With so many users making the jump to internet banking, it's no wonder that hackers are on the hunt for login details. What may be surprising, however, are the lengths that hackers go to in order to access your finances.
Here's a look at how hackers target your bank account and how to stay safe.
These days, you can manage all of your finances from your smartphone. Usually, a bank will supply an official app from which you can log in and check your account. While convenient, this has become a key attack vector for malware authors.
The simpler means of attack is by spoofing an existing banking app. A malware author creates a perfect replica of a bank's app and uploads it to shady third-party sites. Once you've downloaded the bad app, you enter your username and password into it, which is then sent to the hacker.
The sneakier version of this is the mobile banking Trojan. These aren't disguised as a bank's official app; they're usually a completely unrelated app with a Trojan installed within. When you install this app, the Trojan begins to scan your phone for banking apps.
When it detects a banking app being launched, the malware quickly puts up a window that looks identical to the app you just booted up. If this is done smoothly enough, the user won't notice the swap and will enter their details into the fake login page. These details are then uploaded to the malware author.
Typically, these Trojans also need an SMS verification code to complete the hack. To do this, they'll often ask for SMS read privileges during install, so they can steal the codes as they come in.
When downloading apps from the app store, keep an eye on the amount of downloads it has. If it has a very low amount of downloads and little to no reviews, it's too early to call if it has malware or not.
Likewise, be careful with what permissions you give apps. If a mobile game asks you for SMS read permissions with no explanation as to why it wants them, stay safe and don't allow the app to install. Never install apps from third-party sites, as they're more likely to contain malware
Obviously, if an email address looks suspicious, treat its contents with a healthy dose of skepticism. If the address looks legitimate but something "seems off," see if you can validate the email with the person sending it---preferably not over email, in case the hackers have compromised the account!
Hackers can also use phishing, among other methods, to steal your identity on social media.
This method of attack is one of the quieter ways a hacker can gain access to your bank account. Keyloggers are a type of malware that records what you're typing and sends the information back to the hacker.
That might sound inconspicuous at first, but imagine what would happen if you typed in your bank's web address, followed by your username and password. The hacker would have all the information they need to break into your account!
Install a stellar antivirus and make sure it checks your system every so often. A good antivirus will sniff out a keylogger and erase it before it can do damage.
If your bank supports two-factor authentication, be sure to enable this. This makes a keylogger far less effective, as the hacker won't be able to replicate the authentication code even if they get your login details.
Sometimes, a hacker will target the communications between you and your bank's website in order to get your details. These attacks are called Man-in-the-Middle (MITM) attacks, and the name says it all; it's when a hacker intercepts communications between you and a legitimate service.
Usually, an MITM attack involves monitoring an insecure server and analyzing the data that passes through. When you send your login details over this network, the hackers "sniff out" your details and steal them..
Sometimes, however, a hacker will use DNS cache poisoning to change what site you visit when you enter a URL. A poisoned DNS cache means that www.yourbankswebsite.com will instead go to a clone site owned by the hacker. This cloned site will look identical to the real thing; if you're not careful, you'll end up giving the fake site your login details.
Never perform any sensitive activities on a public or unsecured network. Err on the side of caution and use something more secure, such as your home Wi-Fi. Also, when you log into a sensitive site, always check for HTTPS in the address bar. If it's not there, there's a good chance you're looking at a fake site!
If you want to perform sensitive activities over a public Wi-Fi network, why not take control of your own privacy? A VPN service encrypts your data before your computer sends it over the network. If anyone is monitoring your connection, they'll only see unreadable encrypted packets. Picking a VPN can be difficult, so be sure to read our guide on the best VPN services available.
