Customer awareness and education on Internet banking security was a point of emphasis in the guidance published by the FFIEC on June 28, 2011, titled Supplement to Authentication in an Internet Banking Environment. Increasing customer awareness of effective techniques for mitigating the risk of fraud should be a major part of your customer education program.
When developing educational material for your online banking customers, it's important to keep in mind both the varying amount of technical knowledge and the amount of time an average customer will dedicate to reviewing the information. The majority of your customers are unlikely to spend hours of their time reading through educational materials containing technically detailed descriptions of common attacks and techniques to avoid them. Providing simple and easy-to-understand security tips can be an effective alternative to detailed security information filled with information security jargon.
The following sections outline common security tips that could be included in your bank's online banking customer education material. The tips provided below are not exhaustive, but they should provide a good starting point.
General PC Security
- Update your software frequently to ensure you have the latest security patches. This includes your computer's operating system and other installed software (e.g. Web Browsers, Adobe Flash Player, Adobe Reader, Java, Microsoft Office, etc.).
- Automate software updates when the software supports it, so that updates are not overlooked.
- Maintain active and up-to-date antivirus protection provided by a reputable vendor. Schedule regular scans of your computer in addition to real-time scanning.
- If you suspect your computer is infected with malware, discontinue using it for banking, shopping, or other activities involving sensitive information. Use security software and/or professional help to find and remove the malware.
- Use firewalls on your local network to add another layer of protection for all the devices that connect through the firewall (e.g. PCs, smartphones, and tablets).
- Require a password to gain access. Log off or lock your computer when not in use.
- Use a cable lock to physically secure laptops when these devices are stored in an untrusted location.
General Online Security
- Never click on suspicious links in emails, tweets, posts, or online advertising. Links can take you to a different website than their labels indicate. Typing an address in your browser instead of clicking a link in an email is a safer alternative.
- Only give sensitive information to websites using encryption so your information is protected as it travels across the Internet. Verify the web address begins with "https://" (the "s" is for secure) rather than just "http://". Some browsers also display a closed padlock.
- Do not trust sites with certificate warnings or errors. These messages could be caused by your connection being intercepted or the web server misrepresenting its identity.
- Avoid using public computers or public wireless access points for online banking and other activities involving sensitive information when possible.
- Always "sign out" or "log off" of password protected websites when finished to prevent unauthorized access. Simply closing the browser window may not actually end your session.
- Be cautious of unsolicited phone calls, emails, or texts directing you to a website or requesting sensitive information.
Password Best Practices
- Create a unique password for all the different systems you use. If you don't, then one breach leaves all your accounts vulnerable.
- Never share your password over the phone, in texts, by email, or in person. If you are asked for your password, it's probably a scam.
- Use unpredictable passwords with a combination of lowercase letters, capital letters, numbers, and special characters.
- The longer the password, the tougher it is to crack. Use a password with at least eight characters. Every additional character exponentially strengthens a password.
- Avoid using obvious passwords such as:
  - your name
  - your business name
  - family member names
  - your username
  - birthdates
  - dictionary words
- Choose a password you can remember without writing it down. If you do choose to write it down, store it in a secure location.
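As an added example (not from the FFIEC guidance or the original article), the Python below checks a candidate password against the tips in this section: minimum length, all four character classes, none of the listed obvious values, and the keyspace growth behind the "every additional character" claim. The profile fields, the small word list and the sample passwords are constructed stand-ins.

```python
import re
from datetime import date

# Character classes the tips ask for; each must appear at least once.
CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

# Constructed stand-in word list; a real check would load a full dictionary.
DICTIONARY = {"password", "summer", "banking", "welcome", "letmein"}


def birthdate_forms(d):
    """Digit strings people commonly derive from a birthdate (yyyy, mmdd, ddmmyyyy, ...)."""
    fmts = ("%Y", "%m%d", "%d%m", "%m%d%Y", "%d%m%Y", "%m%d%y", "%d%m%y", "%Y%m%d")
    return {d.strftime(f) for f in fmts}


def check_password(pw, personal, birthdate=None, min_len=8):
    """Return the tips the password violates; an empty list means it passes.

    personal: labelled values the tips say to avoid, e.g.
    {"name": "Kelly", "business_name": "Acme Dental", "username": "kelly85"}.
    """
    problems = []
    if len(pw) < min_len:
        problems.append("too_short")
    problems += [f"no_{name}" for name, rx in CLASSES.items() if not rx.search(pw)]
    low = pw.lower()
    # Case-insensitive substring match catches "Kelly2011!" as well as "kelly".
    problems += [f"contains_{label}" for label, value in personal.items()
                 if value and value.lower() in low]
    if birthdate and any(form in pw for form in birthdate_forms(birthdate)):
        problems.append("contains_birthdate")
    # Strip digits and symbols so "Summer2011!" is still recognised as a dictionary word.
    letters = re.sub(r"[^a-z]", "", low)
    if any(word in letters for word in DICTIONARY):
        problems.append("dictionary_word")
    return problems


def keyspace(length, alphabet=26 + 26 + 10 + 32):
    """Guesses needed to exhaust every password of this length drawn from all four classes.

    Each extra character multiplies the space by the alphabet size (94 here): the
    exponential growth the tip refers to.
    """
    return alphabet ** length


if __name__ == "__main__":
    profile = {"name": "Kelly", "business_name": "Acme Dental", "username": "kelly85"}
    for candidate in ("kelly", "Kelly0314!", "Summer2011!", "vR7!qz#Lp2mW"):
        print(candidate, check_password(candidate, profile, date(1985, 3, 14)))
    print(keyspace(9) // keyspace(8))  # 94
```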
Institution Specific Information
In addition to generic security tips, your bank should also include tips specific to your bank's online banking environment. Information concerning multi-factor authentication solutions or other controls utilized by the bank would be useful to mention.
Your bank will also need to include contact information to be used by customers to notify the bank of suspicious account activity or information security-related events. Having this information easily accessible can speed up the process of your customers notifying the bank of fraud-related events. The FFIEC guidance also mentions outlining the circumstances and methods with which the institution will contact a customer on an unsolicited basis regarding their Internet banking account.