Do's And Don'ts Of Cyberbanking

Deck: Security is much improved, but a few smart steps will make you less vulnerable

Using credit cards to make online purchases makes people nervous. Doing banking online makes people really nervous, judging from the questions I get from readers. With a steady stream of publicity about the security problems of computer networks, it's not hard to see why. But I've always followed a simple rule about assessing the dangers: Banks have a lot more at risk than their customers, so if it's safe enough for them, it's safe enough for us.

Federal law generally limits a cardholder's liability for fraudulent use of a lost or stolen credit card--or card number--to $50. The rules covering debit cards are more complicated, but Visa and MasterCard have voluntarily accepted the same limit for these cards.

SECURITY HOLES. If your bank is serious about online banking, it should be willing to guarantee it will cover any losses in your account from a break-in by a cyber thief. In short, the risk of online banking is more to your privacy than your money.

Banks have taken two approaches to online services. Some, such as Citibank, give you special software that lets you dial directly into the bank's system. Others, such as Wells Fargo, let you bank over the Internet. Most banks are moving toward the Wells Fargo approach.

In theory, the dial-up approach is more secure. Telephone lines, unlike the Internet, are generally safe from snooping. And custom software means that these systems aren't vulnerable to the security holes that keep cropping up in Web browsers, although dial-up systems are open to mistakes by the banks' own programmers.

This may be a distinction without a difference. All financial information that you exchange with your bank, including account numbers and passwords, is encrypted before it goes out on a phone line or the Internet. Browsers indicate that they are in secure, encrypted mode by displaying a lock icon, in the lower left corner in Netscape Navigator and the lower right in Microsoft Internet Explorer. Encryption gives Internet transactions reasonable protection from prying eyes. And good software doesn't store unencrypted passwords or other sensitive information even on your own hard disk, where it could be exposed to prying eyes by a poorly designed browser. (For a thorough but nontechnical discussion of security issues in Internet banking, check out Wells Fargo's Web site at

Most online banking services allow you to check your balance, find out if checks have cleared, transfer funds among accounts, and download transaction records into Intuit's Quicken or Microsoft Money. Many of the services will let you pay bills electronically, usually for a monthly fee, and many allow you to pay all your bills online, even if the bank has to send out a check itself. Some banks also provide for the purchase of stocks or mutual funds through affiliated securities dealers.

The nature of these transactions provides protection. You certainly don't want a stranger who gains access to your account riffling through your online check stubs, but it's some comfort to know that many banks will cover any losses if someone breaks in. At Wells Fargo, "if someone drains your account through no fault of your own, the bank will step up to that," says Executive Vice-President Dudley M. Nigg. That means don't broadcast your password and expect to be protected.

Indeed, passwords and PINs are the weak points in all online-banking systems, and a few simple precautions can work wonders. Don't choose obvious passwords, such as your birth date. The best are random strings of characters. And don't write your password in a place where the wrong person is likely to find it.

CARD SMARTS. New technologies will eventually make passwords obsolete--and online banking and other transactions much safer. On the horizon: the smart card, a plastic card with embedded microcircuits. Slipping your smart card into a reader in your computer, together with a password, gives a much higher level of security than a password alone.

Soon there will be additional advantages. VeriFone, a Hewlett-Packard subsidiary, has developed a product called Personal ATM that allows you to download cash from your checking account onto a smart card. The card could then be used like currency for purchases, including those, such as vending machine transactions, that are too small to be practical with credit cards.

Improved security will make possible bigger--and therefore riskier--online transactions, such as large electronic funds transfers. Meanwhile, you can rest easy that today's online banking is a low-risk convenience.
