June 9, 2011 -- Citibank acknowledged that a data security breach has exposed information on about 210,000 of its bankcard customers. While these data breaches seem to be growing more commonplace, experts offer tips to make online banking more secure.
Citi's incident, one of the first known hacking cases at a bank, compromised data including credit card account numbers, names and contact information like email addresses. There have been several other public hacking announcements this year from Sony, Lockheed Martin and Michael's Stores, leaving consumers feeling overwhelmed by security concerns.
Adam Levin, co-founder of Credit.com and former director of the New Jersey Division of Consumer Affairs, said it is best for consumers to carry the mindset that there will be more data breaches in the future.
"The level of sophistication of hacking has grown exponentially," Levin said. "And the bad guys are ahead of the good guys."
Citi told the Financial Times that the incident occurred in early May at Citi Account Online. With over 21 million customers in North America, according to its annual report, the breach may have exposed about one percent of its accountholders. While the bank said information like social security numbers, card security codes and birth dates were not exposed, customers may wonder if secure online banking really exists.
Avivah Litan, security analyst with technology research and advisory firm Gartner, said that for both online banking and online credit card management, consumers have "very good protection" under a rule set forth by the Federal Reserve called Regulation E that limits consumer liability for unauthorized card usage. Though consumers may experience an inconvenience, they will almost always recover financially, she said.
Large businesses usually can afford security protection for their banking.
But Litan said online banking for small businesses is "very risky" because Regulation E does not apply to businesses.
"Businesses are only protected through the fine print with their bank," she said.
To limit the exposure of you or your business in online banking, here are some tips from some security experts:
1. Never accept incoming communications purporting to be from financial institutions you do business with, whether by email or phone call.
"Call them back using only the phone numbers published on your cards or statements," Richard Wang, manager of SophosLabs US, said.
2. Update your security software on your computer.
"Make sure it's malware protection and have the most sophisticated firewalls and anti-intrusion software," Levin said. "Those start screaming at you anytime you're even near something that has a worm on it."
3. Check the security of your mobile device and your mobile banking apps.
Mobile banking and payments are becoming more common, which means hackers may pay more attention in that marketplace also.
Andrew Hoog, chief investigative officer of viaForensics, a digital forensics and security company, found three unencrypted (i.e., less secure) passwords in apps for Foursquare, LinkedIn and Netflix on the Android in a recent round of app security testing. Citibank received a "pass" rating for its app.
4. When logging in to perform online transactions, always enter the website address directly in your browser.
Never click links that claim to take you to banking sites.
"Citi's breach is significant. It's easy enough for a criminal with your credit card number, name and address to make fraudulent charges," Wang said. "Adding in your email address allows them to attack you directly with very convincing phishing emails to try to get even more information from you."
5. Use strong passwords and don't reuse your bank password elsewhere.
"Remember that if you use the same password on multiple sites, then it's only as secure as the weakest site," Wang said.
Use two factor authentication if your bank offers it, such as confirmation numbers by text message to your phone, Wang said.
Levin said you should even have unusual answers to additional security questions.
"If they ask for your mother's maiden name, say 'superwoman,' or something outrageous that you would only know," Levin said.
Litan said another extreme but secure way to bank safely online is to use a locked-down browser, a CD-drive that is "read-only" or have a dedicated computer solely for online banking.
6. Be active in monitoring your financial accounts.
Levin said he does not believe eliminating your online accounts is the answer because they can be the best tools to monitor your financial activity in real time. He suggests you monitor your online accounts at least once a day.
"Some people say that's an outrageous use of your time, but think about how long you spend in email or your Facebook account, and think about how much time you want to protect the financial integrity of your life," Levin said.
While legislators are pushing for legislation to penalize institutions that expose customer information through data breaches, Andrew Hoog said it may take years for laws to pass. And it is unclear how rigorously they may be enforced.
"If regulation was designed properly, that would be wonderful," Hoog said. "But it would be far better if the consumer demanded it. Businesses may listen if consumers said, 'We're going to leave your bank and find someone else because there are other banks that are more secure.'"