Security of internet banking: bank ranking
Osservatorio Finanziario, an Italian private research centre focused on finance and banking, has produced an interesting ranking of online banks, from a security point of view. Indeed, security threats are manifold: in addition to phishing, of which we have already spoken, it’s emerging the so-called “vishing” (ie phising based on false VoIP calls, in which are asked bank account passwords and codes) . And we shouldn’t forgot “classical” malware risks such as viruses and keyloggers (programs that are able to capture which keys the user presses on the keyboard – and therefore, passwords – and send this information to hackers).
Many banks implemented enhanced securiy systems to protect customers. Among them:
- Smart cards, combined with personal password. It’s the system used in Italy by Citibank, which has completely renewed its service platform after the numerous attacks of the past years.
- One Time Password: a pocket-sized device (security token) creates disposable password, which can usually be used only for a few minutes. The same one-time password generation algorithm is implemented in bank server software, so that passwords can be matched. Sometimes instead that with a security token, the user may recive the one-time password calling a phone number, thus reducing the risk of a loss of the security token.
- Virtual keyboards: the user enters the security code using a graphic keyboard, in which the positions of numbers changes randomly, thus avoiding risk of password-sniffing by keyloggers and mouselogger (programs that detect the position of the mouse).
- SMS notice: the immediate notification of transactions via short message service (or mail). This is certainly not an instrument of prevention, but allows users to immediately realize if there are operations that he didn’t carry out.
- User profiling: creating a profile allows the bank to detect anomalous transaction and then contact the customer to verify that the transaction is legitimate.
Banks can be grouped by their approach to security, and Osservatorio Finanziario suggest some interesting macro-categories.
- “fighters”: banks that have suffered major attacks and thus were forced to invest in security (among them: Poste Italiane, UniCredit, Fineco)
- “dynamic”: those who first have chosen innovative technologies, and consider innovation as key point of their business strategy (among these, Banca Monte dei Paschi di Siena, Banca Sella, IWBank)
- “prudent”: banks which have gradually invested on security , with constant communication to customers (among them, WeBank-BPM and Banca Intesa)
- “aligned”, that during the last year have renewed their websites and put security services in line with minimum standards (eg VenetoBanca, Unipol Bank)
- “firm”: banks that perhaps have a good level of security, but they do not innovate for disparate reasons.
From Osservatorio Finanziario website, you can download the full ranking. Here we report the five safer banks, according to Osservatorio Finanziario ranking:
- Citibank Italy
- Casket (Banca Pop. Sondrio)
- BMPS Online (Monte dei Paschi di Siena)
- BNL and-family (Group BNP-Paribas)
- UniCredit Bank (UniCredit)
Italian translation of this post: La sicurezza delle banche online: la classifica
Banche e Risparmio [http://www.banknoise.com]