Keep your software updated
Most software contains security vulnerabilities. Once they are discovered by researchers and fixed by the developer, they become the subject of public disclosure, and from then on anyone can find them and use them to break in.
Run your operating system's updater as often as possible, keep an eye on critical security updates, and read about newly discovered security breaches on the internet. Reboot your PC if that is required after the updates are done. Upgrade your system to a newer version once it's considered stable enough.
Update your browser, antivirus and other frequently used software as often as possible. It's as important as the system updates.
Use antivirus software, a firewall and intrusion detection systems
Any protective measure helps. Antivirus software doesn't guarantee your protection in a "patient zero" situation, but once a malware sample reaches an antivirus laboratory it gets investigated and its signatures are added to the antivirus database.
Avoid social engineering and phishing attacks
Social engineering is the fastest and cheapest way to trick people into giving away sensitive information to a scammer. Some prudent scammers combine social engineering with phishing, which is the most effective way to steal your funds. Usually it's about emails or SMS messages "from your bank". They contain external links pointing to phishing sites that imitate your bank's look and feel. When you submit your password to such a site, it goes right into the hands of cyber-criminals. Don't click on those links; phishing sites can be dangerous even to look at! Be wary of phone calls from "the bank": a bank should call you only if you asked them to call you back.
Avoid banking from a public Wi-Fi hotspot or any other guest network
It may sound obvious to avoid public networks, but lots of people still make this mistake, especially when they have no other choice while far from home. If you have to use a guest network, you can establish an encrypted VPN tunnel to your private network. A VPN creates a point-to-point tunnel, so your machine gets an IP address from the remote network. The additional encryption layer hides request headers and other details from the public network you are connected to.
Use incognito/private mode
Incognito mode uses a temporary cookie jar and doesn't save any information, whether it's form data, the downloads list or browsing history. Also, any extensions that track your activity, change the look and feel or prevent scripts from running are disabled, so the site works in its normal mode. Once you are done with the banking session, close the current window and open a new one if needed.
Use a search service to find your bank-client
Search for your banking site; don't use a bookmark to save it and don't type the address manually. If you type it manually, you can make a subtle mistake and land on a phishing site. Bookmarks can be outdated or modified by malware.
Check the connection protocol in the address bar
It should be "https", not "http" or anything else. If you see the text "Not secure" in the address bar, a red cross over the padlock, or an untrusted certificate dialog, it's a good idea to recheck the address and the certificate.
Always check the SSL certificate data of your banking site
If someone managed to poison the cache of a public DNS server, no HTTP site can be trusted. HTTPS sites, however, must supply a signed SSL certificate, so if you visit the correct site using the correct protocol, you will get a security alert about an untrusted certificate when something is wrong. It's not an issue unless the attacker holds the bank's private key. Anyway, it's recommended to check the certificate manually and validate its expiration date and fingerprints.
If you are using Chromium or Google Chrome, press Ctrl+Shift+I to open the developer tools, choose the "Security" tab and press "View certificate". In the newly opened dialog, find the SHA fingerprints. In Firefox, click on the green padlock icon, then on the right arrow, and finally press the "View certificate" button. Remember a few characters at the end of those hashes. They should remain the same during the certificate's lifetime. Sometimes, though, a company changes its certificate, so you'll need to use an "SSL checker" site to compare the certificate on your machine with the one seen from the cloud.
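The manual checks described above (https in the address bar, the SHA-256 fingerprint, the expiration date) can also be scripted. The following is an added example and not code from the original post: it uses only Python's standard library, lets the TLS stack validate the chain and hostname exactly as a browser would, computes the same colon-separated SHA-256 fingerprint the browser dialog shows, and compares the remembered tail of it. The hostname and the remembered fingerprint tail passed on the command line are assumptions of the example, not values from the post.

```python
import hashlib
import socket
import ssl
import sys
import time
from urllib.parse import urlparse


def scheme_is_https(url: str) -> bool:
    """The address bar check: only an https:// URL is acceptable for banking."""
    return urlparse(url).scheme == "https"


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated upper-case form browsers display."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(live_fingerprint: str, remembered_tail: str) -> bool:
    """Compare the last few characters you wrote down against the live fingerprint.
    Comparing the full fingerprint is stronger; the tail check mirrors the post's advice."""
    def normalise(s: str) -> str:
        return s.replace(":", "").replace(" ", "").upper()
    return normalise(live_fingerprint).endswith(normalise(remembered_tail))


def days_until_expiry(not_after: str, now: float) -> float:
    """'notAfter' as returned by ssl.getpeercert(), e.g. 'Jan  1 00:00:00 2030 GMT'."""
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400.0


def check_site(url: str, remembered_tail: str, timeout: float = 5.0) -> dict:
    """Connect over TLS, let the default context verify chain and hostname
    (an untrusted certificate raises ssl.SSLCertVerificationError, the script
    equivalent of the browser's warning dialog), then pin and check expiry."""
    if not scheme_is_https(url):
        raise ValueError("refusing to continue: the URL is not https")
    host = urlparse(url).hostname
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()  # parsed fields, only populated after validation
    fp = sha256_fingerprint(der)
    return {
        "fingerprint": fp,
        "pinned_ok": fingerprint_matches(fp, remembered_tail),
        "days_left": days_until_expiry(info["notAfter"], time.time()),
    }


if __name__ == "__main__":
    # Assumed usage: python check_cert.py https://bank.example.invalid 9A:1F
    # (hostname and tail are placeholders, not values from the post).
    result = check_site(sys.argv[1], sys.argv[2])
    print(result["fingerprint"])
    print("fingerprint matches what you remembered:", result["pinned_ok"])
    print("days until expiry: %.1f" % result["days_left"])
```

If `pinned_ok` is false but the connection validated, the bank may simply have renewed its certificate; that is the moment to compare against an independent "SSL checker" view rather than to type a password.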
Use a virtual keyboard to type in your password
If your bank-client service has a built-in virtual keyboard, use it instead of the physical one. If your machine has some sort of low-level keylogger malware listening to keyboard events, it won't capture anything useful. To get your password it would have to take a screenshot and record the mouse pointer coordinates of each click, which makes its intentions far more obvious, so malware authors may avoid it. If your bank-client doesn't have a virtual keyboard, you can use a system-wide one as well.
Use a strong, unique password
If an attacker has a large botnet, brute-force attacks using dictionaries can be deployed. That's why it's not a good idea to use "password" as a password. Your birthday as the password is even worse: if someone knows when you were born, he or she can guess your password immediately.
Avoid using the same password for multiple sites. If one of them keeps plain-text passwords in its database, or even worse, if the site uses the HTTP protocol, then any node on the way can sniff it.
Use two-factor authentication
Two-factor authentication stands for a combination of multiple factors, e.g. "something you have" plus "something you know".
Use 2FA to mitigate the risk of illegal access. Most banks enforce it by default, so you will have to get a one-time password from an SMS message, a special application or a USB dongle carrying your own private keys. In general SMS messages are not as secure as apps and USB dongles, because they involve a third-party company responsible for transmitting sensitive data over the mobile network.
If you use Google Authenticator or a similar app, turn on airplane mode. It helps to keep your phone isolated from the outside world, thus preventing possible data leakage.
If you receive two messages in a row, don't proceed with the login; wait some time and try again. If your messages carry a sequence number, it helps to ensure you won't type in an unsolicited password.
Of course 2FA is a solid improvement in security, but it only protects creating a session, not manipulating funds (at least not for all operations). Ideally your bank should require an additional 2FA check whenever you move a relatively large amount of money, and should include those amounts and addressees in the confirmation messages.
Don't use a smartphone to receive one time passwords
Android and iOS are complex systems consisting of lots of potentially vulnerable libraries. Traditionally iOS is considered more secure due to the App Store software audit, but iPhones can also be compromised. Don't count on them: use a simple phone with custom firmware and choose the most solid mobile network provider. Don't use this SIM card for any other purpose; let it serve only this one.
Finally, log out before you close the tab
Most banking sites use auto-logout if the user is inactive for a couple of minutes, but it's strongly recommended to log out manually when you have finished your banking session.
Thanks for reading.