Phishing for security

The need for better banking security has been highlighted by recent phishing and other attacks. Banks claim their systems are safe, but are they, and who is responsible for losses?

A few weeks ago, a hacker installed keystroke logging software in a Wellington cybercafe and within three minutes began gathering the user names and passwords of people doing their online banking there. Details of the incomes, savings and spending patterns of numerous Westpac, BNZ, ANZ, National, Kiwibank and PSIS customers were accessed. The police, reported the Sunday Star-Times, also warned the 1.4 million New Zealanders who bank online that such a practice is "very risky".

Phishers targeted Westpac and some NZ banks last year. The popular Trade Me website was also a victim in February, prompting the online auction site to create a new section advising users what they can do to protect themselves from internet fraudsters.

Early last month, Westpac and other banks blocked access to online banking for hundreds of their customers because their PCs had become infected with "spyware" from US company MarketScore, which monitors PC use and sells the information for marketing purposes.

The perils of banking and trading online have been known for years, but the recent Sunday Star-Times report following these and other recent cases brought banking security to the public mind like never before, with the National Party opposition demanding the Labour-led government "do something".

Blame game

But just who is to blame should you find your bank account raided by a phishing or Trojan scam? It all depends on the fine print of your banking conditions, as much has yet to be set in law.

Reviewing the ASB Netcode authentication system, Auckland-based independent security expert Kerry Thompson notes the conditions the bank imposes on users - conditions similar to those from other banks.

Losing a conventional credit card puts the user at risk of losing up to $50 for fraudulent transactions, and the same applies with online banking. However, clauses exist concerning "negligence" in maintaining security, and that has yet to be strictly defined, so losses seem likely to be handled case by case.

The ASB warns users risk losing between $50 and their account balance (plus the amount that can be transferred from the associated credit card or other credit account).

"Put bluntly, if you are not diligent about your online security, you could lose everything - plus all the credit you have available," Thompson writes on his website.

However, he says the banks are responsible for authenticating the person performing the transactions. They must prove you are the owner of the account before you withdraw the money, and since such proof is harder to obtain online, two-factor authentication is necessary.

In New Zealand, one phishing scam led a bank to settle in secret when $20,000 went missing from an Auckland man's account.

A Sydneysider was recently compensated after A$9000 disappeared from his bank account following online banking in a cybercafe. But in Miami, a businessman is suing the Bank of America after US$90,000 was transferred from his account to one in Latvia.

The US Secret Service found a Trojan called Corewood was responsible, but in a case still pending, the bank blames the businessman for not taking sufficient security precautions.

Safety assurances

Westpac internet business manager Henry Davies claims that subject to the "right precautions," internet banking can be the safest form of banking around, adding that cheque, ATM and other fraud is much more prevalent.

Davies adds that people can also beat keystroke logging software because it does not capture mouse movements. Thus, by moving the mouse around and using the cursor, backspace and other keys, the logger would not be able to accurately record what has been typed.

Westpac is looking at moving to two-step authentication processes, as is ANZ, but Westpac believes that if security methods make access too complicated, customers will be turned off online banking.

National Bank agrees, claiming this has been borne out by trials with its own customers.

Shona Bishop, general manager of channels, says the bank uses sophisticated security systems and advises customers to install firewalls and AV software at home and never to bank online in a public cybercafe.

The bank raised the issue of plastic authentication tokens, but customers did not want the hassle of needing extra passwords and complications.

The issue was not about online banking security, Bishop explains, but internet security. Thanks to the bank's own "sophisticated technology, security and processes", customers need not worry if they took the "necessary and sensible steps" as outlined.

Indeed, banking software can even detect unusual transactions outside the normal pattern of customer use. Thus the bank would warn customers of, say, transactions in Malaysia if the user was in Wellington the day before.
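The "unusual transaction" check described above is easy to model. The following is an added example written for this page, not code from any bank named here: it evaluates each customer's transactions in time order against that customer's own history and flags a country change within 24 hours (the "Wellington yesterday, Malaysia today" case) or an amount far above the customer's median. The rule thresholds (LOCATION_WINDOW, AMOUNT_MULTIPLIER, MIN_HISTORY), the Txn record and the sample transactions are all my assumptions and constructed data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Txn:
    customer: str
    when: datetime
    country: str   # where the session or card presentment originated
    amount: float


# Rule parameters are assumptions; the article only says "outside the normal pattern".
LOCATION_WINDOW = timedelta(hours=24)   # "in Wellington the day before"
AMOUNT_MULTIPLIER = 3.0                 # amount more than 3x the customer's median
MIN_HISTORY = 3                         # need some history before judging amounts


def flag_unusual(txns):
    """Evaluate transactions in time order against each customer's own history.

    Returns a list of (txn, reasons) for those that deserve a warning to the customer.
    """
    history = {}   # customer -> prior transactions, oldest first
    flagged = []
    for t in sorted(txns, key=lambda x: x.when):
        prior = history.setdefault(t.customer, [])
        reasons = []
        if prior:
            last = prior[-1]
            gap = t.when - last.when
            if t.country != last.country and gap <= LOCATION_WINDOW:
                hours = gap.total_seconds() / 3600
                reasons.append(f"location changed {last.country} -> {t.country} within {hours:.0f}h")
        if len(prior) >= MIN_HISTORY:
            typical = median(p.amount for p in prior)
            if t.amount > AMOUNT_MULTIPLIER * typical:
                reasons.append(f"amount {t.amount:.2f} exceeds {AMOUNT_MULTIPLIER}x median {typical:.2f}")
        if reasons:
            flagged.append((t, reasons))
        prior.append(t)   # flagged or not, it becomes part of the history
    return flagged


# Constructed sample data: a Wellington customer whose account is used in Malaysia
# the next day, and a second customer with an ordinary week.
SAMPLE = [
    Txn("alice", datetime(2005, 4, 1, 9, 0), "NZ", 42.50),
    Txn("alice", datetime(2005, 4, 2, 12, 30), "NZ", 58.00),
    Txn("alice", datetime(2005, 4, 3, 18, 15), "NZ", 61.20),
    Txn("alice", datetime(2005, 4, 4, 8, 45), "NZ", 47.90),
    Txn("alice", datetime(2005, 4, 5, 3, 10), "MY", 950.00),
    Txn("bob", datetime(2005, 4, 1, 10, 0), "NZ", 20.00),
    Txn("bob", datetime(2005, 4, 3, 10, 0), "NZ", 25.00),
    Txn("bob", datetime(2005, 4, 5, 10, 0), "NZ", 22.00),
]


def run_sample():
    return flag_unusual(SAMPLE)


if __name__ == "__main__":
    for txn, reasons in run_sample():
        print(f"{txn.customer} {txn.when:%Y-%m-%d %H:%M} {txn.country} ${txn.amount:.2f}")
        for r in reasons:
            print("   -", r)
```

On the sample data only alice's Malaysian transaction is flagged, for both reasons; bob's week and alice's first four transactions pass. Comparing against the customer's own median rather than a global limit is what lets the same rule serve a student and a business account.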

The ASB and its sister BankDirect have already gone down the two-step authentication path, launching its Netcode system towards the end of last year, which it developed with the NZ Police E-Crime Laboratory and vendor RSA Security.

A registered Netcode customer enters their user name and password to access their accounts as now. But when requesting an internet-based pay-away transaction exceeding $2500 to another bank, a Netcode is sent to the customer's mobile phone via SMS text. This eight-digit code must be entered online within three minutes to verify the customer is who they claim to be before they can make the transaction.
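The step-up flow just described maps onto a small piece of server-side logic. The following is an added example written for this page, not ASB's or RSA's code: it uses the article's parameters (pay-aways over $2500 to another bank, an eight-digit code, a three-minute window) and adds the checks a practitioner would expect around them. The retry limit, the decision to bind the code to the amount and payee it was issued for, the SMS wording, the StepUpAuthenticator class, and the phone and account numbers in the demo are all my assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Parameters taken from the article's description of Netcode.
STEP_UP_THRESHOLD = 2500.0   # dollars; pay-aways above this to another bank need a code
CODE_TTL_SECONDS = 180       # the code must be entered within three minutes
CODE_DIGITS = 8              # eight-digit code
MAX_ATTEMPTS = 3             # assumption: retry limit is my choice, not stated on the page


@dataclass
class PendingCode:
    code: str
    issued_at: float
    amount: float
    payee_account: str
    attempts: int = 0


class StepUpAuthenticator:
    """Hypothetical server-side model of an SMS step-up check (not the bank's code)."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms   # callable(phone, message); real delivery is out of band
        self.clock = clock         # injectable so expiry can be tested deterministically
        self.pending = {}          # customer_id -> PendingCode

    @staticmethod
    def needs_step_up(amount, to_other_bank):
        return to_other_bank and amount > STEP_UP_THRESHOLD

    def start_transfer(self, customer_id, phone, amount, payee_account, to_other_bank):
        """Approve small or same-bank transfers directly; otherwise issue a fresh code."""
        if not self.needs_step_up(amount, to_other_bank):
            return "approved"
        # secrets, not random: the code must be unpredictable to an attacker
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[customer_id] = PendingCode(code, self.clock(), amount, payee_account)
        # Assumption: include the amount and payee in the SMS so the customer can spot a
        # transaction they did not initiate before typing the code in.
        self.send_sms(phone, f"Netcode for ${amount:.2f} to {payee_account}: {code}")
        return "code_required"

    def confirm_transfer(self, customer_id, entered_code, amount, payee_account):
        pending = self.pending.get(customer_id)
        if pending is None:
            return "no_pending_code"
        if self.clock() - pending.issued_at > CODE_TTL_SECONDS:
            del self.pending[customer_id]
            return "expired"
        # Bind the code to the transaction it was issued for: a code captured for one
        # transfer cannot approve a different amount or payee.
        if amount != pending.amount or payee_account != pending.payee_account:
            del self.pending[customer_id]
            return "transaction_mismatch"
        if not hmac.compare_digest(entered_code, pending.code):
            pending.attempts += 1
            if pending.attempts >= MAX_ATTEMPTS:
                del self.pending[customer_id]
                return "locked_out"
            return "wrong_code"
        del self.pending[customer_id]   # single use: a correct code is consumed
        return "approved"


def demo():
    """Walk through the flow with a fake clock and a captured SMS outbox."""
    outbox = []
    now = [1_000_000.0]
    auth = StepUpAuthenticator(lambda phone, msg: outbox.append(msg), clock=lambda: now[0])
    phone, payee = "+64-21-000-0000", "06-0000-0000000-00"   # constructed placeholders
    results = {}
    results["small"] = auth.start_transfer("cust1", phone, 800.0, payee, True)
    results["large"] = auth.start_transfer("cust1", phone, 4000.0, payee, True)
    code = outbox[-1].rsplit(":", 1)[1].strip()
    results["tampered"] = auth.confirm_transfer("cust1", code, 4000.0, "ATTACKER-ACCOUNT")
    auth.start_transfer("cust1", phone, 4000.0, payee, True)   # tampered attempt consumed the code
    code = outbox[-1].rsplit(":", 1)[1].strip()
    results["ok"] = auth.confirm_transfer("cust1", code, 4000.0, payee)
    results["replay"] = auth.confirm_transfer("cust1", code, 4000.0, payee)
    auth.start_transfer("cust1", phone, 4000.0, payee, True)
    code = outbox[-1].rsplit(":", 1)[1].strip()
    now[0] += CODE_TTL_SECONDS + 1        # three minutes and one second later
    results["late"] = auth.confirm_transfer("cust1", code, 4000.0, payee)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>8}: {outcome}")
```

Binding the code to the amount and payee is the part that matters against the keystroke-logger and man-in-the-middle concerns raised later in the article: a code captured or relayed for the customer's own transfer is useless for a different one, and the SMS itself tells the customer what they are approving.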

Maarten Kleintjes, national manager of NZ Police's E-crime Laboratory, says such a system will "seriously impact on the ability of cybercriminals to carry out successful attacks."

"Netcode will restore and reinforce consumer confidence in the online banking system," he said at its launch, adding two-factor identification will become standard practice.

Indeed, Gartner believes that by 2007, three-quarters of US banks will use two-step authentication, with 70 per cent of global banks mandating hardware tokens.

Last month, as the online banking controversy brewed, ASB Bank's head of technology, operations and cards, Clayton Wakefield, said his bank was "raising the bar" for internet banking with Netcode, which added to the bank's own "world class internet security systems."

Thus, internet banking is safe if customers take precautions and minimising its risk will "always be a shared responsibility between the customer and the bank."

"ASB Bank and BankDirect are proactive in developing measures to reduce the risk to customers. Importantly, customers themselves have a role to play in protecting their assets, just as they would walking down the street with their purse or wallet," Wakefield said in a statement.

Independent security expert Kerry Thompson was last year invited by the ASB Bank to try the Netcode service. Thompson himself developed the internet firewall and e-commerce infrastructure systems for Air New Zealand and other large corporates. Corporate websites in New Zealand are generally safe, he says, though maybe not as much as they would like us to believe.

Thompson says the service works as claimed, though he had some concerns over how long it might take the SMS messages to arrive and what might happen if users were out of cellphone range. He also wanted the service to be available for transactions below $2500, but overall, Netcode was "a good system," he tells MIS.

However, in a report that can be found online, Thompson also quotes New Zealand internet commentator Bruce Simpson warning that two-factor authentication can still be cracked by keystroke loggers, even if the "man-in-the-middle" process becomes much harder and the erratic traffic through web servers would be easy to detect.

In Australia, as banks plan to make two-factor authentication mandatory, other IT analysts also warn new spyware and Trojan technology can make two-factor authentication obsolete.

However, Bendigo Bank seems happy with its token-based system introduced recently following a phishing attack at the bank, claiming a fifth of customers have bought its $16.50 tokens.

In place of pin-pad log-ins, as used in Germany, the Netherlands and CitiBank of America, some experts say another option is to use a mouse instead of a keyboard to click on random digits.

Last month's CEBIT trade fair in Hanover, Germany, highlighted many concerns over online security, with Microsoft calling for password-only IDs to be a thing of the past.

Vendors and related security experts also raised the prospect of digital identities allowing users to reduce the number of credit cards, loyalty cards and other proofs of identity that they carry.

Smart cards, digital passports and national ID cards could carry information for many purposes, possibly even using biometric information.

However, even here, while such systems would make criminal activity very hard to succeed, experts agree making them infallible would be impossible.

Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.
