Probing Question: Is it safe to pay my bills over the Internet?

Lisa Duchene
January 16, 2006
computer mouse on hundred dollar bill

Managing your money is no easy task. While television commercials make it look easy to do all your banking online in just five minutes, on the next channel, insurance companies warn of crooks that will steal your identity and your money. What's the deal? Is it safe to pay your bills online?

No, not yet, says John M. Jordan, executive director of the eBusiness Research Center at Penn State's Smeal College of Business. "There are lots of ways it can go wrong," says Jordan, who does not use the Internet to pay his bills or do his banking. Thieves are proficient at outsmarting the technology banks use to provide online access to your accounts. Online crime is a multi-billion dollar global business.

"You hop, they take two hops. You hop again, they take two more," says Jordan. "So far the bad guys are ahead."

A few ways crooks can get your account information and use it to steal your money include:

• The "man in the middle" scam, in which thieves use a fake web page that looks identical to your bank's Web site to intercept information you think you are giving to your bank.

• "Key logging" software—installed onto your computer without your knowledge—that records every keystroke made on a machine.

• Fake e-mails carefully crafted to look as if your own financial institution is requesting your personal information. Called "phishing," this scam stole about $929 million from 1.2 million U.S. consumers from May 2004 to May 2005, according to Gartner, a technology research company in Stamford, Conn.

In addition to having your money stolen, other dangers of online banking include identity theft, damage to your credit rating and the mountain of paperwork involved in straightening out a mess.

"Every time [banks] make online bill-paying easier to use, [they] may be making it easier to break into," says Jordan.

Behind the scenes, banks are scrambling to build security into their systems so that nobody but you can touch your money.

The root of the problem, says Jordan, has to do with authentication, i.e., how banks verify a consumer's identity. In the online arena, banks use only one way to authenticate identity, instead of the two ways used in every other transaction arena.

People prove their identity in three basic ways, he explains: with something they know, like a password or PIN number; something they have, like an ATM card; or something they are, like a fingerprint or photo ID.

Most transactions, says Jordan, involve two of these methods. To take money out of an ATM machine, you provide the bankcard and a PIN number. But online banking uses only one way to verify identity.

"Banks are trying to figure out a second factor of authentication," says Jordan. They have to do it soon, since the federal government wants to see greater security in electronic banking by the end of 2006.

In mid-October, the Federal Financial Institutions Examination Council issued new guidance to banks, declaring that the single-factor method of verifying identity for online banking falls short and urging them to better protect consumers' money and identities. The council's members include the Federal Deposit Insurance Corporation and the Board of Governors of the Federal Reserve System.

Banks can offer further security in many different ways, says Jordan. They may use a "shared secret" method, in which customers send their bank a picture of their dog, then are asked to identify their dog from a canine lineup whenever they want account access. Or banks may provide battery-operated identification cards that automatically issue a new, unique pass-code to their online banking Web site every 30 to 60 seconds.

Or, you may soon have to use your fingerprint to log in to your account. A fingerprint-reader device generates a unique multi-digit secure number that can't be hacked, says Jordan.

Banks must find solutions because a lack of consumer trust threatens online banking and e-commerce itself, says Jordan. "If you lose trust in the instrument of money, then there is no money because money is a trust system."

John M. Jordan, Ph.D., is executive director of the eBusiness Research Center in Penn State's Smeal College of Business. He can be reached at

Last Updated January 16, 2006