Monday, December 8, 2008

Online Banking Security Myths Debunked

If you're ever online, the chances are good that you access Internet banking services (83% of Internet users in Australia do, according to Sensis). And because it's your money that's involved, you know that security is important. However, there are plenty of myths and misconceptions surrounding Internet banking security. Read on to learn where the risks are.

Myth: Phishing is the biggest banking security risk

Your junk mail folder is doubtless filled with spurious messages asking you to confirm the details of accounts you've never held. Given the prevalence of these phishing attempts, it's easy to assume that fake email is the online bank thief's favourite weapon. However, while these messages certainly should be treated with suspicion and promptly deleted, they're no longer the main attack method for criminals. "Criminals are going to do away with phishing," said Chia Wing Fei, security response manager for security software developer F-Secure's APAC security labs, during a media briefing on security trends. "People are not going to fall for them anymore." The favoured approach is now "drive-by downloads": injecting malicious code into popular web sites in order to infect users. The randomness of phishing attacks is also being replaced with much more sophisticated techniques. "In their attacks, they have metrics built in," Fei said. "They have excellent analysis capabilities in terms of which trojan is effective against which bank."

Myth: Australian banks are too small to be worth attacking

The endless phishing messages for European and American banks might leave you believing that Australia isn't yet on the criminal radar, but that's far from the truth. An analysis of 2300 banking-specific trojans by F-Secure found Australia was the sixth-most common target country for attack. The Commonwealth and ANZ were the most common targets, followed by NAB, St George and Westpac. Westpac's relatively low position on the list is partially because it uses an on-screen keyboard for entering passwords. While not totally secure, that approach means hackers have tended to ignore it. "Criminals have a real history of picking the lowest-hanging fruit," said Graham Ingram, general manager for national tech security agency AusCERT. "If it's difficult, why bother?"

Myth: Two-factor authentication will keep you totally safe

Two-factor authentication -- needing not only a password, but also a one-time code either generated electronically or sent via SMS -- is an increasingly common element of bank security. It's a useful additional step, but you shouldn't assume it provides total security. "Users can do everything right and still lose their bank account," Fei said. "Two-factor authentication is not a foolproof thing; you won't prevent your bank account from being stolen. It only changes the tactics the bad guys use." There's also a cyclical problem with adding new layers of security. "One of the dilemmas is every time we introduce a counter-measure, we're raising the level of attack," Ingram said. "There is a chasm developing between the people who get it and the people who don't, and the people who don't are really exposed."

Myth: Account details change hands for large sums of money

While there's a large criminal market exchanging bank and credit card details, it isn't purely about cash. According to Fei, the approach used is often one of barter: details of a bank account with $6000 in it might be traded for 30 active PayPal logins, for instance.

Myth: Your credit card is useless without the CVV

Most online stores demand the three-digit code off the back of your credit card as an additional means of verifying you're the owner. However, there's a healthy black market for software which can reverse-engineer the relevant CVV from a given number, Fei said.

All this doesn't mean that criminals are inevitably going to win. Banks are far more alert to electronic security issues than most other organisations. "In many respects, the banks have this well under control," Ingram said. "It's everyone else who doesn't understand the implications. Think of all the government services online. These are more exposed in my personal view than the banks will ever be."

Being aware of your behaviour, and keeping a close eye on your bank balance and credit cards, remains the best defence. Constant alertness is essential, as Fei explains: "Criminals are getting away with this. They don't have anything to lose. Whatever they're doing, the money's really good."


Roger Halbheer said...

Hi Shoaib,
I like your post. However, I only partly agree with your suggestion. "Just" to be careful will not be enough - even though it is important. Personally I am convinced that there are three very basic things a consumer should do technically to protect themselves:
1. Switch on your firewall
2. Keep (all) your software updated
3. Run anti-malware software and keep it updated

Shoaib Yousuf said...

Hi Roger,

I agree with your comments and your tips.

If consumers start using these three basic things to protect themselves, we would be able to solve a lot of problems in the overall picture.

Unfortunately, most consumers don't, and that is a worry; possibly a lack of security awareness?