a small core word that’s meaningful only to you, and then dress it up with different numbers or symbols for different websites, and perhaps then add a couple of initials representing the organization behind the site. “Be creative,” the Canadian Bankers Association website suggests.
If password management becomes an insurmountable headache, consider encrypting a document containing your passwords and keeping the password for that master document in mind—not ideal, but it’s safer than autofill.
In fact, there is no ideal password—a crook with the right equipment can crack even the toughest one.
Finally, it would be wise to change your password(s) after any related incident. Some security experts suggest changing passwords periodically anyway.
2. Be circumspect in your online dealings.
In addition to keeping an eye on your accounts, your account agreement will require that you take reasonable measures to safeguard your personal and financial information. As an example of what not to do, a September 2019 CBC News report on scam victims whose banks wouldn’t cover their losses included one who used his wife’s name as an account password, then (for some reason) posted this information on his Facebook page. The bank pointed to its terms and conditions and rejected his claim on the basis that he was the author of his own misfortune.
In addition to the obvious safety precautions (don’t post personal data on social media pages!), you should take care with e-mails. First of all, no bank or other legitimate enterprise will ever request personal or financial information in an e-mail; any such missives should be viewed with extreme prejudice. Other times, e-mails purporting to be from a recognized company—Microsoft, for example—will ask you to take some action, but if you look at the sender’s e-mail address, you’ll find that while “Microsoft” is in the name, so is a lot of other stuff, meaning that the sender is really someone else.
When shopping online, stick with company names you know, or else investigate the business before proceeding to the checkout. Google for reviews and examine the site closely. Sloppy design elements, broken links, missing or misspelled names—“Microssoft,” or “Rodgers.com,” for example—are red flags indicating that a site isn’t what it purports to be.
Above all, don’t reply to any e-mail or text message unless you’re absolutely sure who sent it, and don’t click on any uncertain e-mail or website links—doing so could unleash demons into your system (see box, p. 31).
Don’t use public Wi-Fi or computers at libraries, Internet cafés, or other public spaces for financial transactions, whether banking or shopping. These facilities are open to all and can be monitored in a number of ways by criminals looking for easy prey.
When it comes to checkout time, always look for the lock symbol on the payment page, or “https://” at the beginning of the page address (“s” indicates that the page is secure/encrypted). Use credit cards or secure payment services such as Interac and PayPal rather than sending cheques or cash. Be wary of unfamiliar online payment methods—these can be faked.
When you’re finished your business, always log out, clear the computer’s cache and browser history, and close the browser window.
3. Keep your devices up-to-date and protected.
Good security software can cost much less than a hack.
Operating system and applications software require ongoing security updates to guard against newly emerging threats; install them and configure your operating system either to automatically check for new ones or to notify you when updates are available, so that you can update the software yourself.
Whenever your computer is connected to the Internet, it’s vulnerable to attack, unless protected by an impenetrable system “firewall.” You could, for example, disconnect your router or unplug the computer, but most operating systems’ security settings also include the ability to turn a digital firewall on and off. Keep it turned on.
Ultimately, there’s no 100 per cent guarantee you won’t get hacked or scammed by a cyber-criminal such as an identity thief, but if you watch your accounts, take care with your online activities, and do everything you can to protect yourself, you can feel a lot more confident about going online and enjoying all of the great things the Internet has to offer.