As online criminals and hackers develop ever more
sophisticated Trojans, spyware, botnets
and attack vectors, are the banks, online stores, social networking sites and
others really doing enough to keep their customers safe and secure?
In today’s world, an 18-year-old sitting in his bedroom in New Zealand
can be the ringleader of an online criminal gang responsible for creating botnets, installing spyware on
consumers’ PCs and skimming millions of dollars from bank account holders
worldwide. That 18-year-old has been caught, the result of a global
sting against growing numbers of online criminals and an explosion in online
Are online stores, credit card companies and banks doing enough to ensure our
online transactions are secure and our confidential details safe? And what about
the ever more popular social networking sites, whose users are targeted by
online criminals aiming to steal confidential details that people may also
use when accessing their bank accounts?
Online banking security is only part of the problem;
we need to change the mindset of banks, businesses and consumers in general.
On a fairly regular basis, concerns about online security in general and
online banking fraud in particular hit the news. The latest is the aforementioned 18-year-old
NZ teenager, but only a couple of weeks ago the
Queensland University of Technology (QUT) published a study on hackers
being able to “infiltrate SMS banking passwords”.
Another article, from News.com, asks “Is Bank of
America lying to its customers?”
Online banking has boomed worldwide as consumers rapidly took up
Internet connections for their computers. Millions of new online users meant
that banks needed to upgrade their systems, and forced them to implement
better security systems that look for fraud in real time and to investigate
technologies such as two-factor authentication.
Yet in most cases banks have actually rolled out this extra level of
security to only a small percentage of their overall customer base, due to
the inconvenience to customers and the added cost to banks.
Two-factor authentication is achieved by using
keychain-sized number generators synchronised with the bank’s systems, containing
an ever-changing code that must be entered along with your username and
password, or by sending an SMS message to your phone containing a code that
must be entered into your online banking login to proceed to your online
Unfortunately, if your computer has already been compromised by crimeware, the extra security provided by your
SMS token or keychain token is now irrelevant. In a world of crimeware that includes Trojans, spyware
and botnets lurking unsuspected on consumers’
computers worldwide, becoming ever more sophisticated, what are the banks
really doing about it? After all, it's obvious that the weakness lies in the
consumer's PC, not in the bank's heavily fortified back end - and that PC is still
clearly being compromised!
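As an added illustration of the point above, not code from the original article, here is a small Python model of the two schemes just described: a login one-time code, as with a keychain token or SMS, proves only that the right person logged in, so a compromised PC can still alter the transaction behind it. The model also goes beyond the article by showing a code bound to the transaction details, which does catch the tampering. The secret, clock value, counter and payee names are constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed shared secret; a real bank would provision one per customer token.
SECRET = b"constructed-demo-secret-0123456789"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(now // step))

def verify_login_code(secret: bytes, code: str, now: float, step: int = 30) -> bool:
    """Bank side: accept the current time step or one step either side (clock drift)."""
    t = int(now // step)
    return any(hmac.compare_digest(hotp(secret, t + d), code) for d in (-1, 0, 1))

def transaction_code(secret: bytes, counter: int, payee: str, amount_cents: int) -> str:
    """Transaction-bound code: the MAC covers the payee and amount the customer confirmed."""
    msg = struct.pack(">Q", counter) + payee.encode() + b"\x00" + struct.pack(">Q", amount_cents)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return str((struct.unpack(">I", mac[:4])[0] & 0x7FFFFFFF) % 10 ** 6).zfill(6)

def bank_accepts(request: dict, now: float, counter: int) -> bool:
    """Bank-side check of a transfer request submitted from the customer's browser."""
    if request["scheme"] == "login-otp":
        return verify_login_code(SECRET, request["code"], now)   # proves who logged in, nothing more
    expected = transaction_code(SECRET, counter, request["payee"], request["amount_cents"])
    return hmac.compare_digest(expected, request["code"])

def simulate(scheme: str, pc_compromised: bool) -> dict:
    """Customer intends to pay ALICE 50.00; a compromised PC silently rewrites the payee."""
    now, counter = 1_700_000_000.0, 42            # constructed clock value and token counter
    intended = {"payee": "ALICE", "amount_cents": 5000}
    if scheme == "login-otp":
        code = totp(SECRET, now)
    else:
        code = transaction_code(SECRET, counter, **intended)   # token signs what the customer saw
    submitted = dict(intended, scheme=scheme, code=code)
    if pc_compromised:
        submitted["payee"] = "MULE"                # models in-browser tampering; the code is unchanged
    return {"payee_paid": submitted["payee"], "accepted": bank_accepts(submitted, now, counter)}
```

With the login-only scheme the bank accepts the rewritten transfer because the code it checks never covered the payee; with the transaction-bound scheme the same tampering is rejected.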
So, what do banks and online stores do today when it comes to security, and
what should be done instead? As it currently stands, banks and most online
stores protect the account holder or customer only up to the front
door of their computer. In addition, banks have specifically enticed
customers to use online banking and access
their accounts anywhere they may be in the world at virtually any time.
Naturally, this has driven efficiencies and profit gains for all banking organisations.
However, banks should
be looking at how they can protect the customer’s confidential details even
if the criminal has already accessed the computer, as is the case for millions
of customers unwittingly infected by malware and
made part of a botnet.
The US was one of the first countries to recognise
that the banking industry is only going to start taking online security
seriously when put under pressure by Government - and really
only then, when the US Government released the FFIEC banking guidelines that
mean banks needed to provide more than one factor for ‘authenticating
US banks were given a deadline of December 2006 to increase the security of
their Internet banking sites. However, as can be expected in a world of ever-changing
security issues and challenges, alongside the ever-growing bottom-line
cost of security, US and global banks have failed to adequately address
the issues and have mostly done as little as they had to in order to satisfy
the heightened security requirements.
As an example, virtually no major US bank has issued hardware
tokens or implemented SMS security for its customers; noted security
journalist Brian Krebs of The Washington Post discusses this in great
detail in his blog.
The banking industry has been through virtually all the different types of
security issues around today, starting from simple phishing
attacks (which are still successful, believe it or not!), internal fraud,
cross-site scripting vulnerabilities, denial-of-service attacks, very
targeted malware, large-scale malware (such as MPack and Torpig) and even sophisticated attacks against hardware
two-factor authentication.
Banks have done only as much as they had to in order to protect their pristine,
‘safe as money in the bank’ image. Joining the long list is now a study from
the Queensland University of Technology (QUT), linked above, stating that
“Using SMS passwords won’t protect people from internet banking fraud”, and
that 61% of the users were successfully duped in a stealthy attack performed
during the study.
Had this study been done with a computer-illiterate group, the figure would more
likely be 99%. For any bank using SMS authentication, or thinking of rolling
it out soon, this latest study is bad news indeed.
But is this latest attack on banking security really news?
Not if you’ve been listening to what security experts such as Professor Bill Caelli from
Australia’s QUT, Graham Ingram, General Manager of AusCERT,
or Andreas Baumhof from TrustDefender
have been saying.
To start with, it’s foolish to believe that one particular technology will
solve all problems. So, what is the solution?
technology can solve all problems is like believing in a silver bullet
solution – and in the real world where things are constantly changing,
especially when it comes to security, a different approach is required.
What is needed is a
multi-layered approach that provides security measures at all the different levels.
Banks have an obligation to protect your money and should therefore provide
protection on all fronts. But what does this mean, and is your bank doing
Every Internet banking session takes place between the bank’s backend system (1) and the user’s computer (2), over a public
Internet link (3). Perhaps banks should start protecting these key
components, and while they are at it, should provide security and reliability
measures in the following adjacent areas: the backend systems,
transaction monitoring, encryption, identity/authentication, the network, consumers’ computers, and user education.
An effective security solution has security components for all these
different parts of the system. If a bank misses just
one part, the whole security chain can be compromised, just as a chain will
fail if even one link breaks.
Now don’t get me wrong - banks worldwide are doing something – they’re just
not doing enough from my point of view.
Most banks provide adequate protection for their backend systems using
firewalls and other technologies. Some banks (but far from all!) use
transaction monitoring (e.g. ANZ in Australia
uses its Falcon system, while CBA, also in Australia, uses
a system called Hawkeye). While everybody uses encryption, the identity
protection programs in use by different banks vary heavily.
But what about the network itself? Virtually no bank protects the
network, as most just use the public Internet to connect their customers to
the banking IT infrastructure.
Last but not least, nothing is done by the banks for the consumer’s computer,
where rootkits, spyware,
Trojans and botnets reside, opening up a massive
security hole that online criminals are learning to exploit faster than
security experts can plug the holes and issue patches.
Given the gaps, security can collapse like a house of cards – and if you
believe the well-documented reports from various security researchers around
the world, this is where hackers are going to break into the banks and all
existing security measures will fail.
Don’t believe me? Try googling for Torpig, Sinowal, Anserin, MPack, Gozi, 76service and
Storm Worm, just to name a few, and see what you find. You may find yourself
So, what’s the banking industry’s typical response? We usually hear that
online fraud is relatively small compared to other types of fraud. While that
is easy to say if you hide the real figures carefully, the
truth is that online fraud is exploding.
So, what can we do about it?
This is a good
question, and it seems clear that banks will only do something if they are
forced to by legislation like the FFIEC guidelines in the US. Hey, APRA
and ASIC in Australia
– and banking and regulatory authorities worldwide - where are you?
Another surefire way
to get some much-needed attention is for customers to scream loudly.
As another noted security journalist, Bruce Schneier,
recently wrote in his blog post “Future of Malware” (scroll down to 18 Oct 2007):
“And yet banks push online banking to customers with one hand while the other
hand pushes problems like Gozi away, into
acceptable loss budgets and insurance -- transferred risk. As long as consumers
don't raise a fuss, and thus far they haven't in any meaningful way, the
banks have little to fear from their strategies. But perhaps the only reason
consumers don't raise a fuss is because the banks have both overstated the
safety and security of online banking and downplayed negative events around
it, like the existence of Gozi and service”.
Pretty damning stuff. What else can we add? Perhaps only by making
banks take far greater responsibility for their customers and the ENTIRE online
chain, from a consumer’s computer through to the bank’s central computers,
can banks truly take control of their networks and truly keep their customers
secure, instead of just paying lip service to security issues.
And if that doesn’t happen, remember – it’s your money. Want better online
security from your bank? Let them know you want it. It seems to be the only
way to get some real action on banking security. Don’t be soothed by words
from banks and regulators that say all is OK. Global authorities might be
catching teenagers in their bedrooms ripping off the banking system, but
surely that’s just the tip of the iceberg.
Every act of fraud committed against banks and online stores ends up costing
us all, with the fight against online crime only set to intensify.