By Greg Kelaart-Courtney
With just under 50% of the population of Europe, North America, ANZ and South East Asia utilising online banking, one would think the concept has matured into a safe and secure environment.
Online banking is part of e-commerce and provides interactive services such as accessing account summary information, paying bills and accessing other banking products. While internet banking can provide considerable convenience for users who need banking facilities outside normal branch services, we as users also unwittingly make ourselves vulnerable to a multitude of potential risks such as virus attacks, key loggers, unauthorised access, fraudulent transactions, identity theft and, more recently, phishing.
Phishing can be described as a scam in which the potential hacker sends e-mails to an end user purporting that the e-mail originated from a legitimate establishment such as a bank, while the darker intent is to gather personal customer information in order to use it fraudulently. A phishing attack succeeds when users click on the supplied URL and update their personal and banking details as instructed. One of the reasons phishing has been so successful is that the site users are redirected to looks and feels like their online banking site.
This is achieved by the hacker substituting a letter from a different character set for the legitimate character in the site name. For example, www.onlinebanking.com could be shown as www.?nlinebanking.com, where the subtle difference is that the ‘o’ in online is a different character. Although phishing is a recent phenomenon in online banking, it has already reached disquieting proportions. In June 2004, losses to phishing and identity theft exceeded an estimated US$2 billion, with the financial industry becoming anxious that this could be just the tip of the iceberg.
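The character-substitution trick described above can be checked for mechanically before a link is followed or a mail is delivered. The following is an added example (not code from the original article): it splits the host name of a URL into labels, flags any label that mixes scripts or contains non-ASCII characters, collapses known look-alike characters to their ASCII counterparts and compares the result against a list of trusted host names, and shows the IDNA/Punycode form that the resolver actually looks up. The `CONFUSABLES` table, the `www.onlinebanking.com` trusted list and the sample URLs are constructed for the example.

```python
import unicodedata
from urllib.parse import urlsplit

# Hand-built table of visually confusable characters and the ASCII letter they
# imitate. Constructed subset for illustration only; Unicode's confusables.txt
# lists thousands of such pairs.
CONFUSABLES = {
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}


def script_of(ch: str) -> str:
    """Script a letter belongs to, taken from its Unicode name ('LATIN', 'CYRILLIC', ...)."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def skeleton(label: str) -> str:
    """Collapse look-alike characters to their ASCII counterpart so that
    confusable labels compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))


def analyse_hostname(url: str, trusted_hosts: set) -> dict:
    """Inspect the host part of a URL for substituted characters. Returns the
    findings rather than a verdict, so a mail gateway or browser add-on can
    decide what to do with them."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    findings = []

    for label in labels:
        # Letters of more than one script in a single label is the classic tell.
        scripts = {script_of(ch) for ch in label if ch.isalpha()}
        if len(scripts) > 1:
            findings.append(f"label '{label}' mixes scripts {sorted(scripts)}")
        if any(ord(ch) > 0x7F for ch in label):
            findings.append(f"label '{label}' contains non-ASCII characters")

    # A host whose skeleton equals a trusted name, but which is not that name,
    # is imitating it.
    skel = ".".join(skeleton(label) for label in labels)
    if skel != host and skel in trusted_hosts:
        findings.append(f"host imitates trusted name '{skel}'")

    try:
        # What the resolver actually looks up; an 'xn--' label is a cheap tell.
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None

    return {
        "host": host,
        "punycode": punycode,
        "skeleton": skel,
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    trusted = {"www.onlinebanking.com"}  # constructed trusted list
    # The second URL uses a Cyrillic 'о' (U+043E) in place of the Latin 'o'.
    for url in ("https://www.onlinebanking.com/login",
                "https://www.\u043enlinebanking.com/login"):
        result = analyse_hostname(url, trusted)
        print(result["host"], "->", result["punycode"], result["findings"])
```

The skeleton comparison is what catches the case the article describes, where every visible glyph matches the genuine name; the script-mixing and Punycode checks catch it even when the imitated name is not on the trusted list.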
Another security threat is credit card fraud, which has continued to be a growing problem for e-commerce. During 2002, online merchants lost approximately US$500 million due to fraudulent orders. According to Gartner Group, when you compare e-commerce organisations with their brick-and-mortar counterparts, online merchants are facing a risk of fraud that is 19 times higher. However, despite these inherent risks and the increased visibility given to identity theft, consumers are increasingly turning to the internet for their shopping. While concerns about fraud are increasing, most consumers feel they are doing their part through “secure” passwords.
While 84% of end users feel their passwords are at least somewhat secure, 44% of respondents never change their passwords. The longer consumers have been shopping online or using online banking, the more likely they are to change their passwords. More importantly, what security solutions and methodologies are financial institutions putting in place to ensure their customers do not fall victim to internet fraud?
According to Celent Communications, European banks spend on average two to three times more per online banking customer on fraud prevention technologies than their American counterparts. The annual amount lost to online banking fraud in Europe pales in comparison to the combined budgets banks devoted to prevention.
European banks continue to spend on prevention technology primarily because of cultural attitudes towards the perceived risk and the potential damage to the brand image from any fraud incident. Alex Brutin, an analyst for Celent Communications, states that, unlike the American market, which predominantly uses a username/password combination to authenticate consumers, European banks have deployed a wide variety of authentication solutions to serve both corporate and retail users, such as TAN lists, software PKI, symmetric keys with a hardware token and hardware PKI.
A multitude of banks worldwide, including in the Middle East, still wrongly believe the confidentiality of their customers’ personal and banking information is protected by just a user ID, a password and Secure Sockets Layer (SSL) 128-bit encryption. All it takes is for a simple key logger to be installed on your computer and the hacker has total control of your online banking.
Today, the banking industry is taking great pains to ensure the security of its customers by implementing secure online banking models such as token devices with login procedures that give customers a higher level of security than traditional methodologies. To log on to his or her online banking site, a customer requires a token, which displays a six-digit number that changes every 60 seconds, and a four-digit PIN, which unlocks the token.
Although the token authentication method has provided a higher level of security between the user and the bank, a potential hacker can still hijack a user’s session. To combat this vulnerability, token authentication should be coupled, in what is called ‘two factor authentication’, with a “challenge – response” authentication model for all online banking sessions. For every financial transaction the user has to confirm his or her identity and the transaction again by generating a new password. This way session hijacking can be avoided, as each password can only be used once.
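The two preceding paragraphs describe a token that shows a six-digit code per 60-second window behind a four-digit PIN, and a challenge-response step that produces a fresh, single-use password for each transaction. The following added example (not code from the article or from any bank's product) models both sides of that exchange: the customer's token and the bank's verifier share a seed; login codes are derived from the clock window and accepted once; transaction responses are derived from a random challenge plus the transaction the customer sees, so a replayed response, a reused challenge, or a transaction altered in transit all fail. The seed, PIN and transaction strings are constructed values, and the HOTP-style truncation (RFC 4226) is used here over HMAC-SHA256.

```python
import hashlib
import hmac
import secrets
import struct


def one_time_code(seed: bytes, message: bytes, digits: int = 6) -> str:
    """Short numeric code from a shared seed and a message, using the dynamic
    truncation of RFC 4226 (HOTP) over HMAC-SHA256."""
    mac = hmac.new(seed, message, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Token:
    """Model of the customer's hardware token: a seed shared with the bank,
    a 60-second clock window and a four-digit PIN that unlocks it."""

    def __init__(self, seed: bytes, pin: str, step: int = 60):
        self._seed = seed
        self._pin_digest = hashlib.sha256(pin.encode()).digest()
        self.step = step

    def _unlock(self, pin: str) -> None:
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_digest):
            raise PermissionError("wrong PIN: token stays locked")

    def login_code(self, pin: str, now: float) -> str:
        """Six-digit code for the current 60-second window, used at login."""
        self._unlock(pin)
        return one_time_code(self._seed, struct.pack(">Q", int(now // self.step)))

    def sign_transaction(self, pin: str, challenge: bytes, transaction: str) -> str:
        """Challenge-response: the code depends on the bank's fresh challenge and
        on the transaction the customer sees, so it fits no other transaction."""
        self._unlock(pin)
        return one_time_code(self._seed, challenge + transaction.encode())


class BankServer:
    """Bank side: verifies login codes within a small clock drift, rejects any
    code already accepted, and issues one-shot transaction challenges."""

    def __init__(self, seed: bytes, step: int = 60, drift: int = 1):
        self._seed = seed
        self.step = step
        self.drift = drift
        self._used_codes = set()   # (window, code) pairs already accepted
        self._pending = {}         # challenge -> transaction awaiting confirmation

    def verify_login(self, code: str, now: float) -> bool:
        window = int(now // self.step)
        for w in range(max(0, window - self.drift), window + self.drift + 1):
            expected = one_time_code(self._seed, struct.pack(">Q", w))
            if hmac.compare_digest(code.encode(), expected.encode()):
                if (w, code) in self._used_codes:
                    return False   # replayed code from a hijacked session
                self._used_codes.add((w, code))
                return True
        return False

    def issue_challenge(self, transaction: str) -> bytes:
        """Record the transaction as submitted and return a random challenge."""
        challenge = secrets.token_bytes(8)
        self._pending[challenge] = transaction
        return challenge

    def verify_transaction(self, challenge: bytes, response: str) -> bool:
        """Accept a response once only, and only for the transaction that was
        actually submitted under this challenge."""
        transaction = self._pending.pop(challenge, None)   # one use per challenge
        if transaction is None:
            return False
        expected = one_time_code(self._seed, challenge + transaction.encode())
        return hmac.compare_digest(response.encode(), expected.encode())


if __name__ == "__main__":
    seed = b"constructed-demo-seed-not-a-real-secret"   # constructed value
    token, bank = Token(seed, "1234"), BankServer(seed)
    now = 1_700_000_000
    code = token.login_code("1234", now)
    print("login:", bank.verify_login(code, now), "replay:", bank.verify_login(code, now + 5))
    challenge = bank.issue_challenge("pay 500 to ACC-42")
    response = token.sign_transaction("1234", challenge, "pay 500 to ACC-42")
    print("transaction:", bank.verify_transaction(challenge, response),
          "reuse:", bank.verify_transaction(challenge, response))
```

Binding the response to the transaction text, and not only to the challenge, is what turns the second factor into transaction confirmation: a hijacker who swaps the payee after the customer has approved the payment holds a response computed over the wrong message.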
Although this ‘two factor authentication’ model has provided more secure online banking capabilities, some banks have thought it prudent to take their online security to a higher plane. For instance, the Mitsubishi Tokyo Financial Group will be releasing a new Visa credit card that will incorporate a biometric verification system.