Your bank may be vulnerable to a data breach. Here’s what you can do



The Equifax data breach left many of us with questions about cybersecurity. A big one: If a credit bureau can be hacked, how safe is our information stored in other places, like banks?

The good news? Major data breaches at financial services providers aren’t as common as they are for companies in other kinds of industries, like health care and government.

Still, you have some reason to worry.

SecurityScorecard grades banks based on the health of their security systems. Its recent report found that among the top 20 commercial banks in the country by revenue, 19 received a network security grade of C or below. Fifteen out of 20 banks had an expired Secure Sockets Layer (SSL) certificate — which enables encrypted communication between the bank and your web browser — leaving them susceptible to man-in-the-middle attacks and other security threats.

“When the SSL certificates expired, what could happen is those endpoints become vulnerable to such types of attacks,” says Alex Yampolskiy, CEO of SecurityScorecard. “So it allows the possibility of somebody snooping on your communication.”

If your checking or savings account is with a big bank, here’s what you should do to protect yourself.

Your role in avoiding identity theft

You can’t do much to control how your bank goes about protecting all of the information it collects about you. And it collects a bunch of your personal data, from your Social Security number to your income and assets if you’re a borrower at a particular bank.

It’s also not particularly easy to choose a bank based on its security protocol. Banks and credit unions aren’t very vocal about everything they’re doing.

“People don’t like sharing. The truth of the matter is, there’s a lot of skeletons hidden in the closet for many companies,” Yampolskiy says.

That’s why consumers must step up to keep their identities safe.

“Customers need to monitor their accounts on an ongoing basis and get free credit reports,” says Doug Johnson, senior vice president, payments and cybersecurity policy at the American Bankers Association. “Those are the kinds of individual actions that the consumer needs to take in conjunction with what the bank is doing.”

Enable two-factor authentication, especially when dealing with riskier transactions. And if your bank has special features designed to make your banking experience safer, you should use them.

Another way to protect yourself is to be more cautious about the personal details you’re sharing. Ask why you need to release certain information and be more reluctant to hand it over.

If you discover account fraud and report it in a timely manner, you generally won’t face much, if any, liability.

How your bank protects you

While banks don’t share everything about how they protect your money and your data, there are some pretty common protocols they follow.

Data, for example, is typically secured with 128-bit SSL encryption (which is considered unbreakable) to prevent others from accessing it.

Banks run tests, too, checking to see how safe their databases are from hackers.

When it comes to individual account access, many of the biggest banks rely on biometrics to verify customers’ identities. Fingerprint scans and voice recognition have replaced passwords. Accessing your account with an eye scan may soon become the norm.

As technology advances, banks must continue updating security controls. Apple’s iPhone X, for example, has a Face ID function rather than Touch ID, which many bank customers use to log in to their accounts.

“Banks now have to scramble and think about how does that impact my mobile app and which security feature do I replace this with?” says Genevieve Gimbert, a partner in the financial crimes unit at PwC. “These banks need to really be more strategic in terms of how to become more agile and flexible in deploying authentication and security controls because some of these controls have a shelf life.”

Security changes to come

Another challenge is ensuring the security of services provided by third parties, Gimbert says. And knowledge-based authentication, or personal security questions, may have to be replaced.

“Clearly with the increasing occurrence of data breaches, that is no longer a secure control,” Gimbert says. “The banks these days are in the process of redefining their authentication strategy across all channels and products, as well as defining what the architecture should be for identity verification and authentication.”