Space invaders

While online banking has made life easier for customers it has also exposed them to the menace of cyber crime. Diana Milne reports on the risks and how customers can protect their money and their identities online.

Online banking has opened up a world of possibilities for customers who now have the ability to bank anytime and anywhere from their PCs. But it has also opened them up to new dangers as cyber criminals develop increasingly sophisticated ways of preying on online banking customers. While banks insist customers are safe to conduct their transactions online - security experts warn that without taking proper precautions customers could find themselves the victims of a cyber crime, and their bank accounts cleaned out. But what are the risks that customers should beware of and how can they protect themselves?
Phishing

One of the biggest dangers of online banking is identity theft - whereby cyber criminals obtain a person's internet banking log in and password details. Experts agree that phishing attacks are the most common method currently being used by cyber criminals to obtain customers' details.

A phishing attack is where a customer receives an email which appears to be from their bank containing a link to the bank's website.

The email usually asks the customer to click onto the link and enter the bank's website where they will be asked to enter their log in details and password.

However as Khaled Khatila, senior systems engineer at IT security firm Symantec Middle East explains, this is usually a clever ruse used by cyber criminals to get customers' details into the wrong hands.

"Customers will often get an email telling them that their account has been compromised in some way or that they need to confirm their log-in details. Often it will say that if they don't click onto the website link and update these details then their account will be terminated or they will be locked out and they will have to go though a long process to reactivate it. Most users panic and decide to click onto the link and follow the instructions. The link is crafted in such a way that it appears to be legitimate but when he clicks on it and enters his details he will get an incorrect log in message."

In the meantime the user's details have been recorded and he is then redirected to the real bank's website and will probably think nothing of it.

But by this time the perpetrator of the attack has the user's details so he can log into their account, impersonating the customer and then transfer large sums of money into their own bank accounts.

"Once the phisher has the details he will log in as the customer, and will add himself as a beneficiary then transfer money to himself - often as much as is allowed in a day - then log out and the damage is done," says Khatila.

A number of banks in the region have been hit by phishing attacks - with HBSC and Mashreq admitting they have been targeted.

"Just like any bank we have been impacted a number of times," admits Omar Asghar, marketing director of Mashreq. "What we typically do when that happens is we work with the international cyber security agencies to get these sites shut down as soon as possible."

Nader Haghighat, regional head of direct banking at HSBC adds: "I don't have any specific numbers for the whole region but it does happen globally and it certainly happens in the Gulf region. And HSBC is no exception in having been targeted in the past."

The effectiveness of these phishing attacks relies on the gullibility of online banking customers - and the reason why they are often so successful is that phishing emails and the websites they lure customers to appear to be completely legitimate; so much so that even banking and security experts themselves admit they have almost been drawn in on occasions.

"Even those of us who are working in the industry occasionally receive a very clever phishing email and we think ‘is that a real one or a pretend one?" says Lu Zurawski, director of cards and consumer payments, global financing services, LogicaCMG.

"These attacks are becoming very clever," he goes on to say.

Owen Belman, head of consumer banking for Standard Chartered Bank, adds: "I've been approached in phishing attacks and the email looks legitimate. It asks you to provide your password and your account details and it all sounds quite reasonable."

Those behind the attacks will often send out millions of emails in one go - and even if just a handful of customers respond it makes the attack worthwhile.

"These online attacks are so successful because of the sheer number of targets that these guys have access to," says Khatila. "You can send one email to a million people in one shot - and even a 1% hit rate is considered successful. If someone can get away with stealing a few hundred dollars from thousands of people, then just imagine how much money these guys are making," he adds.

Although technology can go some way to protecting customers from phishing attacks, banks agree that educating customer on safe online banking practices is the biggest deterrent.

The most important advice they give customers on how to avoid being ‘phished' is never to respond to an email asking them to provide password or log in details because banks themselves would never make such a request.

Asghar says: "For starters a bank would never send emails asking for a password or log in details from customers. It has never been a bank's standard behaviour and it never will be. If there were a situation where we needed a customer to change his or her password we would say go to an ATM and use the tools we provide there for you to change your password, or go on the internet and change your password," says Belman.

No Comments

Add your Comment All posts are sent to the administrator for review and are published only after approval. ArabianBusiness.com reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic.
Name *
Remember me on this computer
Email *	(Your email address will not be published)
City
Country
Subject *
Comment *
Notify me of further comments
Security Code *
Please click post only once - your comment will not be published immediately.