Banking: Online and Mobile Banking Precautions and Safeguards

If you bank online – or through your smartphone or tablet – you can be an easy target for hackers. To improve your odds of outsmarting them, follow these guidelines.

1. Don’t use a jailbroken mobile device for online banking.

When a mobile has been unlocked to give it access to a wider range of apps and customization, some security safeguards are disabled. The operating system is not as secure as the OS on an unmodified device.

2. Only download mobile banking apps from your device’s official app store.

Use the Google Play store for Android devices and the App Store for Apple devices when downloading mobile banking apps. Only use your bank’s official mobile app.

3. Never bank online over public WiFi.

If you're using public WiFi, you shouldn't log in to your bank account (or any other password-protected site, including your email account) because the network’s security is questionable. About 25% of consumers aren’t taking this simple precaution, according to the Federal Reserve’s most recent Consumers and Mobile Financial Services survey from March 2016.

While websites that begin with HTTPS offer some protection, it is easier for someone to steal your login details when you’re on a public network, even a paid public network such as those in airports and on airplanes. Only use online or mobile banking apps in public if you know how to set up a virtual private network with a reputable provider or if you can use your wireless carrier’s secure cellular network. 

4. Memorize your login information.

If you have your login name and password written down anywhere, you're at risk of someone stealing it. If someone breaks into your house and you have the information filed away, it might be stolen. If you email your login information to yourself and the security of your email account is compromised (and email isn’t very secure to start with), your information can be stolen that way.

If you're worried you'll forget your login information, write down some hints to yourself that will help you remember it but that a third party won't be able to decipher. Better yet, use a reputable password manager such as LastPass or Dashlane. Keep in mind that it shouldn't be too difficult for you as the legitimate account holder to recover a forgotten password and/or username by contacting your bank, so it's not the end of the world if you forget your login credentials.

5. Disable automatic login and extended login.

If your mobile banking app or bank website offers to keep you logged in for an extended time, disable this feature. Do the same if the app or your browser offers to remember your login details. You only want to be logged in for the few minutes when you’re actually using the app or website, and you don’t want anyone else who gets on your device to have easy access to your account.

6. Use complex login credentials and two-factor authentication.

Internet security professionals recommend using complex usernames and passwords that include some combination of symbols, numbers and upper- and lowercase letters. As well, you shouldn't use dictionary words or anything that would be easy to guess (so don't use your home address as your online banking password). Avoid using the same password for multiple accounts; use a completely unique login and password for your online and mobile banking activities. Enabling two-factor authentication or two-step verification for websites and apps that offer it can protect you further by requiring you to not only enter your username and password, but also enter a unique code that is sent to your mobile device.

7. Password-protect your phone and your computer.

According to the same Federal Reserve survey mentioned above, 30% of consumers still aren’t password-protecting their smartphones. Again, use a complex password that’s unique to each device. Make it more difficult for thieves to access your accounts if your device is lost or stolen.

8. Make sure your home network is secure. 

The best place to log in to your bank account is from home – unless your home network is not secure. If you don't have a firewall and antivirus software that you update regularly, and if you don't practice safe browsing habits, your home network may be compromised. This may make it easy for hackers to steal your information.

Many routers that come from internet service providers are not as secure as you might think. You can improve your router security in a few ways. The best is to purchase your own router, but if that isn’t an option, you can at least change the router’s default password (the password that appears on a sticker on the bottom of the router).Use the WPA2 protocol for your WiFi password and create a strong password with at least 20 characters that consists of numbers, letters and symbols.

You can also create a guest network for friends and family to use when they visit you; taking this precaution will help protect your network in case their devices are infected. You should also change your wireless network’s default name so hackers won’t know which type of router you have. Use a generic name that doesn’t personally identify you. Heimdal Security has more easy-to-follow tips on securing your home network.

9. Be careful with email.

If you receive an email that appears to be from your bank and asks you for any personal information such as your account number, debit card number, PIN, login ID or password, you can bet it's from someone who wants to compromise your account. Banks do not send emails asking for personally identifying information. You should also not download attachments from emails that are supposedly from your bank, nor should you click on links in such emails.

Even if you think you've received a routine email, such as one notifying you that your monthly statement is available, don't click on any links in the email. It only takes an extra few seconds to open a new browser tab or window and go directly and safely to the bank's website. Bookmarking your bank’s official website can also help keep you secure when banking online; sometimes scammers create look-alike websites at commonly mistyped URLs to capture unsuspecting customers’ login credentials.

10. Beware mobile phishing scams.

Similar to email phishing scams, if you get a text message that is supposedly from your bank and that asks for your PIN or other sensitive information, do not respond and do not click on any links in the text message.

(For further reading, see Tips For Keeping Your Financial Data Safe Online.)

11. Limits on What You Can Protect 

Even if you do everything within your power to protect your account security, you can still become a victim. Many major security breaches have occurred in recent years where criminals have stolen payment and account data from retailers and banks. You can’t prevent such attacks from happening because they are usually the fault of the merchant, one of the merchant’s third-party processors, computer theft, human error or a malicious insider. Here are a few of the big banking and debit card-related data breaches that have occurred in recent years:

Home Depot: In 2014, 40 million Home Depot customers had their payment card data stolen by hackers. (For more, see Home Depot Pays Another $25M for 2014 Data Breach.)

Target: Thieves stole debit card, credit card and personal information on Target customers in late November and early to mid-December 2013. (Learn more in Target Faces Yet Another Lawsuit Over Data Breach.)

JPMorgan Chase: 76 million households and 7 million small businesses were affected by stolen user names, addresses, phone numbers and email addresses in a 2014 cyberattack.

And then, of course, there was the 143 million customer breach at Equifax in October 2017 (see Was I Hacked? Find Out If the Equifax Breach Affects You.) For more examples, see  Wendy’s Breach Worse Than Previously Thought.

12. What to Do If Your Account Is Compromised 

If you are the victim of a data breach, the compromised company will usually notify you in writing (though some states don’t require this) and explain what data has been compromised.

If your debit card number was compromised, request a new debit card from your bank and create a new PIN when you activate it.

If your bank account will remain open, check your account activity daily for signs of fraud.

If your bank account number was compromised, you’ll need to close your bank account and open a new one – a major pain, but a good opportunity to review your banking needs and consider switching banks.

Keep an eye out for phishing scams related to the breach. If you get an email or text message that appears to be related to the breach, don’t click on any links, respond to requests for personal information or download email attachments. Visit the website of the company that experienced the breach to get the latest information on how the company is handling the breach and the steps you may need to take.

Also, keep an eye on your credit reports in case anyone tries to open a fraudulent account in your name using the stolen data.

Scambusters offers additional tips on what to do if you’re been a data breach victim.

That's it:  You've reached the end of our banking tutorial. In the final section, we'll summarize what you've just learned.