
Internet or online banking is now a popular banking service, thanks to developments in the Internet and in mobile technologies. Accessibility, availability, and mobility are just three of the reasons why more and more users choose to bank online. Apart from established financial institutions like the Bank of America, HSBC, and Citigroup, so-called direct or Internet-only banks like ING Direct and Charles Schwab also offer online banking services.

Online banking continues to grow in the United States, as nearly 60 percent of the country's Internet population conduct banking transactions online. Internet banking is also growing in Asia/Pacific, particularly in Southeast Asia. The number of visits to online banks across Malaysia, Hong Kong, Vietnam, Singapore, Indonesia, and the Philippines increased by 24 percent from January 2010 to January 2011. The popularity of smartphones and mobile apps is also making mobile banking a popular means to digitally conduct banking transactions. In the second quarter of 2010, 13.2 percent of the total number of U.S. households accessed their bank accounts via their mobile devices. Despite continuous growth, however, mobile and Internet banking users are still quite concerned about security. A comScore 2010 report says one-third of the total number of online bankers in the United States do not pay their bills online due to various security concerns. This fear is, however, not unfounded, as reports of related spam and phishing attacks against Citi, Standard Chartered, the National Bank of Kuwait, and the Public Bank of Malaysia continue to plague users worldwide.

Each step of the Internet banking process exposes users like you to risks of theft of personal information, money, or even your identity. Read on to learn about some of the challenges Internet bankers face and what precautions you should take so you won't become the next victim.

Signing up for an online banking account usually includes options to subscribe to monthly updates, to newsletters, and to other autogenerated promotional email messages. Scammers often use these in phishing attacks to trick you into clicking malicious links or into downloading malicious file attachments. Phishing email messages are usually fake notifications with malicious links that can lead you to malicious sites or that can lead to system infection. Apart from email messages, cybercriminals also take advantage of other technologies like voice over IP (VoIP) to steal your personal credentials even via phone. If they get hold of your phone number via any means (your online banking, social networking, or other online accounts), they can call you on a budget via VoIP devices and entice you to give out otherwise private information.

Most online bankers access their bank accounts after receiving notification email messages. Cybercriminals deftly spoof login pages to look very similar to the real ones. This is the easiest way by which they can steal your user names and passwords so they can access your accounts. The safest way to access your online bank accounts is to use bookmarks or to type the sites' addresses into your browser's address bar. Keep in mind that the links cybercriminals often provide in their phishing email messages are malicious. These lead to spoofed pages that can spell a lot of trouble for you. To address these and other similar issues, online banks have taken to using an additional layer of protection for their customers: two-factor authentication. Two-factor authentication requires users to provide their respective user names and passwords, apart from other more personal information that the banks send them via a physical device (e.g., a token ID or their mobile phones) or a biometric print in order to prove their identities. In retaliation, cybercriminals started using the so-called form field or Web injection technique to steal information. To do this, they add fields to legitimate login pages, behind which are found JavaScripts that steal the data you type in. To ensure compliance, these scripts even display prompts urging you to fill in the missing information. Even worse, these can hinder you from accessing your account if you leave the additional fields blank. This technique allows the bad guys to steal the secondary passwords that you use to complete financial transactions.
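An added example, not part of the original guide: one way a bank's fraud team could detect the form field injection described above is to compare the fields on the login page, as rendered in the customer's browser, against a known baseline. The field names and the sample pages are hypothetical and constructed for illustration.

```python
from html.parser import HTMLParser

# Field names the bank's genuine login form is known to contain.
# Hypothetical baseline, assumed for this example.
EXPECTED_FIELDS = {"username", "password", "csrf_token"}


class FieldCollector(HTMLParser):
    """Collects the name (or id) of every form control on a page."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            attr = dict(attrs)
            name = attr.get("name") or attr.get("id")
            if name:
                self.fields.append(name.lower())


def unexpected_fields(html, expected=EXPECTED_FIELDS):
    """Return controls present on the page but absent from the baseline."""
    collector = FieldCollector()
    collector.feed(html)
    return sorted(set(collector.fields) - set(expected))


# Constructed sample pages: the genuine form, and the same form as an
# infected browser might render it, with two extra fields added.
GENUINE = """<form action="/login" method="post">
<input type="hidden" name="csrf_token" value="x">
<input type="text" name="username">
<input type="password" name="password">
</form>"""

INJECTED = GENUINE.replace(
    "</form>",
    '<input type="password" name="atm_pin">'
    '<input type="text" id="token_code"></form>',
)

if __name__ == "__main__":
    print("genuine page: ", unexpected_fields(GENUINE))
    print("injected page:", unexpected_fields(INJECTED))
```

Because the extra fields are added on the infected machine, the comparison only means something when it is run against the page as the browser displays it, not against what the bank's server sent.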

Cybercriminals steal information in various ways. They can insert Web injects anywhere (into the login, bill payment, or fund transfer page) so they can ask for your ATM PIN. This is possible if your system is infected with malware like ZBOT Trojans. Some ZBOT variants can monitor your browser's address bar whenever you access an online banking site. Cybercriminals even recreate several legitimate pages to which they can add specially crafted Web injects. Some malware even changes your browser's proxy configuration. This lets the bad guys get the information you input before it even gets to your intended recipient's hands so they can hijack your banking session. All of these malicious routines are silent and so effectively fade into the background. Some of the pages cybercriminals use may not even be infected. Sometimes, all that malware has to do is hijack your session ID, a temporary unique ID that a certain site gives for the duration of your current visit, to steal your credentials. It expires after you log out of that site. Unfortunately, some Trojans can keep hijacked sessions open even after you've gone, which allows cybercriminals to steal from you.

The mobile phones of today have become smarter. Smartphones have various features that allow users to do everything they need to, including mobile banking. Increased consumer confidence contributed to the rise in the number of mobile banking transactions in 2010. Keep in mind though that mobile banking differs from making mobile payments or using mobile money. Mobile banking refers to using your smartphone to conduct transactions like checking your account balance or transferring funds. Making mobile payments, meanwhile, refers to using your phone credits as electronic currency or as means to pay for purchases. Your smartphone can serve as a key to your online banking accounts. This fact didn't escape cybercriminals' attention, prompting them to create malware targeting smartphones. To keep up with technological advancements, online banks are starting to develop apps for their clients' use as well. These apps can be Trojanized or be turned into malware downloaders. Cybercriminals can infect your smartphone to steal the information stored in it. They have also taken to hijacking the text messages that banks send to your smartphone as part of their two-factor authentication systems. Doing this allows them to bypass even the banks' additional security measures. Mobile user interface (UI) spoofing is another means by which certain malware steals information from victims via their smartphones. Cybercriminals can also send you text messages that require you to respond with your account number, user name, PIN, and other personal information in exchange for enticing promises.

Online banking may bring about a lot of advantages like mobility, convenience, and accessibility. Remember though that these advantages may also prove disadvantageous in terms of security. To ensure safety while banking online, keep these tips in mind.

Be cautious about choosing your bank. Make sure that the bank you want to open an account with is legitimate and that it provides insurance. Unlike actual bank robberies, online fraud takes money from customers like you instead of from the bank. So, it's only logical for Internet banks to insure online accounts.

If you can live without monthly newsletters and updates from your online bank, don't sign up for subscriptions.

If you choose to receive email notifications, however, view these over secure Internet connections and on private systems with firewalls enabled. Avoid clicking links in email notifications. Banks do not ask for personal information, especially passwords, via email messages. No matter how legitimate an email message looks, it's still best to confirm with your bank if they really need your personal information. To do so, call your bank. Their contact details are usually found on their official site. Don't call the number specified in the email message because this is most probably just as fake as the message itself.

Don't be too trusting of personal calls supposedly from representatives of your bank. Always ask for an incident report or for a trace number. If they can't give you any, hang up, then call the bank's real number to report what just happened.

Make sure that you keep your access credentials and other sensitive information secret. Avoid sharing these. In fact, don't share these even with close relatives or friends.

Carefully scrutinize your bank's login page before entering any information. Make sure that its URL is correct. If your bank's URL, for instance, has a "w", ensure that the URL on your address bar has a "w" and not two "v"s. Note, too, that secure URLs usually begin with https:// and that legitimate online banking pages usually have a small padlock icon on the bottom right corner of your browser.
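An added example, not part of the original guide: the URL check above, written as a function that compares a link's host against the bank address you have bookmarked. It goes beyond the "w" versus two "v"s case in the text by also covering a few other common look-alike swaps; the host names are constructed placeholders.

```python
from urllib.parse import urlsplit

# Character sequences that are easy to mistake for one another. "vv" for "w"
# is the case from the text; the other pairs are additions for this example.
LOOKALIKES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l")]


def _skeleton(host):
    """Collapse look-alike sequences so visually similar hosts compare equal."""
    for fake, real in LOOKALIKES:
        host = host.replace(fake, real)
    return host


def check_bank_url(url, trusted_host):
    """Classify a URL against the host name of the bank's real site.

    Returns "ok", "not-https", "lookalike" or "different-site".
    """
    parts = urlsplit(url)
    # .hostname drops any "user@" prefix and port, so a link such as
    # https://bank@elsewhere/ is judged by where it really goes.
    host = (parts.hostname or "").lower()
    trusted = trusted_host.lower()
    if host == trusted:
        return "ok" if parts.scheme == "https" else "not-https"
    if _skeleton(host) == _skeleton(trusted):
        return "lookalike"
    return "different-site"


if __name__ == "__main__":
    bank = "www.examplebank.test"  # constructed placeholder host
    for link in (
        "https://www.examplebank.test/login",
        "http://www.examplebank.test/login",
        "https://vvww.examplebank.test/login",
        "https://www.exarnplebank.test/login",
        "https://www.examplebank.test@login.example/",
    ):
        print(f"{check_bank_url(link, bank):15} {link}")
```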

When filling out your online bank's login page, be mindful of any suspicious question. Stay away from login pages that ask you to give out more information than is usually required.

Make it a habit to regularly change your passwords. Don't use a single password for different accounts. Keep your passwords to yourself and use a mix of uppercase and lowercase letters as well as numbers and symbols.

When conducting transactions, pay attention to your system's performance. If it suddenly responds slower than usual, scan it with reliable security software. Always enable its firewall and activate your OS and applications' auto-update feature.

Activate your smartphone's personal identification number (PIN) or password lock feature. Avoid turning your smartphone's or your system's automatic login feature on. Immediately report the loss of a device to your bank. Like your system, we can help protect your smartphone, too, with Trend Micro Mobile Security. Note, however, that you should always be wary of installing apps on your phone because cybercriminals are now fond of creating Trojanized apps that download malware onto any kind of mobile device.

TREND MICRO Trend Micro, Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our website at www.trendmicro.com. TREND MICRO INC. 10101 N. De Anza Blvd. Cupertino, CA 95014 US toll free: 1 +800.228.5651 Phone: 1 +408.257.1500 Fax: 1 +408.257.2003 www.trendmicro.com

© 2011 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
