50 Shades of Banking Security


December 8, 2015

When we used IDs to authenticate ourselves in banks, we were afraid of a situation when someone would steal our ID and take our money. Then bank or ATM cards raised similar fears; the same happened when we went online and started using login credentials. Now, with banking APIs or screen scraping, it’s absolutely OK and natural to ask questions about security, and we have to find an answer to a general doubt: are we safe with any kind of banking – offline and online?

Almost all interactions with financial institutions have one common point: authentication. Whether it’s a physical visit to a brick and mortar branch office, a transaction at an ATM, a telephone call or an online session, you have to prove your identity. You will have to show your ID or another document registered with your bank, insert a card and enter your PIN, or provide the authorization system – IVR or website – with your username/login and password. As long as these credentials remain safe and intact, the money in your account is secure.


This statement seems to be nothing but a cliché, yet these days, when bank robberies are a thing of the past – and even if they happen, they don’t affect YOUR savings – the only security breaches leading to your losses are those resulting from some kind of user-authentication exploit. As there are virtually no ways for criminals to get into a bank other than by using one of its clients’ credentials, it is you who must be aware, cautious and prepared for an attack, not your financial institution.

The latest European PSD2 directive further strengthens security measures in the banking/financial ecosystem in the EU. It specifically targets banking APIs in terms of safe and secure communication between financial institutions and third parties wanting to access the users’ data on their behalf and with their permission. These third parties will also be monitored and controlled by local regulators, just like banks are supervised.

Let’s see what threats lurk for you around the corner (offline) or under your finger (online).


The oldest trick is to simply steal your identity. The criminals can pretend to be you by counterfeiting your ID and your signature and visit a bank – not necessarily yours – to conduct an illegal operation like a cash withdrawal or a transfer to their account. They can use information found in your garbage or in your mailbox to set up a new bank account or apply for a credit card on your behalf, but with their own contact information, so you wouldn’t have a clue about their activities.

In the era of online banking, thieves don’t even have to look for you or dig in your garbage: they will make YOU contact them. For example, they can post a job offer online, and when you apply, they will ask you to provide them with your personal data and to make a money transfer of an insignificant amount to their bank account – allegedly for verification purposes, as their company needs this to confirm your account number for future salary transfers. In fact, they need your transfer for the final step of setting up an online bank account with you as the nominal owner but them as the real beneficiaries. This account will allow for money laundering, fraud on bidding sites, shopping with bank loans and credit cards, and more – all in your name.

Speaking of cards, a stolen card can be used by a thief for shopping online until you realize you have been robbed and cancel the card. Shopping offline is also possible, especially with contactless payment technologies like PayPass or payWave, which allow several offline transactions (no PIN, no account balance check) of up to €20-25 each.


Stealing isn’t even necessary to take advantage of your card and your money: it takes just one use of a card in an ATM or POS terminal to obtain all the information necessary to make a copy of that card. This kind of theft is called skimming and involves a special card reader installed in an ATM along with a small camera and a wireless transmitter. The criminals will see how you enter your PIN, so when they transfer the data from your card to a blank one, they will be able to make many transactions before you or the card issuer notice anything.


When you go online, you have to deal with lots of threats, but the biggest danger is you yourself. Cybercriminals know that the weakest link of every security system is always a human being, so they target you in order to take control of your computer and your bank accounts.

They can send you an email informing you about some security changes in your bank and telling you that you therefore have to log in to your account with your full credentials – but clicking on the provided link will send you to a fake website instead of the legitimate one. Your username and password will go straight to the attackers.

Or they can use email spoofing to make you think you have just received an email from a trusted institution – a bank, bidding site, postal or courier service – with a zipped attachment you need to open to see the “invoice”, “parcel details” and so on. Of course, when you do exactly what the attackers wanted you to, you’ll end up with your computer infected with malware.


There are many ways you can be tricked into installing malware on your device, but the result will always be the same: compromised security. You could never be sure whether you are visiting real, legitimate websites or just their counterfeit copycats, since the malware can redirect you to URLs controlled by criminals without you noticing. Everything you enter on these pages will be intercepted by the attackers. The malicious code inside your device can be anything: from a keylogger recording your keystrokes, to a script that recognizes a bank account number copied to the clipboard when you want to make a transfer and replaces it with a bank account number belonging to the criminals, to a fully-featured trojan that can redirect your URL requests in the browser, capture your credentials and turn your PC into a zombie machine.

Sure, there have been many incidents in which hackers stole sensitive information from different web services – and the Sony breach last year wasn’t even the biggest one, as you can learn from this report or this list of the worst breaches of the 21st century: the Home Depot breach affected 56 million customers! This is why, on the so-called Darknet, criminals sell credit card numbers and personal data by the thousands. Fortunately, there have been no serious bank security breaches resulting in a massive loss of clients’ money. Not yet.

API = Another Possible Intrusion?

Now you may wonder why you should set up another point of failure by giving a banking API your bank account credentials. The answer is simple: you don’t have to worry, since your sensitive login data are stored in a way that makes it next to impossible to retrieve or reveal them. The breaches listed above were severe because the affected companies neglected basic security precautions such as user data encryption. Meanwhile, banking API service providers typically do not store your credentials, and when they do, they encrypt them heavily. And the PSD2 directive mentioned at the beginning will secure the communication and other aspects of the banking API ecosystem to the fullest extent.


If you know the LastPass online password manager service, you have probably heard of the security breach it suffered half a year ago. Even though hackers reached LastPass’s database, the passwords stored in it were practically useless because of strong encryption. The same applies to your credentials at banking API service providers.
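To show why a stolen credential database can be “practically useless”, here is an added example (not code from the original post or from any provider it mentions) contrasting the neglected approach with a proper one: the weak store keeps a bare, unsalted SHA-256 digest, while the hardened store keeps a per-user random salt and a slow PBKDF2-HMAC-SHA256 digest, so the record never contains the password and identical passwords do not produce identical records. The algorithm, iteration count and record layout are assumptions chosen for this illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: a 16-byte random salt per user and
# 200,000 PBKDF2 iterations (slow on purpose, to make offline guessing costly).
ITERATIONS = 200_000
SALT_BYTES = 16


def weak_record(password: str) -> str:
    """The neglected approach: one fast, unsalted hash. Two users with the same
    password get the same record, and precomputed tables crack it quickly."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """What the server stores instead of the password:
    algorithm$iterations$salt_hex$digest_hex"""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and compare
    in constant time, so a wrong guess cannot be distinguished by timing."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def leaks_password(record: str, password: str) -> bool:
    """What an attacker holding the breached record can read directly."""
    return password in record


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    alice, bob = make_record("correct horse"), make_record("correct horse")
    print(alice)
    print("same weak record :", weak_record("correct horse") == weak_record("correct horse"))
    print("same strong record:", alice == bob)   # False: different salts
    print("login ok:", verify("correct horse", alice), "| wrong:", verify("wrong", alice))
```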

By the way, what sort of password encryption do YOU use?