28. September 2019

How we protect you against phishing

A few tips about what to watch out for when using online banking and what you can do to keep yourself and your money safe. Before we get started: at neon, a scammer would need your contract number, login code, transfer PIN plus your activated smartphone to steal money from your account. We make it pretty difficult for them.

(By the way: if you want to know what two-factor authentication and deposit protection are, we have all the info for you here. If you’re interested in reading about how we’re protecting ourselves against hackers, you should read our report on a penetration test here.)

In this article, we explain what phishing is: how it works, what we do and what you should do to go through your days free from worries.

Phishing or hacking?

A hack is an attack against the entire bank, stealing data on a grand scale. Depending on the situation, a hacker may then try to initiate payments. Successful hacks don’t happen all that often. You can read here about how we protect ourselves against them. Phishing attacks are much more common, and involve the user themselves unwittingly giving away information. The scammers use clever pretexts to try and worm information out of you and gain access to your account.

How a phishing attack works

For every phishing attack, the scammers first have to find out who uses the service, and then get past its security measures (usually two-factor authentication).

Creating user lists

First, the scammers try to compile a list of clients for a bank. They might use a «honeypot», for example, which includes data from an address database (from a seller, Facebook, etc.) that has been hacked.
They could also exploit a community feature offered by many banks: it shows you which of your contacts also use the same bank, so you can transfer or request money in just a few clicks. By generating random phone numbers and importing them into their contact list, the scammers can build a reliable list of potential victims.

What we do at neon:
•    Your information is not simply available for other people to see. At neon, we ask if you want to give the app access to your contacts, which then makes you visible to other users.
•    When it comes to this feature, we also work with a double-opt-in function: this means you both have to be in each other’s contact lists before you can see each other’s details. So you’d have to have the scammer among your contacts.

What you can do: 
•    Check if your banking app has this kind of feature and how it works. A few apps display your name without giving you the option to accept or reject this.
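The difference between a one-sided contact reveal and the double-opt-in rule described above is easiest to see in code. The following is an added example, not neon's own code: it models a bank's contact-discovery feature as a directory of phone numbers and each customer's uploaded address book (all names and numbers are constructed), and shows what the same upload reveals under each policy.

```python
"""Contact discovery with and without double opt-in.

Added example; this is not neon's code. It models a bank's "which of my
contacts use this bank" feature as a directory of phone numbers and each
customer's uploaded address book, and compares a one-sided reveal with the
mutual (double-opt-in) rule. All names and phone numbers are constructed.
"""

# Constructed directory: phone number -> customer name.
CUSTOMERS = {
    "+41790000001": "alice",
    "+41790000002": "bob",
    "+41790000003": "carol",
    "+41790000099": "newcomer",   # a freshly opened account nobody has saved
}
PHONE_OF = {name: number for number, name in CUSTOMERS.items()}

# Each customer's uploaded address book (empty if they never granted access).
UPLOADED_CONTACTS = {
    "alice": {"+41790000002", "+41790000003"},  # alice has bob and carol
    "bob": {"+41790000001"},                     # bob has alice only
    "carol": set(),                              # carol never opted in
    "newcomer": set(),
}


def visible_contacts(requester, uploaded_numbers, mutual=True):
    """Return the customer names the requester is allowed to see.

    mutual=False: any uploaded number that belongs to a customer is revealed.
    mutual=True : a customer is revealed only if they also have the
                  requester's number in their own uploaded contacts.
    """
    requester_number = PHONE_OF.get(requester)
    seen = set()
    for number in uploaded_numbers:
        name = CUSTOMERS.get(number)
        if name is None or name == requester:
            continue
        if mutual and requester_number not in UPLOADED_CONTACTS.get(name, set()):
            continue
        seen.add(name)
    return seen


def compare_policies(requester, uploaded_numbers):
    """Show what the same upload reveals under each policy."""
    return {
        "one_sided": visible_contacts(requester, uploaded_numbers, mutual=False),
        "double_opt_in": visible_contacts(requester, uploaded_numbers, mutual=True),
    }


def probe_block(prefix="+417900000", count=100):
    """Constructed block of sequential numbers, standing in for a bulk import."""
    return {f"{prefix}{i:02d}" for i in range(count)}


if __name__ == "__main__":
    # A genuine user only sees the contacts who also have them saved.
    print(compare_policies("alice", UPLOADED_CONTACTS["alice"]))
    # An account that imported a whole number block learns nothing under double opt-in.
    print(compare_policies("newcomer", probe_block()))
```

Under the one-sided policy the bulk import confirms every customer in the number block; under double opt-in it confirms none of them, because no customer has the new account's number in their own contacts. That is exactly why a generated list of numbers stops being useful once both sides have to opt in.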

Intercepting the customer login (first authentication factor)

You usually log in using your contract number or email plus a login code. The contract number or email are pretty easy to find, as they’re not private. So the difficulty is getting hold of the login code. This is where the phishing actually begins. Using some pretext (e.g. «We have to verify your account»), they trick the customer into entering their details on a fake website. To do so, they send an SMS or email under the bank’s name. It’s easy to fake a sender’s name – with SMS, for example, various services let you define your name as a sender yourself. Your phone collects all SMS messages from the same sender name together, and it looks as if the SMS actually comes from your bank.

What we do at neon:
•    We always remind you to choose a secure login code. Choosing a date of birth or something that’s easy to guess makes it child’s play for scammers.
•    After three incorrect login attempts, we lock your account. We verify that it’s you before we unlock it again.
•    We don’t send any SMS; all our communications come from an email address ending in our own domain. Yes, this can be faked. That’s why we say that if you’re ever in doubt, give us a call.
•    There’s no area on the neon website that requires you to log in. And we remind you of that too.

What you can do:
•    Only ever enter your neon info in the neon app. Don’t enter it for anything like «competition promos» or «test purchases». Don’t provide it by phone either.
•    Select a secure code and don’t use the same code for different services.

Intercepting the second authentication factor

You usually need a code to approve a transfer in an app. Common methods include TAN lists and SMS-TAN (m-TAN); these are older methods that are easier to circumvent. A secure but less user-friendly method is to have an additional card reader or additional app. The most modern approach combines it all in a single app – the app is specifically activated for that smartphone when the account is opened, and the customer selects their own transfer code that only works on their own smartphone.

What we do at neon:
•    The second security factor is your own smartphone, which is securely connected to your account (on the app) when you open your account. You then set your own transfer PIN that you use to approve each transfer. Your transfer PIN only works on your own smartphone: so a scammer not only needs to know your login code and transfer PIN, but also needs to have your smartphone.
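To make concrete why a transfer PIN that "only works on your own smartphone" defeats a scammer who has stolen both the login code and the PIN, here is an added example (not neon's implementation). It assumes a simple model: at activation the bank stores a secret for that one device, the app approves a transfer with an HMAC over the transfer details under a key derived from the device secret and the PIN, and the server checks the approval against the device on record. Contract number, PIN and IBAN are constructed.

```python
"""Device-bound transfer approval: the PIN alone is not enough.

Added example, not neon's implementation. It assumes a simple model: when
the app is activated, the bank stores a secret for that one device; to
approve a transfer the app computes an HMAC over the transfer details with a
key derived from the device secret and the user's transfer PIN, and the
server checks it against the device on record. Contract numbers, PINs and
IBANs below are constructed.
"""
import hashlib
import hmac
import secrets


def derive_key(device_secret: bytes, pin: str) -> bytes:
    """Approval key depends on both the activated device and the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret, 50_000)


def canonical(transfer: dict) -> bytes:
    """Fixed encoding of the fields the approval must cover."""
    return f"{transfer['to']}|{transfer['amount']}|{transfer['nonce']}".encode()


class Bank:
    def __init__(self):
        self.approval_key = {}  # contract number -> verifier for the one activated device

    def activate_device(self, contract_no: str, pin: str) -> bytes:
        """Run once at onboarding; the device secret is handed to the app only."""
        device_secret = secrets.token_bytes(32)
        self.approval_key[contract_no] = derive_key(device_secret, pin)
        return device_secret

    def approve_transfer(self, contract_no: str, transfer: dict, tag: bytes) -> bool:
        key = self.approval_key.get(contract_no)
        if key is None:
            return False
        expected = hmac.new(key, canonical(transfer), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def app_sign_transfer(device_secret: bytes, pin: str, transfer: dict) -> bytes:
    """What the activated app does when the user enters the transfer PIN."""
    return hmac.new(derive_key(device_secret, pin), canonical(transfer), hashlib.sha256).digest()


def run_scenarios() -> dict:
    """Constructed scenarios; returns which approvals the bank accepts."""
    bank = Bank()
    contract = "12345678"
    pin = "4711"
    phone_secret = bank.activate_device(contract, pin)
    transfer = {"to": "CH00 0000 0000 0000 0000 0", "amount": "120.00", "nonce": "1"}

    genuine_tag = app_sign_transfer(phone_secret, pin, transfer)
    other_phone = secrets.token_bytes(32)   # a device never activated for this account
    return {
        "own_phone_correct_pin": bank.approve_transfer(contract, transfer, genuine_tag),
        "own_phone_wrong_pin": bank.approve_transfer(
            contract, transfer, app_sign_transfer(phone_secret, "0000", transfer)),
        "stolen_pin_other_phone": bank.approve_transfer(
            contract, transfer, app_sign_transfer(other_phone, pin, transfer)),
        "replayed_tag_changed_amount": bank.approve_transfer(
            contract, dict(transfer, amount="9999.00"), genuine_tag),
    }


if __name__ == "__main__":
    for scenario, accepted in run_scenarios().items():
        print(f"{scenario}: {'accepted' if accepted else 'rejected'}")
```

Only the activated phone with the right PIN produces an approval the bank accepts; the same PIN entered on any other device, or a captured approval reused for a different amount, is rejected. The model covers binding only: a real server would also record used nonces so that an identical approval cannot be submitted twice.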

Approving a payment with both factors

If the scammers actually succeed in intercepting all your login details and authentication factors, they can then transfer money out of your account. At neon, as we mentioned, they also need access to your activated smartphone.

What we do at neon: 
•    Our partner bank Hypothekarbank Lenzburg manually checks all foreign payments and larger domestic payments. In case of doubt, we give you a call to verify the payment.

What you can do:
•    If you see something unusual, get in touch with us directly.

There’s no such thing as complete security in life. But on this subject, we’re only happy with the best, most cutting-edge solution. If you do your part too, then the risk of you falling victim to a phishing attack is extremely small.

Want to learn more about security?
You can read about what two-factor authentication is and how deposit protection works here.
And here, we explain how we simulated a hacker attack to make sure that the neon app gets full marks on that topic too.
