“Education is one thing, but I don’t think there’s a silver bullet,” says Ingram. “Criminals are starting to mix things like hacking techniques and keyboard loggers with financial fraud and spamming,” he says. “We’ve got a fairly interesting mix that I don’t think we’ve seen before.”
Westpac’s executive electronic channels manager, Paul Jennings, agrees. His role puts him in direct control of the bank’s internet banking service. The company is attacking online fraud on several fronts. Big-business customers are already provided with RSA SecurID hardware tokens to lock down transactions, and the fraud detection techniques usually used on credit card and cheque accounts have been extended to cover online transactions. Westpac has even engaged the services of a writer to pen layman’s security guides for its customers, which will be available on its website.
The bank is currently negotiating with software vendors to provide discounted security and anti-virus products to its customers, and is considering the wider use of tokens.
“We’re looking at greater use of those tokens and other forms of identifying customers that go beyond an ID and a password,” says Jennings. “One solution is a smartcard, but that’s not something that’s ready now.”
By combining the new technology with an awareness campaign being conducted through mailouts, press ads, media campaigns and other channels, and by closely scrutinising unusual transactions, Jennings believes online fraud can be tamed. The bank also works with telecommunications and IP providers, as well as the authorities, in having offending scam sites shut down.
At this stage, he says, 0.02 per cent of Westpac customers have been affected by online crime. Westpac did not anticipate the new fraud’s rapid growth, says Jennings.
“With some hindsight, we would have been a bit less quick to add some of the payment functions,” he says, describing the addition of features versus security as a “trade-off”.
Technology aside, CEO of the Australian Bankers’ Association (ABA) David Bell believes educating the public is a vital first step. The ABA is working with all the banks on an education strategy.
Describing consumer education and awareness as “the number one weapon” against online fraud, Jennings points out the criminals cannot commit the crime unless the customer hands over their personal information that gives fraudsters access to targetted accounts.
AusCERT, which claims to deal with up to five phishing scams a day, issued an alert on 16 February this year about a particularly nasty online scam. It consisted of a spam email that would trick recipients into visiting a malevolent website. Pages on the site were loaded with malicious code that would exploit a security vulnerability in unpatched Internet Explorer browsers and automatically install a Trojan on the victim’s computer. That Trojan was loaded with key-logging software designed to capture online banking passwords.
Alarmingly, the scam targetted a number of Australian financial institutions such as Westpac, Macquarie, Suncorp Metway, National Australia Bank, the Commonwealth Bank and many others.
Scammers have found a way to be surgical and it’s going to keep up, according to Ingram, who points out online fraudsters will not give up while the crime is still profitable.
David Banes, who was recently appointed to the board of the Internet Industry Association, argues the losses caused by the scams go beyond the actual cash siphoned away by criminals – there’s potential for significant brand damage too. Because phishers are going after organisations with brand presence, the reputation of the targeted organisation suffers.
“It’s an emotional thing ... the victim will be upset with the bank as well, even if it had nothing to do with it,” says Banes.
While phishing may be on the rise, Bell says the ABA hasn’t noticed a slowdown in the uptake of internet banking, and points out there are more than seven million Australians registered for online banking – a figure that is on the rise.
Westpac’s Jennings agrees, saying consumers seem quite comfortable with online banking, despite having reservations in other areas. While some are reluctant to give away their credit card details to merchant websites, when it comes to signing into the bank, security comes up as a concern, but there’s been no downturn whatsoever in registrations.
End users ignored?
The average computer user has been neglected for too long, according to Ingram, which has to a certain extent been an enabler for online fraud. “The end users have been ignored almost from the beginning. Computers were never designed, as far as I can see, for the end users. They were designed for people who knew about computing ... I don’t think they were ever thought about and the impact is horrendous.”
The problems are fundamental, Ingram adds. Less-than-savvy internet users could be using a secure system but, “It doesn’t matter what security you have, if you click on an executable email attachment, it’ll do something bad”.
Anti-virus and security software, while recommended by Ingram, aren’t the be all and end all of staying safe, either. Consumer security software is often oversold.
“Every vendor is dishonest about what their product can and can’t do ... that’s one of the things that needs to be addressed,” he says. “But I think you’re going to see that changing in the near future.”
Jennings agrees software designed to help users is limited in appeal to the average user. End-user firewall products are too technical, he argues. “We need to assist by demystifying that.”
Ingram and Jennings all say reducing online fraud will require cooperation between victim organisations, law enforcement agencies, the government and lawmakers. An improvement in operating system security, as well as boosted authentication measures and better security software is also a must.
“The risks are there but they’re not insurmountable,” says Banes.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.