Robin Arnfield, newsfactor.com
Online banking is suffering through a withdrawal phase. A study last
fall by I.T. security firm Entrust found that 18 percent of Americans
who bank online plan to do so less often because of security concerns.
A third of the respondents said they were worried about their bank's
Web site being spoofed by a fraudulent facsimile that would trick them
into divulging their logon information.
"Consumer confidence in online banking security has been damaged,"
said Chris Voice, vice president of technology at Entrust. "This is
bad news for banks. If consumers start defecting from online banking
to call centers or branches, this will put banks' costs up."
According to Voice, a call-center transaction costs a bank 10 times as
much to process as an online transaction. And if people start beating
a path back to the branches, where a transaction is even more expensive
than at the call center, banks will have to hire more staff, he said.
Banks are reluctant to share hard data on the scale of online fraud.
But in response to the growing threat, financial institutions around
the world are stepping up their user-authentication systems and
strengthening their risk-monitoring technology.
In the U.S., the federal government has given banks until the end of
the year to install better online-security measures. Some companies,
such as Bank of America and E*Trade, have gotten a head start by
introducing two-factor authentication technologies to complement the
traditional user name and password required for accessing online
services.
A SiteKey for Sore Eyes
Two-factor authentication combines something you have, such as a
hardware device or a software application, with something you know,
such as a password.
Bank of America's new authentication system, called SiteKey, is now
mandatory in all markets across the U.S. in which the bank offers
online-account services, with the exception of Washington and
Idaho. The bank said it will roll out SiteKey to its online customers
in those two states by April.
SiteKey, developed by PassMark Security in Menlo Park, California, is
designed to prevent account holders from falling prey to bogus Web
sites that troll for sensitive information. It does this by asking you
to select an image and a phrase that only you know. If this image and
phrase are not displayed on the Bank of America Web site when you log
in, then you know the site is fraudulent.
SiteKey uses cookies, small pieces of data that a Web site stores in the
visitor's browser, to check whether customers are accessing the bank's
Web site from their usual computers. If, for example, they are using a
computer at an Internet cafe, they are first asked
challenge-and-response questions that only they should be able to
answer.
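The logic described above, written out as an added example (this is not Bank of America's or PassMark's code, and the user records, the question text and the cookie format are constructed for the demo): the customer types only a user name first; if the browser carries a device cookie that was signed by the bank for that user name, the personal image and phrase are shown so the customer can verify the site before typing a password; otherwise the site asks a pre-agreed question and, on a correct answer, registers the device.

```python
import hmac
import hashlib
import secrets

# Constructed demo user store; a real bank keeps this in its customer database.
USERS = {
    "alice": {
        "password": "correct horse",
        "image": "sailboat.png",
        "phrase": "blue skies over the bay",
        "questions": {"first pet": "rex"},
    }
}

# Server-side secret used to sign device cookies (generated per process here).
DEVICE_KEY = secrets.token_bytes(32)


def issue_device_cookie(username):
    """Mint a cookie marking this browser as a known device for `username`.
    It is bound to the user name and signed, so it cannot be forged or
    transplanted onto another account."""
    device_id = secrets.token_hex(8)
    payload = f"{username}:{device_id}"
    mac = hmac.new(DEVICE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def cookie_is_valid(cookie, username):
    """True only if the cookie was minted by us for exactly this user name."""
    if not cookie:
        return False
    try:
        user, device_id, mac = cookie.split(":")
    except ValueError:
        return False
    if user != username:
        return False
    expected = hmac.new(DEVICE_KEY, f"{user}:{device_id}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def login_step1(username, cookie=None):
    """Step 1: only the user name has been typed. On a recognised device the
    bank shows the personal image and phrase so the customer can verify the
    site before entering a password. On an unknown device it asks a question."""
    user = USERS.get(username)
    if user is None:
        # Do not reveal whether the user name exists: ask a question anyway.
        return {"action": "challenge", "question": "first pet"}
    if cookie_is_valid(cookie, username):
        return {"action": "show_sitekey",
                "image": user["image"], "phrase": user["phrase"]}
    question = next(iter(user["questions"]))
    return {"action": "challenge", "question": question}


def answer_challenge(username, question, answer):
    """A correct answer registers the device (via a new cookie) and then
    shows the SiteKey image and phrase."""
    user = USERS.get(username)
    if user is None:
        return {"action": "challenge_failed"}
    expected = user["questions"].get(question, "")
    if not hmac.compare_digest(expected.lower(), answer.strip().lower()):
        return {"action": "challenge_failed"}
    return {"action": "show_sitekey", "image": user["image"],
            "phrase": user["phrase"], "set_cookie": issue_device_cookie(username)}


def login_step2(username, password):
    """Step 2: the customer, having seen the correct image, types the password."""
    user = USERS.get(username)
    return user is not None and hmac.compare_digest(user["password"], password)
```

The point of the two-step order is that the password is never typed on a page that has not first proved it knows the customer's image and phrase; the cookie only decides whether that proof is shown immediately or after a question.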
"SiteKey allows our customers to know that they are accessing our Web
site and not a fraudulent site, and it enables us to know that we are
dealing with genuine customers," said Betty Riess, a spokesperson for
Bank of America.
E*Trade chose a hardware-based route to stronger authentication. Since
April 2005, it has been offering its customers devices known as
SecurID tokens, which are made by RSA Security in Bedford, Mass.
For customers who are frequent traders on the site or who hold over
$50,000 in assets with E*Trade, the SecurID tokens are free; everyone
else pays a one-time $25 charge.
These tokens display a one-time passcode to enter when logging on. The
number has to match the one-time passcode that E*Trade's back-end
server generates independently for the same moment.
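How a token and a server can arrive at the same one-time code without talking to each other, as an added example rather than RSA's own (proprietary) SecurID algorithm: the stand-in here is the public HOTP/TOTP construction (RFC 4226 and RFC 6238), in which both sides share a seed at enrolment and each derives the current code from the seed and the current time slot. The seed, the 60-second step and the clock-drift window are assumptions for the demo. The server side also shows the two checks a practitioner wants: tolerate a slightly fast or slow token clock, but never accept a code twice.

```python
import hmac
import hashlib
import struct

# Constructed demo seed shared by token and server at enrolment
# (the RFC 4226 test-vector seed, ASCII "12345678901234567890").
TOKEN_SEED = bytes.fromhex("3132333435363738393031323334353637383930")
STEP_SECONDS = 60   # how often the displayed code changes (assumption)
DIGITS = 6


def hotp(seed, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated
    to a `digits`-digit decimal string."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def token_display(seed, now):
    """What the hardware token shows at wall-clock time `now` (RFC 6238 TOTP):
    the counter is simply the number of whole steps since the epoch."""
    return hotp(seed, int(now) // STEP_SECONDS)


class OtpServer:
    """Back-end side: regenerates the expected code and checks a submission."""

    def __init__(self, seed, drift_steps=1):
        self.seed = seed
        self.drift_steps = drift_steps   # tolerate a clock skew of +/- N steps
        self.last_counter_used = -1      # replay protection: one code, one use

    def verify(self, submitted, now):
        current = int(now) // STEP_SECONDS
        window = range(current - self.drift_steps, current + self.drift_steps + 1)
        for counter in window:
            if counter <= self.last_counter_used:
                continue   # this code, or an older one, was already consumed
            if hmac.compare_digest(hotp(self.seed, counter), submitted):
                self.last_counter_used = counter
                return True
        return False
```

Because the server only ever moves `last_counter_used` forward, a code captured by a phisher and replayed after the legitimate login is refused even though it is still inside the drift window.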
"We have been very pleased with the adoption rates for the tokens,"
said Greg Framke, E*Trade's CIO. While he would not disclose how many
tokens have been issued, Framke said adoption numbers have been
doubling regularly since the program started. "There is a pretty
reasonable proportion of users who log on every week to E*Trade with
the tokens," he said.
The company has enough confidence in SecurID to offer its customers a
guarantee that they will be reimbursed if they suffer online fraud,
whether or not they are token users. "We expect other financial
institutions to follow our lead in issuing tokens to their customers,"
Framke said.
Methods of Deceit
Avivah Litan, a financial-services security analyst at Gartner Group,
said that a rise in online banking fraud attempts has followed banks'
efforts to step up their security systems for debit and credit card
payments. "It's too early to tell how the criminals will respond to
the new security systems that banks are installing for their Web
sites," Litan said.
Two scams commonly used today are phishing and pharming. In a phishing
attack, a victim is tricked into divulging a password, user name, or
other confidential data by an e-mail that purports to originate from a
bank or credit card company. The message typically steers people to
fake Web sites under the pretense of having them update security
information. Once the sensitive data is obtained, the victim's money
is there for the taking.
Phishing e-mails might also ask customers to reconfirm their ATM card
number, expiration date, and personal identification number
(PIN). These details are then used to manufacture a bank card, which
the fraudster then uses to drain the victim's account.
"No legitimate bank or e-commerce company is going to send its
customers e-mails requesting security information," said Amanda Pires,
a spokesperson for PayPal. "Nor is a bank going to send out an e-mail
warning that a user's account will be suspended if they do not
immediately provide their Social Security Number."
Pharming works much in the same way as phishing, except that e-mail is
now out of the picture. In a pharming attack, your Web browser is
hijacked so that you are diverted to a false site when you attempt to
visit your bank. Unaware of anything out of the ordinary, you divulge
your password and user name to criminals.
A variant of the two scams above is known as a "man in the middle"
attack. Here, once a person is fooled into visiting a bogus bank site,
the bogus site sits between the victim and the real bank, and a
real-live hacker watches as the victim types in logon information.
Criminals also have employed Trojan programs, hidden applications that
disguise themselves to avoid detection by antispyware software, which
wait for people to go to their banking sites and then capture the
passwords they type.
Keeping a Close Watch
Amir Orad, executive vice president of marketing at New York security
firm Cyota, said that it is not enough for banks to step up their
authentication procedures. "Just as a home owner has a gate, a lock on
the door, an alarm and a safe, so banks need to have multiple layers
of security," he said. In addition to stronger authentication, banks
need to be monitoring their customers' transactions for abnormal
events, according to Orad.
"If I log on and simply pay my monthly car insurance bill, then that
is a normal event which does not need any verification," Orad
said. "But if an online payment is made out of my bank account to
someone that I have never made a payment to before, then maybe the
bank needs to ask for some additional security information before
authorizing the transaction."
A challenge-and-response mechanism is a good idea for high-risk
transactions such as an online payment or a change-of-address
notification, said Jonathan Penn, an analyst at Forrester
Research. "If I ask my bank to change my address on its files and then
ask for my card to be canceled and a replacement issued, then the
bank's Web site should ask me a security question," he said. "It
should not ask for something that is likely to be in the public domain
like my Social Security Number, but for something that I have
pre-agreed with it, such as my favorite football team."
Cyota has developed a real-time monitoring system that looks globally
for fraudulent attempts to access online bank accounts. Its E-Fraud
Network has 50 major banks as its members, including Barclays Bank of
the UK and ING Direct of the Netherlands. "As soon as a suspect
Internet Protocol address tries to access an account at one bank, this
IP address is blocked, and its details are relayed to the other
members of the network," Orad said.
Cyota was acquired in December by RSA, the security vendor that makes
E*Trade's SecurID tokens.
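The two monitoring ideas in this section, stepping up authentication when a payment does not fit the customer's history and refusing an IP address that another member bank has reported, are shown together in the added example below. It is illustrative code, not Cyota's E-Fraud Network or any bank's risk engine; the transactions, the point values and the thresholds are constructed for the demo.

```python
from dataclasses import dataclass, field


@dataclass
class Transaction:
    account: str
    payee: str
    amount: float
    src_ip: str


@dataclass
class RiskEngine:
    """Scores each transaction against what is normal for the account and
    against a blocklist of IP addresses shared across member banks."""
    payee_history: dict = field(default_factory=dict)   # account -> payees paid before
    shared_blocklist: set = field(default_factory=set)  # IPs reported by the network
    step_up_threshold: int = 50
    block_threshold: int = 100

    def report_suspect_ip(self, ip):
        """Called when any member sees an attack from `ip`; from then on every
        member refuses it (the relay described in the article)."""
        self.shared_blocklist.add(ip)

    def score(self, tx):
        """Return (score, reasons). Point values are assumptions for the demo."""
        score, reasons = 0, []
        if tx.src_ip in self.shared_blocklist:
            score += 100
            reasons.append("source IP on shared blocklist")
        known = self.payee_history.get(tx.account, set())
        if tx.payee not in known:
            score += 50
            reasons.append("first payment to this payee")
        if tx.amount >= 1000:
            score += 30
            reasons.append("large amount")
        return score, reasons

    def decide(self, tx):
        """'allow' the routine bill, 'step_up' (ask a pre-agreed question)
        for a new payee, 'block' traffic from a reported address."""
        score, reasons = self.score(tx)
        if score >= self.block_threshold:
            return "block", reasons
        if score >= self.step_up_threshold:
            return "step_up", reasons
        return "allow", reasons

    def record_success(self, tx):
        """After a transaction completes (and any step-up was passed), the
        payee becomes part of the account's normal pattern."""
        self.payee_history.setdefault(tx.account, set()).add(tx.payee)
```

Note that the monthly insurance payment from Orad's example needs a step-up exactly once; after `record_success` it is part of the history and passes without further questions, while the same account paying a never-seen payee is challenged again.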
Smart Hardware
Hardware devices represent an additional layer of security on top of
software-based authentication and risk-monitoring systems. In the UK,
banks are investigating the use of smart cards for accessing online
banking services. Since the beginning of 2005, every UK bank customer
has been issued a debit card that contains a chip as well as the
standard magnetic stripe. The chip, which is designed to prevent the
card from being cloned by crooks, can be used to authenticate the
cardholder when logging on to a bank's Web site.
The drawback is what the card needs in order to do that: banks have to
issue smart-card readers to their cardholders. When the smart card is
inserted in the reader and the person types in the PIN, the reader
displays a passcode, which the person then enters when logging on to
the bank's Web site.
According to Colin Whittaker, head of security at UK banking
association APACS (Association of Payments and Clearing Services), it
would cost banks in Great Britain the equivalent of $5.40 to issue a
smart-card reader to each of their Internet-banking customers. "The
banks have agreed to pay the cost of issuing these readers," he
said. "What is not known yet is whether the banks will use the readers
to authenticate cardholders when making online debit or credit card
payments on the Web, or also for online banking security."
One company has developed a hardware-based alternative to smart cards
and one-time-passcode tokens. Meridea, in Helsinki, Finland, has
developed software that lets cell-phone users use their handset as an
authentication device.
"An online banking user registers their cell-phone number with their
bank and the bank then sends them a text message," said Justin
McAuley, vice president of financial products at Meridea. "Once the
customer has downloaded this message, they click on a link in it to
download an application."
After downloading the application, the customer has to enter an
activation code provided by the bank, and create his or her own secret
PIN. "The cell phone has now become an authentication device," McAuley
said. "There is no need for banks to issue their customers with online
authentication tokens or smart cards."
When performing a transaction, the user is presented with a one-time
challenge code on the bank's Web page, and is asked to provide a
response code. "The user types the challenge code into the mobile
phone, which validates that the challenge code is genuine," McAuley
said. "After the user has entered their PIN into the phone, it
generates a response code. The user types the response code into the
Web bank screen, and the transaction is confirmed."
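The challenge-and-response exchange McAuley describes, worked through on both sides as an added example. Meridea's actual key derivation and code formats are not on the page, so the following are assumptions: the phone and the bank both derive keys from the activation code; the challenge carries two check digits so the phone can reject a challenge the bank never issued; the PIN never leaves the phone and is used only to unwrap the device key, so a wrong PIN produces a wrong response rather than a local error; and each challenge is single use on the bank side.

```python
import hmac
import hashlib
import secrets


def kdf(secret, salt):
    """Derive a 32-byte key from a secret string and a purpose label."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt.encode(), 50_000)


def mac_digits(key, label, data, n):
    """HMAC-SHA256 reduced to an n-digit decimal code."""
    mac = hmac.new(key, f"{label}:{data}".encode(), hashlib.sha256).hexdigest()
    return f"{int(mac, 16) % (10 ** n):0{n}d}"


class Phone:
    """The handset application after activation."""

    def __init__(self, activation_code, pin):
        key = kdf(activation_code, "device-key")
        # Wrap the device key under a PIN-derived mask. A wrong PIN simply
        # unwraps to a different key, so the PIN cannot be brute-forced offline.
        self.wrapped = bytes(a ^ b for a, b in zip(key, kdf(pin, "pin-wrap")))
        self.check_key = kdf(activation_code, "challenge-check")  # used before PIN entry

    def challenge_is_genuine(self, challenge):
        body, check = challenge[:6], challenge[6:]
        return hmac.compare_digest(mac_digits(self.check_key, "chal", body, 2), check)

    def respond(self, challenge, pin):
        """Step 1: validate the challenge; step 2: unwrap with the PIN and answer."""
        if not self.challenge_is_genuine(challenge):
            return None
        key = bytes(a ^ b for a, b in zip(self.wrapped, kdf(pin, "pin-wrap")))
        return mac_digits(key, "resp", challenge, 8)


class Bank:
    """The bank's side: issues challenges for transactions and checks responses."""

    def __init__(self, activation_code):
        self.key = kdf(activation_code, "device-key")
        self.check_key = kdf(activation_code, "challenge-check")
        self.pending = {}   # challenge -> transaction awaiting confirmation

    def issue_challenge(self, transaction):
        body = f"{secrets.randbelow(10 ** 6):06d}"
        challenge = body + mac_digits(self.check_key, "chal", body, 2)
        self.pending[challenge] = transaction
        return challenge

    def confirm(self, challenge, response):
        """Return the confirmed transaction, or None. Any attempt, right or
        wrong, consumes the challenge, so a code cannot be replayed or guessed
        repeatedly against the same pending transaction."""
        tx = self.pending.pop(challenge, None)
        if tx is None or response is None:
            return None
        expected = mac_digits(self.key, "resp", challenge, 8)
        return tx if hmac.compare_digest(expected, response) else None
```

A phisher who relays the real challenge to the victim still gains nothing reusable: the response is tied to that one challenge, which the bank deletes the moment it is answered.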
Knowledge Is Its Own Reward
Recent efforts to fight fraud have stressed the importance of consumer
education. Too many people, it seems, neglect to take the elementary
step of running security software on their computers.
But some companies are encouraged by what they see as increased
vigilance on the part of consumers. Amanda Pires, a spokesperson for
eBay and its PayPal payments service, said that the online auction
company has seen a rise in the number of phishing e-mails forwarded to
it by users.
"We think greater user awareness about phishing is the reason for
this," Pires said. "EBay and PayPal work with Internet service
providers and law enforcement to shut down spoof Web sites. We have a
very good success rate in the U.S., but it takes longer to shut down
spoof Web sites when they are located abroad."
Still, people who bank online should not be lulled into a false sense
of security.
Frost & Sullivan analyst Rob Ayoub said that many Internet users are
more careful about their personal information in the physical world
than they are on the Web. "No one would hand over their credit card
information to a shady-looking guy hanging around outside their bank,"
he said.
"People should be even more careful on the Web."
Copyright 2006 NewsFactor Network, Inc.