Originally created 04/02/97

Why you shouldn't worry that much about security while banking online



Online banking isn't as safe as money in the bank - but then again, money in the bank itself isn't necessarily that safe. But while bank vice presidents might lose sleep over the issue of electronic security, individual consumers need not.

The first thing to know is that bank computers - the mainframes behind the scenes that you, the customer, never have direct contact with - have been networked together for years. Any time one of these computers is open to remote access over a network, which has been the case since long before the first bank-in-your-PJs ads appeared, you create a security risk. Keeping your checking-account records on your hard drive does not significantly increase this risk for bank networks.

While exact numbers for computer-related thievery are hard to come by (fraud is often undetected or not reported to authorities), there are probably $2 billion to $3 billion a year in "banking losses due to what are called 'misrouted transactions,'" says Ira Winkler, technology director for the National Computer Security Association in Carlisle, Pa. That's a lot, but still much less than the $52.4 billion in profits commercial banks made last year.

Says Winkler: "Crooks don't steal enough to make it a big deal ... nothing to make interest rates go up."

One of the few publicized instances of electronic bank fraud came in 1994, when a group of Russian programmers cracked Citibank's systems and "misrouted" $400,000 before being detected.

There's a real risk that somebody somewhere could be trying to do the same thing to your bank as you read this - a risk that applies without regard to whether you check your balance over the Web, over the phone or at a teller window.

But even though your bank's network may not be bulletproof, its PC-banking system is probably good enough; FDIC examiner Cynthia Bonnette could not name any instances of fraud committed through a retail online-banking system. There are a few reasons for this apparently clean record.

Most banks start by keeping their online access separate from the Internet. Both NationsBank and Chevy Chase Bank, for instance, run private networks for their customers - your home-banking program on your PC dials straight into the bank's computer with your modem.

Data sent over these dialup connections is also encrypted to foil snoopers, although neither NationsBank nor Chevy Chase will give any details on the strength of their encryption.

Internet access to your bank account need be no less secure, provided your bank uses effective data encryption.

For instance, Citibank's in-development Web-based system will use "128-bit" encryption, the strongest kind available (this figure refers to the complexity of the mathematical keys used to scramble data, with a higher number better). To use that encryption, you'll need a "U.S.-only" version of Netscape Navigator or Microsoft Internet Explorer, which most people don't have - Federal law forbids the export of 128-bit technology, hence the restriction.

NationsBank, however, plans to use only 40-bit encryption when it opens up Web access. "When we looked at the number of customers who did not have a 128-bit key, we decided we did not want to place that barrier," said Samita Quinn, NationsBank's senior vice president for PC banking. Given that 40-bit keys have been cracked in under four hours - and that Netscape and Microsoft now offer 128-bit versions of their browsers to U.S. citizens - NationsBank might want to reconsider.

Another level of security comes from the limited features of most PC-banking systems, which often just let you check account balances and transfer money between your accounts. Said Bonnette: "The only way to get money out of the system is through a bill-pay (set up electronically)." That generates paper records, making successful fraud more difficult - although Bonnette warned that money sent overseas can be harder to recover.

Federal law helps keep the banks diligent by holding them liable for fraud committed by other parties pretending to be you. Provided you report the fraud in a reasonable amount of time, you're legally liable for only $50 in losses - and most banks will eat that cost anyway.

So if somebody manages to spirit $2,000 out of your bank account and into a numbered account in the Cayman Islands, your bank is out of the two grand, not you.

But the single biggest security factor may be that, well, you probably don't have enough money. Within banks, individual checking and savings accounts are not where the money is. Serious, skilled criminals have historically focused on large-scale commercial transactions, where a missing $10,000 is less likely to be noticed than $500 absent from somebody's savings account. As Winkler says, "If you're going to commit a felony, don't commit a felony for $5,000 - commit a felony for half a billion dollars."

That doesn't relieve individual consumers of the responsibility of keeping track of their accounts and being aware of the confidential personal data, such as Social Security numbers, shuffled to and from their banks every day.

"You want to make sure your information is protected as it's going over the channel; it doesn't matter whether it's the phone or the computer," said Bonnette. "It doesn't have to be money, because information can be just as valuable."