Security Policy for On-line Banking

If my last post made you want to tear out your Internet connection and go back to burying your money in coffee cans in the backyard, despair not.  Here is a really great idea that will allow you to secure your online banking in ways that will be hard to defeat.  This comes to us courtesy of Krebs on Security.

Cyber-criminals gain a foothold on your business network by infecting your computer with some sort of malware, usually starting with a Trojan horse program that gives them remote access, and then following up by installing a key logger or other spyware.  The malware is delivered via an email attachment or, more likely, a link to a website where the malware is downloaded automatically through your web browser.  Once they have your banking user name, password, and other credentials, it is a simple thing to log on and clean out your account.

The first key to total banking security is to access your bank account via a dedicated system that is never used for anything else, especially web surfing or email reading.  This system has a web browser, and web filtering via a service such as OpenDNS that only allows the browser to reach the bank website.

It is even better if this system runs a non-Windows operating system, something like Ubuntu Linux, since malware is rarely written for the Linux platform.  It is possible to have a “system on a disk” that lets you boot into Linux from the CD drive, fire up your web browser, perform your online banking, and then reboot into your normal (and possibly infected) Windows operating environment.  Another way to do this is to set up a Linux virtual machine on your computer.  A third option is to use an inexpensive Google Chromebook, which runs the Chrome operating system.

Another best practice is to navigate to your banking website via a saved bookmark, rather than risking mistyping the address and landing on a clever look-alike site by mistake.

NEVER EVER go to your bank via a link provided in any email, no matter how realistic looking it is.  The email may be a clever fake, and the destination website will be a look-alike site designed to collect your logon credentials and other personally identifying information.
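The bookmark advice and the warning about look-alike sites both come down to one rule: the only host the banking machine should ever talk to is the bank's real host, compared exactly. The following is an added example, not code from the post or from Krebs on Security, showing how an allow-list check for a dedicated banking browser (or the web filter in front of it) should be written. `bank.example` is a placeholder for the real bank domain, and the sample URLs are constructed to show the substring and user-info tricks that a sloppy "does the address contain the bank's name" check would let through.

```python
# Added example (not from the original post): allow-list check for the URL a
# dedicated banking browser is permitted to open. The allowed hosts below are
# placeholders standing in for the real bank's domain.
from urllib.parse import urlsplit

# Constructed allow-list: the only hosts the dedicated banking machine may reach.
ALLOWED_HOSTS = {"bank.example", "www.bank.example"}


def is_allowed_bank_url(url: str) -> bool:
    """Return True only if url uses HTTPS and its host is exactly an allow-listed host.

    Exact-match comparison is the whole point: look-alike addresses such as
    bank.example.evil.test, bank-example.test, or bank.example@evil.test
    all contain the bank's name but resolve to somebody else's server.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        # Malformed URL (for example, an unbalanced IPv6 bracket): never allow it.
        return False

    # Plain http:// would let an on-path attacker redirect the session.
    if parts.scheme != "https":
        return False

    # .hostname drops any "user:pass@" prefix and the ":port" suffix and
    # lower-cases the result, so "bank.example@evil.test" yields "evil.test".
    host = parts.hostname
    if host is None:
        return False

    # The real bank host is plain ASCII; a non-ASCII host or a punycode
    # (xn--) label is a homograph look-alike, not the bank.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False

    return host in ALLOWED_HOSTS


def classify_urls(urls):
    """Map each candidate URL to True (open it) or False (block it)."""
    return {url: is_allowed_bank_url(url) for url in urls}


if __name__ == "__main__":
    # Constructed samples: one genuine bookmark and several phishing-style look-alikes.
    samples = [
        "https://www.bank.example/login",          # genuine, allowed
        "https://bank.example:443/accounts",       # genuine, explicit port, allowed
        "http://www.bank.example/login",           # not HTTPS, blocked
        "https://bank.example.evil.test/login",    # bank name as a subdomain, blocked
        "https://bank-example.test/login",         # hyphen look-alike, blocked
        "https://bank.example@evil.test/login",    # user-info trick, blocked
        "https://xn--bnk-yra.example/login",       # punycode homograph, blocked
    ]
    for url, verdict in classify_urls(samples).items():
        print(f"{'ALLOW' if verdict else 'BLOCK':5}  {url}")
```

The same exact-host rule is what a web filter in front of the dedicated banking machine should enforce: an allow-list of the bank's hosts and nothing else, rather than a block-list of known bad sites.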

If your bank offers it, consider using ACH Positive Pay, which allows you to pre-authorize regular payments and notifies you by email of any rejected transactions.

If your bank offers two-factor or three-factor authentication, you should use it.

There are a few other good suggestions on the original article at Krebs on Security that are worth the read.

A quick meeting with a computer and network security specialist should make this a short and simple project to implement, with lasting benefits to your company and its financial security and well-being.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
