Skip to main content
rob carrick

We should all be a little more cautious about online banking.

Let's be clear – the Heartbleed online security bug that made headlines globally appears not to be a risk to people who do their banking and investing online. "The online banking applications of Canadian banks have not been affected by the Heartbleed bug," the Canadian Bankers Association (CBA) said in a news release. "Canadians can continue to bank with confidence."

But as news of Heartbleed spread, a couple of disquieting facts emerged. One is that the bank security guarantees are not an air-tight defence against hackers and scammers. Another is that online banking complacency is no longer permissible. We all need to be more active and vigilant in protecting ourselves.

New viruses, malware and other forms of security threats are constantly being developed by hackers and scammers, and occasionally they make the news. Mostly, these threats fade quickly and have little real world impact. But Heartbleed's ability to defeat commonly used online security measures made it more of a concern.

This was demonstrated on Wednesday when the Canada Revenue Agency shut down its portal for filing tax returns online "to protect the security of taxpayer information." CRA wouldn't do this lightly because the April 30 tax deadline is three weeks away and the website was operating at peak levels. Kerry-Lynne Findlay, the federal Revenue Minister, says consideration will be given to people who can't file their taxes on time as a result of the website shutdown.

CRA made the right call on closing its portal because confidence in online tax filing depends on personal information being kept private. But we file our taxes just once a year. We bank online daily, or at least weekly.

So what were the banks doing to reassure customers about Heartbleed, a story devoured by the media and the subject of the Top 3 most read stories on the Globe and Mail website on Wednesday at mid-day? The CBA comment arrived at 3:07 p.m., which in an age of instant information is on the late side. Though all the banks watch carefully for their name appearing in social media, only Toronto-Dominion Bank responded promptly to a late-morning tweet in which I asked for word on whether Heartbleed affects online banking or credit cards. "Our banking sites and customer data are protected," the bank replied. "TD customers can continue to bank securely without risk to personal data." Head office for the country's credit unions issued a similar tweet, saying "we're not vulnerable to this issue."

The vast majority of banks and financial firms have online security guarantees that say clients will be reimbursed fully for any losses due to unauthorized transactions. The question all online banking clients need to have answered: Would this guarantee apply due to losses associated with a bug like Heartbleed? "Banks have to look at any reported fraud on a case-by-case basis, but customers are not liable for fraudulent transactions resulting from circumstances beyond their control," a CBA spokeswoman said in an e-mail.

Here's why you should still be cautious about online security guarantees: They put a lot of responsibility on account holders to prevent fraud. One bank says its online banking agreements place a responsibility on users to use up-to-date anti-virus and anti-spyware software and a firewall, while another says clients must install and maintain an up-to-date firewall and virus protection on a PC or a wireless device.

Read your online banking security agreement (they're online), and meet your obligations to the letter if you want your bank to have your back in case of fraud. Most importantly, be smart about passwords. Most of us would rather have a cavity filled than redo all our passwords every six to 12 months, but there are few better defences against hackers trying to steal your data.

Put some effort into choosing your login and password so that they don't use obvious number combinations like your birth date. You must also keep your password and login confidential, and report to your bank within 24 hours if your client card is lost or your password and login have been obtained by someone else.

It's common for online security agreements to require people to immediately notify their bank immediately if they see unauthorized activity. Consider this motivation to check your accounts daily if possible.

Tips for preventing hackers and scammers from seeing your personal financial data:

1. Log into your account every day to ensure there are no unauthorized transactions.

2. Change your banking passwords immediately if you're concerned about Heartbleed, and on a six- to 12-month schedule thereafter.

3. Use different passwords for your financial accounts.

4. Increase the security of your passwords by combining upper and lower case letters, numbers and keyboard symbols such as # or @.

5. Don't allow e-commerce websites to store your credit card data – input it each time you buy something online.

Follow me on Twitter: @rcarrick