According to the non-profit Online Trust Alliance (OTA)—a part of the Internet Society that promotes “business practices and technologies to enhance online trust and the vitality of ecommerce and online services”—a large majority of websites for major financial institutions in the United States failed web security testing and privacy analysis audits. Specifically, after auditing more than 1,000 banking websites, the Online Trust Alliance’s annual Online Trust Audit handed out failing grades to 65 percent of the top 100 financial institutions in the U.S. According to OTA’s analysis, financial sites failed because of the “increased number of data breaches, observed site security vulnerabilities and inadequate privacy disclosures” that plagued the sites over the last year. As a result, no banking site appeared in the top 50 most secure sites.

Editor’s note:  The analysis from OTA comes just weeks after a study conducted by online privacy company eBlocker found ten of the top financial institutions operating in the U.S. have third-party trackers on their website that can record a surprising amount of information, including personal information typed into forms or even account balances.

The American Bankers Association (ABA) has questioned the results. According to the ABA, the analysis from OTA overestimates the number of banks that suffered data breaches in the past year, although we can’t help but add a delicious morsel to that mouthful: the ABA itself suffered from a hack that resulted in a data breach in 2015.

So what is an online banking customer to do? It may be worth a peek at the OTA report, as it lists some of the companies that do financial security correctly. These include: Ally, Bank of America, Capital One, City National, Umpqua, Discover, US Bank and Bank of the West. Unfortunately, some of the larger online banks, such as Synchrony, Bank of Internet, Simple, Everbank, Bank5, Radius, and First Internet were not on the OTA honor roll. That’s not promising. So here are some steps you can take to protect your account while the banks get their security act together:

  • Check your bank account every few days to make sure something untoward isn’t going on.  It’ll take 1 minute but it may save you hours of hassle and $.
  • Choose a worthy password. That means using a difficult password with a three-, four- or five-word phrase followed by a number and a symbol, such as an exclamation point. Also consider two-factor authentication (sometimes called two-step authentication), which requires you to take an extra step to authenticate who you are when you sign in or when you are doing a transaction. If you have a lot of money in your account, it may be worth your while.
  • Avoid mobile banking apps, as they’re less secure than browser-based apps. Just because you can download them from an Apple or Google app store doesn’t mean that they are secure. Downloading third-party apps not issued by an authorized bank is highly dangerous.
  • Require the bank to send you paper statements.  This seems counterintuitive in a cloud-based world, but paper statements make it a lot easier to keep track of your financial life, and if you’re ever in a situation when you need proof of something, you’ll have a hard copy to back you up.
  • Banking on a shared computer or tapping into outside Wi-Fi networks is also dangerous. With some exceptions, don’t use Wi-Fi networks in airports, cafes, trains or taxi cabs for any financial transactions unless you’re given a password to get onto the wireless network.
  • Watch out for smishing.  Smishing occurs when you get a dubious text message from a fraudster posing as a bank representative. The message may warn you of security breaches and ask you to call a toll-free number. Then you’re asked for your account number and PIN.  Next thing you know, your bank account has been emptied and you may be on the hook for the loss because you inadvertently gave your banking information away.
  • Malware infiltrates your computer without your consent or your knowledge, and the number of malware types has been exploding recently. Your computer can get infected in two different ways: you can click on an online link and download a poisoned program, or you can click on an infected e-mail. Once malware is installed on your computer, cyber criminals can track your every move on the Internet, including your online banking transactions.