Frankfurt. The Volks- und Raiffeisenbanken want some of their customers to make their online banking passwords more secure. The online banking PIN should be as long and complicated as possible.
“The VR banks are asking all affected customers to change their PIN if it does not meet the current security standard,” said the IT service provider for the around 730 cooperative banks, Atruvia, on request. The IT company did not reveal how many customers were involved.
According to Atruvia, the current standard requires passwords to have at least eight characters and to either consist only of numbers or contain at least one capital letter and one number. Security is a key argument for the step. The older PIN formats made customers more vulnerable to attacks in cyberspace.
“We have seen that cybercrime attacks have been used more and more for years to gain access to sensitive data,” the IT service provider stated. Fraudsters are relying on more and more unusual scams, so password security is an important aspect of data protection.
For example, there are hacker attacks in which passwords are cracked by automatically trying out many different combinations of numbers and letters in a short time. The longer the password, the more time it takes for a computer to come up with a hit.
BSI: One password per access
To prevent such an approach, the Rhineland-Palatinate consumer advice center advises that a password meet certain quality requirements and only ever be used for one account. It also makes sense for a password to contain at least eight characters and different types of characters, because such combinations are more difficult to crack, explains Andrea Steinbach, an expert at the consumer advice center. “This is actually a first step towards more password security.”
The Federal Office for Information Security (BSI) also uses the motto for passwords: “The longer, the better. A good password should be at least eight characters long.” It also recommends using a password for only one access.
The security experts point out that a so-called second factor also increases security when logging in. This extra protection is called “two-factor authentication”. With online banking, you usually have to enter such a second factor, a transaction number (TAN), every 90 days when logging in and also to confirm a transaction.
There are various security procedures for online banking. Some financial institutions continue to offer SMS TANs, while Volksbanks and savings banks said goodbye to them last year. The app-based push TAN procedure is being used more frequently today, as well as photo TAN and chip TAN. The chip TAN procedure, for which customers need a so-called TAN generator, is considered to be particularly secure.
The cooperative banks give another technical reason for the request to change the passwords: Different PIN formats would cause a lot of maintenance work. Therefore, they want to convert all online banking PINs to a standard, according to Atruvia.
Password theft via bogus websites
At other banks, eight-digit passwords are provided for new customers and in the event that customers want to change their PIN. Postbank, which belongs to Deutsche Bank, refers to the internal IT migration: In the new online banking, to which all customers would be switched, “the change or reassignment of eight-digit passwords is already specified as soon as the customer wants to change his password”. This conversion is also planned for Deutsche Bank’s online banking.
New customers at Commerzbank also have to use an eight-digit password. The requirement also applies to those who want to get a new password or change an existing one, the bank said.
In contrast, the savings banks, which are the market leaders in business with private customers, are satisfied with a minimum length of five characters for passwords in online banking. However, their IT service provider, Finanz Informatik, also recommends at least eight digits. It does not consider a five-digit password to be insecure per se, “since it is blocked if it is entered incorrectly three times”.
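The following is an added example, not part of the article and not any bank's code. It puts numbers on the PIN formats discussed above by checking a PIN against the Atruvia standard and comparing the chance of a correct guess before a three-attempt block with the time needed to try every combination when nothing throttles guessing. The reading of the standard, the 62-character alphabet, the guess rate and the sample PINs are assumptions made for the example.

```python
import string

UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
ALNUM_SIZE = 62  # assumption: a-z, A-Z, 0-9; the article names no alphabet
LOCKOUT_ATTEMPTS = 3  # from the article: blocked after three wrong entries
ASSUMED_RATE = 1_000  # constructed guesses/second for an unthrottled check


def meets_standard(pin: str) -> bool:
    """Article's standard, read here as: at least 8 characters AND
    (digits only OR at least one capital letter and one digit)."""
    if len(pin) < 8:
        return False
    chars = set(pin)
    if chars <= DIGITS:
        return True
    return bool(chars & UPPER) and bool(chars & DIGITS)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate PINs of exactly this length."""
    return alphabet_size ** length


def guess_probability(space: int, attempts: int = LOCKOUT_ATTEMPTS) -> float:
    """Chance of hitting a uniformly random PIN before the lockout triggers."""
    return min(1.0, attempts / space)


def exhaust_seconds(space: int, rate: int = ASSUMED_RATE) -> float:
    """Worst-case time to try every candidate when nothing throttles guessing."""
    return space / rate


def compare() -> dict:
    """Per policy: (keyspace, chance before lockout, worst-case seconds)."""
    policies = {
        "5 digits": keyspace(10, 5),
        "8 digits": keyspace(10, 8),
        "8 alphanumeric": keyspace(ALNUM_SIZE, 8),
    }
    return {name: (n, guess_probability(n), exhaust_seconds(n))
            for name, n in policies.items()}


if __name__ == "__main__":
    for name, (n, p, secs) in compare().items():
        print(f"{name:15} space={n:.3e} p(lockout)={p:.1e} exhaust={secs:.3e}s")
    for pin in ("12345", "12345678", "Summer2024", "summer2024"):  # constructed
        print(pin, meets_standard(pin))
```

The figures assume PINs chosen uniformly at random; PINs picked by people are more predictable, so the real chance of a hit before the block is higher than the value computed here.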
However, complicated passwords do not help with another type of cyber attack. Fraudsters are trying to intercept access data or secret numbers with increasingly sophisticated methods. They lure consumers to fake websites that look very similar to those of a bank, for example – with a request to enter passwords. This attempt to swindle money with stolen identity data is called “phishing”. Phishing is made up of “password” and “fishing”, meaning “to fish for passwords”.
According to the BSI, 90 percent of fraudulent spam emails in the past year were “finance phishing”, i.e. they related to banking transactions. “They only aimed to steal access data for online banking.”
The BSI is aware of cases in which, in a first step, bank access data was stolen using phishing and, in a second step, two-factor authentication was also undermined using social engineering. For example, under the pretense of an alleged account blocking or dubious account transactions, the fraudsters would ask customers to confirm their identity or allegedly reactivate the account by handing over the TAN they had previously received. According to the BSI, the perpetrators then use the TAN for a previously hidden transaction, such as a bank transfer. The North Rhine-Westphalia Consumer Advice Center offers an overview of current phishing attacks.