Sitting Duck Syndrome: How Security Shortcuts Put Online Banking at Risk

Yesterday, I watched a friend use online banking. All the classic mistakes were there. The post-it note with her passwords—stuck right to her computer. And not just any passwords—nearly identical ones for everything. She sent her security access code by email “because it’s easier,” and she refuses to try push notifications because, as she puts it, “That’s too hard for old ladies like me.” From now on I will call her "Sitting Duck."

Don't we all know we're a little like Sitting Duck ourselves? We all know we’re supposed to “be secure” online, but we also don’t want our lives bogged down by security access codes, security alerts, and password resets. We all have our shortcuts. Maybe it’s reusing that one favorite password (with an extra ! at the end every time we are asked to update) or saving usernames across multiple platforms. The truth is these shortcuts make life easier for us—and for attackers.

We all know the security concept of “something you are, something you know, something you have.” (You haven't heard of this? Time for some security training!) It means that to be secure online, we all need something like a login name that represents who we are, a password or PIN that we know, and a phone or email address that we have access to. Biometrics can take "who you are" much further these days with fingerprints, facial recognition, and the timing of how a person types and interacts.

Passwords can become passphrases (Google "correct horse battery staple" to see why that's a great idea), and push notifications are an advance over email and SMS. But there's a problem: people, me included, often make these “somethings” way too easy to find.

The hints you give, maybe without realizing it

We’ve all got our favorite approach to generating passwords. The trouble is, when you use the same one in multiple places, a breach on one site can open doors everywhere. So if you’re using the same password on an artisan pottery website as for online banking, and the artisan pottery site was hacked without the artisan potter's knowledge, and the artisan potter had the 19-year-old intern store the passwords in plain text in the first place, well, you might just be handing out the keys to the kingdom.

We don't stop there. Ever notice how many people mention the devices they use in email signatures or on social media? It’s like putting up a “Welcome, Hackers!” sign. When attackers know which device someone’s using, they can target it specifically, making it much easier to slip in undetected.

Plus, it's not just obvious things like passwords and device details. There have been so many breaches that each of us should assume our critical private information, like Social Security number (SSN) and date of birth (DOB), is available if someone wants it. It would add a sense of authority if someone asked, "Can you confirm the last four digits of your SSN are 1234?", wouldn't it? What if they knew the serial number of your laptop? Or your passport number? Or your medical history? Or the number of times you have stayed with a particular hotel chain? Or the details of the credit application for your mobile phone bill? All of this information has been lost in various known breaches.

To lay it out plainly, we often give away much of "something we have," we re-use "something we know," and others are hacked and lose "something we are," leading to a situation where there's very little required to break through our defenses. "Sitting Duck" doesn't even know this much.

The balance between service and security

Financial institutions walk a tightrope every day between making the experience smooth and keeping it secure. Security in this context is the balance between adding steps that make life harder for the hacker and the friction those same steps add for the end user. No one likes being bombarded with security checks, but many of us now actually expect security layers, like multifactor authentication or an extra nudge to verify who we are, when we log into important accounts. With more stories about breaches popping up, end users today often appreciate a financial institution that puts security first.

You can set a clear tone for what good online behavior looks like and offer tips to get there. But just reminding people to “be careful” won’t cut it. Some will listen, sure, but for those who don’t, you might need to get creative, or, dare I say it, take a firmer tone. You may (some say “will”) have to enforce stronger rules, like extra steps for sensitive transactions, much longer passwords, password resets every few months, and mandatory security alerts. It’s about creating a safer environment for everyone, especially those most at risk.

Here are some ideas for education campaigns for your end users.

"We will never ask you for your password" buries the problem. It might be better to call out the issue by stating, "If someone asks for your access code or password, they want to gain access to your account," and then adding, "We will never ask you for your password." Or you could be even more direct with, "To protect your money, never share your password or security access code.”

"We will never ask you for your password" is passive in tone. Instead, focus on action. "If anyone ever asks for your password or security access code, reach out to us immediately. Be vigilant! We will never ask you for this information" makes it clear how to react in the moment.

"We will never ask you for your password" cannot be acted upon ahead of time. It's a statement about you (the FI) rather than a call to action about what an individual can do. It's possible to turn this around 180 degrees with a campaign headline of, "Do you want to help your family and friends? Show them how to be safer when banking online." With this approach, you can provide hints and tips that your end users can use to help others.

"We will never ask you for your password" assumes a single method of approach for learning more details from the end user. "If someone gives you a link to change your password, they want to gain access to your account" helps protect against more sophisticated scenarios where copycat sites are used.

"We will never ask you for your password" does not show you are taking action to protect the end users. "We are doing more to help protect you. You will see more security alerts for activity on your account. If it's not you, tell us immediately."

Set up the must-have alerts

There are several security alerts that really should be enabled for every end user:

Alert me when:

  • An invalid password for my login ID is submitted
  • The "forgot password" process is attempted for my login ID
  • The "forgot password" process is attempted unsuccessfully
  • The "forgot password" process is successfully completed
  • An invalid secure access code is submitted
  • My login ID is locked out
  • My login ID is changed
  • My login ID is disabled
  • My password is changed
  • Secure access code contact information is changed
  • A computer/browser is successfully registered
  • My security alert preferences are changed
  • My user profile is updated

You might want to enable these as well, on the basis that if the end user isn't logging in at the time, then they really do want to know that someone else is.

  • A valid password for my login ID is submitted
  • A valid secure access code is submitted
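As an added illustration (not code from this post or from Q2), here is a small Python alert policy for the two tiers above: the must-have alerts always fire, the optional ones honor the end user's preference, and a preference change that tries to silence a must-have alert is refused and is itself reported. The event names and the sample event stream are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Must-have alerts from the post's list (event names are assumed, not Q2's):
# always delivered, and the user cannot switch them off.
MUST_HAVE = {
    "invalid_password", "forgot_password_attempted", "forgot_password_failed",
    "forgot_password_completed", "invalid_access_code", "login_locked",
    "login_id_changed", "login_id_disabled", "password_changed",
    "access_code_contact_changed", "device_registered",
    "alert_preferences_changed", "profile_updated",
}
# Optional alerts: on by default, but the user may opt out.
OPTIONAL = {"valid_password", "valid_access_code"}

@dataclass
class User:
    login_id: str
    opted_out: set = field(default_factory=set)

def alerts_for(user, events):
    """Return (event_type, note) pairs the user must be notified about.
    A preference change that tries to silence a must-have alert is refused
    and is itself always reported: turning alerts off is the first thing
    someone who has taken over an account would try."""
    notices = []
    for ev in events:
        kind = ev["type"]
        if kind == "alert_preferences_changed":
            requested = set(ev.get("opt_out", ()))
            refused = sorted(requested & MUST_HAVE)
            user.opted_out = requested & OPTIONAL
            note = "must-have"
            if refused:
                note += f"; refused opt-out of {refused}"
            notices.append((kind, note))
        elif kind in MUST_HAVE:
            notices.append((kind, "must-have"))
        elif kind in OPTIONAL and kind not in user.opted_out:
            notices.append((kind, "optional, enabled"))
    return notices

# Constructed sample: a successful login, then an attempt to silence alerts
# and change the secure access code contact, then another login.
SAMPLE_EVENTS = [
    {"type": "valid_password"},
    {"type": "alert_preferences_changed",
     "opt_out": ["valid_password", "access_code_contact_changed"]},
    {"type": "access_code_contact_changed"},
    {"type": "valid_password"},
]
```

Running `alerts_for(User("sitting_duck"), SAMPLE_EVENTS)` shows the first login alert going out, the refused opt-out being reported, and the contact change alert still firing; only the second login alert is suppressed, because that is the one alert the user was allowed to turn off.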

The real takeaway here? It’s all about partnership. Security shouldn’t be a hassle; it should be a built-in part of banking, like having a lock on a door. The best user experience now is one where security doesn’t just feel like an extra step but like peace of mind. Financial institutions and end users can work together to create a safer experience by following these best practices, building a secure environment for everyone. So, to all the “Sitting Ducks” out there: Let’s raise the bar a little! Banking securely isn’t just a nice-to-have; it’s essential. And the good news is, with a few simple tweaks, we can all make online banking a whole lot safer—while still convenient.

Want to learn more? Contact Q2 Advisory Services.