Phishing And The Future Of Banking

Could phishing kill off online banking?
Probably not, but it’s likely to force greater regulation by central banks and others which will, reckon British-based Internet security consultants mi2g, mean “the next generation of electronic banking may have to rely on deeper layers of authentication that couple passwords with biometric security and smart card authentication.”
Mi2g estimate there have been 110 unique incidents of phishing — identity theft by faked emails and/or keyboard-logging viruses — in less than a year. Here’s an abbreviated list:
  • USA (7 banks; 82 incidents)
  • UK (6 banks; 8 incidents)
  • Australia & New Zealand (5 banks; 16 incidents)
  • Canada (2 banks; 2 incidents)
  • Spain (1 bank; 1 incident)
  • Hong Kong and Singapore (1 bank; 1 incident)
  • Latvia (1 bank; 1 incident)

I have to say I think that’s an underestimate. And it’s not quite clear from mi2g’s release whether these are successful attempts, or just attempts. Given banks’ reluctance to admit to breaches, I’d guess it’s the latter. And mi2g point out that it’s not just banks that have been attacked: everything from the Federal Bureau of Investigation (FBI) to eCommerce/information portals and their associated payment systems has been hit. Mi2g counts 90 unique attacks on eBay.

Mi2g say such attacks are getting more, rather than less, successful: “Phishing scams’ success rate has risen from 0.1% on average to 0.5% in the last six months as the techniques have become more sophisticated,” it says. This would mean thousands of victims and big headaches for banks: “In some instances the genuine web site has to be made inoperable for several hours or even days whilst the targeted bank investigates the extent of the financial fraud and related losses,” says mi2g.
Claims by mi2g have not always been taken seriously, particularly their estimates of damage. In this case, mi2g reckon that “worldwide economic damage for 2003 from phishing scams is estimated to have been between US $13.5 billion and $16.4 billion… The damage for 2004 has already crossed $8.9 billion in the first two months of the year.” I know they have some sort of formula for this, but as others have pointed out, these estimates seem to be more designed for grabbing headlines than serious analysis.

That said, phishing is a problem, and I would agree that online banking is going to have to add layers of security to avoid more breaches. But will customers accept that? If online banking gets too fiddly, will folk just give up? Or switch to something else?