Online banking systems are under constant threat of attack, so security is something that everyone involved has to be aware of. This includes the bank, as the developer of the transactional banking system, as well as you, the user of that system. The responsibilities of each of these roles are set out below.
The Bank role
Across the globe, Standard Bank takes pride in the state-of-the-art security built into our systems. Some of the key security features built into Business Online include:
- 128-bit encryption technology that complies with international standards
- Server protection through sophisticated firewalls and intrusion prevention systems
- Access controlled through user IDs and passwords
- Numerous system controls, including:
  - Access limits, which restrict what different users may do according to your unique requirements
  - Transfer limits to control what funds can be released from your account
  - Customer, beneficiary and account limits
  - Segregation of duties among users, which allows you to determine who does what on the system and what data each user has access to
- Automated functionality to minimise manual input errors, including branch and account validation features
- Tracking facilities such as:
  - Audit trails to help monitor access and usage by staff, and
  - Customer Audit Log usage statistics, which can be viewed, printed or downloaded.
The User role
In most cases of fraud, user IDs and passwords are obtained by criminals through unscrupulous methods and then used to transact fraudulently on the victim's banking profile. There are a number of focus areas you need to be aware of to reduce your exposure. These include:
- Physical environment
- User profiles
- User habits, and
- Tracking tools.
Details of each are provided below.
1. Physical Environment
This refers to where people are working as well as the machines they are working on.
You need to make sure that computers that are used for transactional banking are in a secure place and cannot be accessed by unauthorised people. These computers should never be left unattended unless they are locked or shut down.
All machines must be equipped with up-to-date anti-virus and anti-spyware software.
2. User Profiles
This is one of the most critical aspects of system security and is possibly your strongest line of defence. It is about ensuring that the right people have access to the right information and functionality on the system. It is about defining what they should be able to see and do on the system so, if they don’t need to know what the account balances are, don’t give them access to balances and statements.
Your Transactional Banker will be able to advise you when you are creating your banking profiles, to ensure that you create the right profiles for your users. Key things to consider in this process are:
- Limiting access to only the functionality they require
- Segregating duties so that multiple people are involved in finalising activities on the system, such as releasing payments or adding and updating beneficiaries, and
- Limiting the value of transactions they can process and the amounts they can pay the beneficiaries they manage.
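The three profile controls above (least functionality, segregation of duties, value limits) can be expressed as a small authorisation model. The following is an added example, not Standard Bank's or Business Online's code: the permission names, the per-user and per-beneficiary limits, and the rule that whoever captures a payment may not release it are assumptions chosen to mirror the controls described above, and the users and amounts are constructed for the illustration.

```python
"""Segregation of duties and limits for a payment release workflow.

Added example, not Standard Bank's or Business Online's code. The profile
fields, the permission names and the rule that whoever captures a payment
may not release it are assumptions chosen to mirror the controls described
above; the users and amounts are constructed for the illustration.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class UserProfile:
    user_id: str
    # Functions this user may perform, e.g. "capture", "release", "view_balances"
    permissions: frozenset
    # Highest single payment value this user may capture or release
    transaction_limit: Decimal


@dataclass
class Payment:
    payment_id: str
    beneficiary: str
    amount: Decimal
    captured_by: str
    released_by: Optional[str] = None


class AuthorisationError(Exception):
    """Raised when a profile, limit or segregation rule blocks an action."""


class PaymentSystem:
    def __init__(self, users, beneficiary_limits):
        self.users = {u.user_id: u for u in users}
        # Maximum value payable to each approved beneficiary (assumed control)
        self.beneficiary_limits = beneficiary_limits
        self.payments = {}

    def _check(self, user_id, permission, amount):
        """Deny anything the profile does not explicitly allow."""
        user = self.users.get(user_id)
        if user is None:
            raise AuthorisationError(f"unknown user {user_id}")
        if permission not in user.permissions:
            raise AuthorisationError(f"{user_id} may not {permission}")
        if amount > user.transaction_limit:
            raise AuthorisationError(f"{user_id} exceeds personal transaction limit")

    def capture(self, user_id, payment_id, beneficiary, amount):
        self._check(user_id, "capture", amount)
        limit = self.beneficiary_limits.get(beneficiary)
        if limit is None:
            raise AuthorisationError(f"{beneficiary} is not an approved beneficiary")
        if amount > limit:
            raise AuthorisationError(f"payment to {beneficiary} exceeds beneficiary limit")
        payment = Payment(payment_id, beneficiary, amount, captured_by=user_id)
        self.payments[payment_id] = payment
        return payment

    def release(self, user_id, payment_id):
        payment = self.payments[payment_id]
        self._check(user_id, "release", payment.amount)
        # Segregation of duties: a second person must release what the first captured.
        if user_id == payment.captured_by:
            raise AuthorisationError("the capturer may not release their own payment")
        if payment.released_by is not None:
            raise AuthorisationError(f"{payment_id} has already been released")
        payment.released_by = user_id
        return payment


def _allowed(action, *args):
    """True if the action goes through, False if a control blocks it."""
    try:
        action(*args)
        return True
    except AuthorisationError:
        return False


def demo():
    """Run a set of scenarios and report which ones the controls allowed."""
    clerk = UserProfile("clerk", frozenset({"capture"}), Decimal("50000"))
    manager = UserProfile(
        "manager", frozenset({"capture", "release", "view_balances"}), Decimal("250000")
    )
    system = PaymentSystem([clerk, manager], {"ACME Supplies": Decimal("100000")})

    outcomes = {}
    system.capture("clerk", "P1", "ACME Supplies", Decimal("40000"))
    outcomes["clerk_releases_own_payment"] = _allowed(system.release, "clerk", "P1")
    outcomes["manager_releases_clerks_payment"] = _allowed(system.release, "manager", "P1")
    outcomes["payment_released_twice"] = _allowed(system.release, "manager", "P1")
    outcomes["clerk_over_personal_limit"] = _allowed(
        system.capture, "clerk", "P2", "ACME Supplies", Decimal("60000")
    )
    outcomes["unapproved_beneficiary"] = _allowed(
        system.capture, "manager", "P3", "Unknown Ltd", Decimal("10")
    )
    system.capture("manager", "P4", "ACME Supplies", Decimal("90000"))
    outcomes["manager_releases_own_payment"] = _allowed(system.release, "manager", "P4")
    return outcomes


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario}: {'allowed' if allowed else 'blocked'}")
```

The point of the model is that every check is a denial by default: a user with no "release" permission cannot release anything, a user above their limit is stopped before the beneficiary limit is even consulted, and the capturer of a payment is blocked from releasing it even when their profile would otherwise allow release. That last rule is what turns a single stolen password into an incomplete fraud rather than a completed one.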
3. User Habits
There are a few really important, secure habits that online transactional banking users need to form and these include:
- Protecting your user ID and password. These should be kept secret and NEVER shared with anyone – not even the bank – and they definitely should not be written down anywhere.
- Selecting strong passwords such as one that includes a combination of numbers and letters (in upper and lower case) and a few characters such as * or # or other options available on your keyboard. Strong passwords do not include names or dates that could easily be associated with the user.
- Keeping your computer shut down or locked whenever you are away from it so that no one else can access it.
- Changing your password frequently so that if a password has been compromised, it cannot be used for too long (especially if the operator doesn’t realise the breach has occurred).
4. Tracking tools
As mentioned above, the system provides very effective tracking tools that provide information on who has been doing what on the system. Reference should be made to these on a regular basis to identify unusual system activity or user behaviour. They include:
- Audit trails to monitor access and usage by staff, and
- Log usage statistics which can be viewed, printed or downloaded.
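Reviewing the audit trail "on a regular basis" is only useful if the reviewer knows what to look for. The following is an added example, not the bank's tooling: it runs a handful of review rules over constructed audit trail lines (a login outside business hours, repeated failed logins followed by a success, a user paying a beneficiary they themselves just added, and one user both capturing and releasing the same payment). The line format, the business-hours window, the failed-login threshold and the rules are all assumptions for the illustration.

```python
"""Regular review of audit trail lines for unusual activity.

Added example, not the bank's tooling. The line format, the business-hours
window, the failed-login threshold and the rules themselves are assumptions;
the log lines below are constructed for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = (7, 19)          # assumed: logins expected from 07:00 to 19:00
FAILED_LOGIN_THRESHOLD = 3        # assumed: this many failures before a success is suspicious
FAILED_LOGIN_WINDOW = timedelta(minutes=10)

# Constructed sample in an assumed format: "date time user event [details...]"
SAMPLE_AUDIT_LOG = """\
2024-03-04 08:02:11 clerk LOGIN_OK 196.0.0.10
2024-03-04 08:05:40 clerk CAPTURE P100 ACME_Supplies 40000
2024-03-04 09:10:02 manager LOGIN_OK 196.0.0.11
2024-03-04 09:12:30 manager RELEASE P100
2024-03-04 23:41:05 clerk LOGIN_FAIL 41.0.0.7
2024-03-04 23:41:20 clerk LOGIN_FAIL 41.0.0.7
2024-03-04 23:41:33 clerk LOGIN_FAIL 41.0.0.7
2024-03-04 23:42:01 clerk LOGIN_OK 41.0.0.7
2024-03-04 23:45:10 clerk ADD_BENEFICIARY NewCo_Ltd
2024-03-04 23:47:55 clerk CAPTURE P101 NewCo_Ltd 95000
2024-03-04 23:49:02 clerk RELEASE P101
"""


def parse(log_text):
    """Turn each well-formed line into a dict with a parsed timestamp."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        when = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        events.append({"when": when, "user": parts[2], "event": parts[3], "args": parts[4:]})
    return events


def review(log_text):
    """Return (rule, detail) findings for the patterns a reviewer should question."""
    findings = []
    failures = defaultdict(list)            # user -> timestamps of recent LOGIN_FAIL
    captured_by = {}                        # payment id -> user who captured it
    added_beneficiaries = defaultdict(set)  # user -> beneficiaries that user added

    for e in parse(log_text):
        user, kind, args, when = e["user"], e["event"], e["args"], e["when"]

        if kind == "LOGIN_FAIL":
            failures[user].append(when)

        elif kind == "LOGIN_OK":
            if not BUSINESS_HOURS[0] <= when.hour < BUSINESS_HOURS[1]:
                findings.append(("after_hours_login", f"{user} logged in at {when:%H:%M}"))
            recent = [t for t in failures[user] if when - t <= FAILED_LOGIN_WINDOW]
            if len(recent) >= FAILED_LOGIN_THRESHOLD:
                findings.append(("failures_then_success",
                                 f"{user}: {len(recent)} failed logins then success"))
            failures[user].clear()

        elif kind == "ADD_BENEFICIARY":
            added_beneficiaries[user].add(args[0])

        elif kind == "CAPTURE":
            payment_id, beneficiary = args[0], args[1]
            captured_by[payment_id] = user
            if beneficiary in added_beneficiaries[user]:
                findings.append(("new_beneficiary_paid_by_creator",
                                 f"{user} added {beneficiary} and then paid it ({payment_id})"))

        elif kind == "RELEASE":
            payment_id = args[0]
            if captured_by.get(payment_id) == user:
                findings.append(("segregation_of_duties",
                                 f"{user} both captured and released {payment_id}"))
    return findings


if __name__ == "__main__":
    for rule, detail in review(SAMPLE_AUDIT_LOG):
        print(f"{rule}: {detail}")
```

On the constructed log the first four lines (a normal capture by one user and release by another during office hours) produce no findings, while the evening session produces all four: it is exactly the sequence a criminal with a stolen clerk password would leave behind, and it is visible only to someone who actually reads the trail.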
Finally, it is really important that you stay abreast of trends so that you are aware of the latest scams and know exactly what to look out for so that you don't get caught out. Some of the latest include:
- Phishing
- Keystroke loggers, and
- Deposit scams.
a. Phishing
This is when sensitive information about an account is requested through an illegitimate phone call or e-mail, with the aim of obtaining the user's login details.
The only way to curb phishing is for users to be vigilant, i.e.
- Never give away personal or financial information in response to a suspicious e-mail
- Never give out passwords to anyone, including bankers or superiors
- Authenticate the source of the e-mail (type the URL into the browser yourself rather than following a link, if necessary)
- Ensure each Business Online operator has their own login account (so that no login details are known by more than one person).
These are simple guidelines that all users of an online, interactive interface need to adhere to. Information security is everyone's responsibility, and more especially that of authorised personnel.
Proper internal and external network security measures should be in place, i.e. single sign-on, secure sockets layer, audit logs and e-mail alerts. Business Online already has these mechanisms in place, and they serve as the foundation for a secure interface. However, they do not replace the need for vigilance and proactivity from the business users responsible for information security.
b. Keystroke loggers
Keystroke logging is a technique used by criminals to record the sequence of keys pressed on a computer. The recorded keystrokes are then used to obtain usernames, passwords and other personal information.
Key logging can be mitigated or reduced by the company by:
- Installing intrusion prevention systems on their web servers to identify intruders in the system
- Keeping anti-virus and anti-spyware software up to date, to detect harmful programs
- Limiting users' administrative rights, especially the ability to install programs
- Ensuring each Business Online operator has their own login account
- Having users change their passwords frequently, and verifying the complexity of those passwords
Access to the company's servers and internal networks needs to be clearly monitored, and only authorised people should have administrative access to the networks. This ensures security and accountability.
Audit logs also ensure accountability, as users are able to see when they last logged in, the duration of the last session and the list of transactions which occurred.
c. Deposit scams
This occurs when fraudsters attempt to obtain an electronic 'refund' of a false deposit, i.e. a deposit that was claimed but never actually made.
Deposit scams can be avoided by doing the following:
- Contact the entity or institution on a number obtained from the telephone directory and confirm the request
- Be cautious of clients who want to "keep their distance"
- Retain complete records
- Confirm details of payments with your bank.
And by never doing the following:
- Being pressurised into acting because of urgency
- Relaxing controls and procedures
- Proceeding if you have any doubts
- Using the number provided by a caller or on a faxed letter.