Indeed, online banking is one of the most lucrative targets for cybercriminals for obvious reasons. One may ask as to why existing methods do not provide a reliable defense, given so much resources and attention are devoted to get it done?

Let’s start with software – OS vulnerability exploits, insufficient testing, zero-day errors, version / release control mistakes, lack of built-in security protections, and other Software Development Life Cycle (SDLC) weaknesses are quite common. In a way, it is the essences of software business – to bring up a product that has useful functionality and worry about security later. However, this approach is perpendicular to what online Financial Institutions (FI) are looking for. Can it be fixed? May be, but it will be a quite slow process.

There are many of reasons for that. For instance, all vulnerabilities and attack vectors aren’t known ahead of time, requirements for additional testing and built in security modules would necessitate higher caliber employees and extended time for SDLC – all leading to financial losses for software business. Moreover, none of the software company would ever agree to provide any warranties in a Software License Agreement (SLA).

Typically, in addition to a SLA cost, there is also an annual renewable maintenance and service agreement – a part of this agreement cost back credits software vendors to allow FI requesting a software vendor to fix vulnerabilities and patch the software, whereas another part of the cost forward credits software vendors for ongoing security improvements in the upcoming releases.

In summary, currently FI software security, as a non-revenue producing expense component, is lagging behind as compared to cybercriminals’ direct gain from the operations. Growing financial losses at FI, as well as losses of landmark business reputations due to breaches of business sensitive data and Personally Identifiable Information (PII) is slowly but surely changing the notion of security as being a non-revenue producing expense component. Thefts of PII also raise a lot of privacy questions.

The last note is about the central piece of the security technology for online FI - user authentication. Static passwords proved to be vulnerable, security questions as an additional component of the so called layered security are even worse – it is a wrong sense of security.

There are several reasons as to why they are still being used – implementation simplicity, relatively low implementation and service costs, lack of patent protection. Some FI and other businesses adopt two-factor authentication – say a password and a hard/soft token session-only access code, or a password and a SMS message session-only access code.

Certainly, it is better than using a single password. However, there are indications that these technologies, while being an improvement, are still having serious vulnerabilities requiring a substantial enhancement in user authentication technologies to reduce the attack vectors threats. History shows that users’ adaption to new authentication technologies is a quite slow process as well.

There are currently several methods used for verification and some exciting new technologies coming on the market.  

One of the current methods is location IP verification.  If I normally log into my bank from Austin, TX but suddenly try to log in from Mexico City, Mexico, a red flag goes up.  Banks are looking at ways of using social media and travel information obtained from credit cards to track movement.

Another exciting way is by looking at "something you do".  Everyone types or moves a mouse differently.  Online sites can use algorithms to determine if a user is who they claim to be.  There are certainly drawbacks to this method, i.e., hand injuries, arthritis, etc.  However, the old statement of proving identity by showing something you know, something you have, something you are, and something you do is proving to be the basis for modern online security.

PCI security standard might help.

i do not know about you, but for me, it is better not to use smartphone for any online transaction, try to use laptop or computer and do not connect to free WIFI outside which can be TWIN DEVIL. basically, online business/online banking has a group of dedicated staffs monitoring the abnormality generated from payment traffic, e.g.: if the merchant swap amount > credit limit, or if same merchant swap > 1 time, it will trigger the security protection application alert alarm and then online banking staff will call you immediately, before transaction is approved...anyway, be careful as this measure has loopholes. all measures are not perfect, everyday, hacker create better method to hack/steal/destroy..

very pertinent question in field of online retailing. online retailing is growing in leaps and bounds due to advances in technology and versatile tools to efficiently and effectively conduct transactions at customers' convenience and superior experiences . The online transactions need a interactive website storefront, secure payment, and logistic delivery system. The information communication technology(ICT) system has inherent vulnerabilities that are often exploited by cyber-criminals for Rasnsomware, denial of competitive advantage, theft of intellectual property, loss of customers trust and privacy. Therefore, should have secure server and secure payment system complemented by compliance, regular parchment updates, antivirus updates, next general firewall, end-to-end encryption; all backed by intrusion detection system (IDS) and intrusion prevention system (IPS). IPS will alert the teller of unusual external intrusions possible fraud and'or data breach.