Tag Archives: Internet banking

Banks To Customers: You Have To Pay For Phishing

Good article in Australia’s BRW Magazine about phishing and banks. It makes some important points, not least that banks are still trying to talk down the problem while at the same time passing costs and risk onto the customer:

Banks are desperate to assure their customers that internet banking is safe. But their actions are not comforting. Three of the five biggest banks have increased or introduced fees for online banking. In May, Commonwealth Bank of Australia linked the introduction of fees for retail customers directly to the $100-million expense of upgrading the online system to improve security and add 20 new services.

The problem with the online banking debate is that the banks, the fraud experts and the security companies contradict each other about the extent of the phishing problem, and whether it is growing or waning. One thing is certain: bank customers need to be increasingly wary and savvy about how they conduct their banking online or they will find costs soaring and, at worst, lose their savings.

The new fees for online banking are just one of the costs that customers are expected to bear for the convenience of banking online. Banks are also educating customers to buy increasingly complex and expensive software to protect their home and business computers. These include anti-virus and anti-spyware software and firewalls, products that experts say many customers, including small-business owners, cannot install and manage without expert help. The banks now say the online banking system is not secure without this protection.

Furthermore, there are signs that the banks are hardening their attitude to reimbursing customers who are defrauded by phishing e-mails. So far, the banks collectively have maintained a generous policy on reimbursing defrauded customers. According to the Australian Bankers Association, those reimbursements are estimated to have cost the banks $25 million.

Overseas, banks seem to have run out of patience. An AOL survey of 2052 internet users released in May this year found that 53% of customers who were defrauded in phishing scams in Britain say they were not compensated by their banks.

Good hard stuff. One stark quote comes from AlienCamel’s Sydney Low, who I know is very critical of how the banks are approaching the problem:

He says online banking is so insecure as to fail the “fit for purpose” test under section 71 of the Trade Practices Act 1974. He says: “Under consumer law, a product or service that is sold must be fit for the purpose it is sold for. Experts are saying that the current state of security is unsafe. The home PC is not designed as a secure terminal; an ATM is very secure. Now the banks are relying on mums and dads to create a secure device.”

It certainly seems extraordinary to me that banks have been so quick to shift customers online, where the savings are huge, and are now reversing engines and charging them. If the banks saved money in persuading users to do online transactions, why should some of those savings not be used to pay for better protection, and, where necessary, to fund compensation?

Internet Banking And The Threat From Within

Saw a chilling presentation today from Fabrice A Marie of FMA-RMS at the Bellua Cyber Security Asia 2005 conference in Jakarta. Fabrice talked about Hacking Internet Banking Applications, something he does for a living on behalf of banks around the region. Bottom line: They’re easy to hack.

Across the 15 bank application assessments he worked on in the past 18 months, he found 258 vulnerabilities, 429 beta-quality scripts and 339 unnecessary files, an average of 17 vulnerabilities per application.

He didn’t go into detail about what kind of vulnerabilities he found, but his presentation explored a dozen different ways of getting past banks’ security measures, including spying on competitors’ transaction histories, stealing money using fund transfer functionality, purchasing insurance for free and buying discounted shares. All you need is an account.

His parting words were: “Nobody will be using Internet banking anymore. If you do just make sure you don’t have much money online.” He told me later he was just joking, and that banks, particularly in Singapore, are safe. But nobody laughed.

He didn’t mention phishing, but a thought struck me: How many phishing attacks are not to clear out an account but to gain access to a bank as part of a broader, longer term attack?

A Glimpse Of The Internet Banking Future?

One bank in my town has stopped offering Internet banking, and suddenly I feel I can see the future post-phishing.

Of course, the bank is not saying it’s abandoning Internet banking. Nor is it saying that the fact that now customers have to dial into a modem in the bank to access their account is because of phishing. The message on the website merely says that to improve capability [sic] and security the bank is “undergoing improvement process to make the service even more convenience [sic] and reliable in the future. Therefore, temporarily please access internet banking through VPN (Virtual Private Network). We apologize for any inconvenience caused.”

It will be interesting to see how quickly the original service is resumed, and, if it is, what changes will have been made. But do we see a glimpse here of the kind of thing other banks may do? Might it just not be worth the hassle in future to offer Internet-based services?

The Phishing War Escalates

The guys at Netcraft, a British security consultancy that has done a good job of tracking, exploring and warning about phishing, say they’ve come across the first case of cross site scripting being used in the wild for phishing purposes. This isn’t as arcane as it sounds, since it allows phishers to make their lure appear to even the wariest eye to be from a legitimate source — your bank.

Usually the weak link in a phishing email is the link itself. However much they disguise it, phishers can’t get away from the fact that they are trying to lure the victim to a site that is not the bank or other institution they’re pretending it is. Cross site scripting lets them do so.

Phishers do this by exploiting a vulnerability to ‘inject’ their own code into the legitimate website. The link in the phishing email appears to go to this code, and so begins with a legitimate bank URL (www.citibank.com, or whatever). The URL then, without the victim’s knowledge, loads some JavaScript from somewhere else to redirect the user to another site. This is what some fraudsters have done with a SunTrust bank phish, which Netcraft says was sent in large numbers in recent days. Netcraft says SunTrust has so far failed to reply to their emails:

Careless application errors and inadequate testing are believed to be an industry wide problem for internet banking, and even though it would seem to the man in the street appalling that someone could run a fraud from a bank’s own site, SunTrust competitors are unlikely to be strongly critical through fear of similar problems with their own facilities.

If true (and I’ve no reason to doubt it; Netcraft know what they’re doing) this is a pretty sad state of affairs. I have two main concerns: firstly, that banks still don’t seem to understand what they’re dealing with, and don’t respect security companies enough to keep up a dialogue with them so these problems are nipped quickly in the bud; and secondly, I suspect these kinds of attacks render most ‘anti-phishing tools’ useless. This is not only annoying, but dangerous.

Something I’ve noticed in recent months is a shift on the part of anti-virus manufacturers to push out software that will protect the user from phishing attacks. This is just bad marketing, and foolish. Nothing can protect the individual from phishing attacks other than their own wariness and savvy. To suggest that tools can do so will just give people a false sense of security. Examples like this SunTrust case prove the point, which I’ve banged on about for nearly a year now, that phishing is a war of escalating technology and that pushing out some feeble toolbar and suggesting it will protect the user from all such attacks is irresponsible, and thoroughly underestimates the scale of the problem and the kind of adversary we face.
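An added example, not code from this post or from Netcraft, showing why a lure built this way passes a check of the link's host, and what the bank-side fix looks like. It assumes the injection point is a query parameter echoed back by a search page; the host www.bank.example, the parameter q and the function names are hypothetical.

```python
import html
from urllib.parse import urlsplit, parse_qsl

# Constructed lure link. Host, path and parameter name are hypothetical,
# not details from the Netcraft report.
LURE = ("https://www.bank.example/search?q=%3Cscript%20src%3D%22"
        "https%3A%2F%2Fother.example%2Fr.js%22%3E%3C%2Fscript%3E")
BENIGN = "https://www.bank.example/search?q=mortgage+rates"
BANK_HOSTS = {"www.bank.example"}


def host_is_bank(url):
    """The check a wary reader or a simple toolbar applies: whose host is it?"""
    return urlsplit(url).hostname in BANK_HOSTS


def _query_value(url, name="q"):
    # parse_qsl percent-decodes values, as a web framework would.
    return dict(parse_qsl(urlsplit(url).query)).get(name, "")


def render_vulnerable(url):
    """The defect: the parameter is echoed into the page as-is."""
    return "<p>Results for " + _query_value(url) + "</p>"


def render_hardened(url):
    """The fix: HTML-encode the value before it reaches the page."""
    return "<p>Results for " + html.escape(_query_value(url), quote=True) + "</p>"


def carries_markup(url):
    """Mail-gateway style screen: decoded parameters should not hold markup."""
    markers = ("<", ">", "javascript:")
    values = [v.lower() for _, v in parse_qsl(urlsplit(url).query)]
    return any(m in v for v in values for m in markers)


if __name__ == "__main__":
    for url in (LURE, BENIGN):
        print(host_is_bank(url), carries_markup(url), render_hardened(url))
```

The host check returns True for both links, which is the blind spot described above; only the output encoding on the bank's side removes the problem, and the parameter screen is a secondary control.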

Phear Of Phishing Doesn’t Just Hit The Bankers

Beware The Fear. The blizzard of coverage about phishing (usually involving some awful pun) has done a lot to raise awareness about the problem, but is it enough?

A survey by Insight Express for Symantec of 300 people (no URL available yet, sorry) shows that while three quarters of folk are aware of spyware only a quarter of them have heard of phishing. This cloud of ignorance creates confusion and fear: 44.2 percent of respondents thought they had visited a fraudulent Web site but were not sure. 19.3 percent said they had definitely visited a fraudulent Web site. A little over half are somewhat concerned about online fraud, while 42 percent are ‘very concerned’. In other words, nearly everyone is worried.

This fear is already having an impact. Three quarters of folk will now only purchase products through secure sites. That’s encouraging — and not bad for business — but the following figures are: nearly half will not now provide confidential data over the Internet while nearly a third won’t use the Internet for online banking. About 15% said they don’t trust the Internet.

This fear and distrust is not going to go away. More than half of respondents felt they knew how to protect themselves from online fraud and/or online identity theft, while a bit under half didn’t think they knew how to protect themselves. Taken with my own unscientific dabbling and MailFrontier’s recent survey which found that 28% of American adults “inaccurately identify phishing emails”, I’d say we have a problem. Or in fact several.

First off, many of those people who think they know how to protect themselves are easy prey. They are going to continue to be duped as phishing attacks grow more sophisticated. That’s going to keep the problem going, in part because of weak or misleading ‘solutions’ such as browser tools and software that supposedly ‘identifies’ fraudulent emails or links. These tools only raise people’s comfort levels and lower their guard.

The broader problem is this: As the number of victims rises, the number of people not giving confidential data over the Internet, not using Internet banking, and ‘not trusting the Internet’, is going to rise. This is already hurting retailers who have found major cost savings by shifting business over to the Internet. A piece yesterday by The Register’s John Leyden quotes a recent survey by LogicaCMG as saying that one in five British users would “hesitate about booking trips online because of mistrust of the ability of travel companies to keep their financial and personal details secure”. Given it costs a travel agent 40 times more to take a booking by phone than online, this is hitting their bottom line hard. This will only get worse as more victims succumb, and phishing attacks are no longer one of the bad things that happen to other people.

Then there’s the banks. It’s been suggested to me that banks don’t really care about whether people use Internet banking, since if people start going back to their branches to do their business banks will make their money anyway. But, while appealing, that conspiracy theory fails to take into account the link between online commerce and online banking. If people don’t trust the Internet to do banking, it’s very unlikely they’ll buy something online. That will hit credit card business hard, a mainstay of retail banks. Like it or not, the fate of banks is inextricably tied to the fate of online retailing. So banks don’t have much choice.

Bottom line: The future of online commerce is not just about whether it’s viable for retailers to do some of their business online. For many retailers it is their business, or at least it’s the difference between being profitable or not. Phishing is not just an attack on banking and financial sites. It’s an attack on the future of online commerce, which, believe it or not, is still vulnerable because it relies on trust. And trust is not just about reassuring customers, or launching vague ‘education campaigns’ to give people a vague idea about whether they’re safe, and what to do to make themselves safer. It’s about making transactions secure, policing website registries for fraudulent domains, working together for a better way to communicate between retailer/bank and customer. All of these things, a year after phishing took off, haven’t been done. Hence The Fear.

Contestant For Worst Phisher Of The Year Award

Phishing carries on, but it seems to be attracting the dregs of the scamming world as well as its masters. Here’s one I just received which must be in line for Worst Phishing Scam Of The Year Award:

From:  Branch Banking and Trust Company[SMTP:SERVICE@BBANDT.COM]
Subject:  Online banking issue

Dear Branch Banking and Trust Company valued member,

Due to concerns, for the safety and integrity of the online
banking community we have issued this warning message.

It has come to our attention that your account information needs
to be updated due to inactive members, frauds and spoof reports.
If you could please take 5-10 minutes out of your online experience and renew
your records you will not run into any future problems with the online service.
However, failure to update your records will result in account suspension.
This notification expires on May 14, 2004.

Once you have updated your account records your internet banking
service will not be interrupted and will continue as normal.

Please follow the link below
and renew your account information.

Branch Banking and Trust Company Internet Banking <http://61.221.243.26/www/b/>

Not exactly cutting edge. The To field even contained more than one recipient. Back to the drawing board, lads.
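An added example, not part of the original post: a small link triage run over the sender line and link of the message quoted above. The two checks (IP-literal host, host outside the claimed sender's domain) and the function names are this example's own.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Sender line and link as quoted in the message above; body omitted.
MESSAGE = """\
From:  Branch Banking and Trust Company[SMTP:SERVICE@BBANDT.COM]
Subject:  Online banking issue

Branch Banking and Trust Company Internet Banking <http://61.221.243.26/www/b/>
"""


def sender_domain(msg):
    """Domain part of the first address on the From: line, lower-cased."""
    m = re.search(r"^From:.*?[\w.+-]+@([\w.-]+)", msg, re.M | re.I)
    return m.group(1).lower() if m else None


def link_hosts(msg):
    """Host of every http(s) URL in the text."""
    urls = re.findall(r"https?://[^\s<>\"]+", msg)
    return [urlsplit(u).hostname for u in urls]


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(msg):
    """Return {host: [reasons]} for links that do not fit the claimed sender."""
    claimed = sender_domain(msg)
    findings = {}
    for host in link_hosts(msg):
        if not host:
            continue  # malformed URL with no host part
        reasons = []
        if is_ip_literal(host):
            reasons.append("IP-literal host")
        if claimed and host != claimed and not host.endswith("." + claimed):
            reasons.append("host outside sender domain " + claimed)
        if reasons:
            findings[host] = reasons
    return findings
```

A link built on the bank's own host, as in the SunTrust case earlier on this page, passes both checks, so this kind of triage only catches the crude end of the range.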

Going Public With Sensitive Data

Forget phishing for your passwords via dodgy emails. Just use Wi-Fi.

Internet security company Secure Computing Corporation have today released a report prepared by security consultants Canola/Jones Internet Investigations which “documents the serious risks of password theft that business travelers encounter when using the Internet in hotels, cafes, airports, and trade show kiosks.”  The full report is available (in PDF format) here.

Posing as a business traveler, the author “found multiple methods available to cyber-criminals that could be used to steal passwords and corporate information”. Wireless access points are especially vulnerable: “Tests conducted at an airport Internet cafe and at a popular chain of coffee shops showed that unencrypted streams of data from the laptops of patrons could easily be seen in many instances by another patron sitting nearby with wireless ‘sniffer’ software.”

Even hotel broadband is risky. Canola/Jones shows “how a hotel guest can use widely available snooping software with a laptop logged onto the hotel network. The guest can successfully snoop on the hard drives of fellow guests who have file sharing enabled on their PCs. Corporate data and passwords can easily be stolen.” Gulp. Other holes: keyboard logging software secretly installed on public terminals, and the hardy perennial, shoulder surfing, where a ne’er-do-well passes your terminal just as you happen to be entering a banking password.

Needless to say, this is all pretty scary. And Secure Computing would like to offer you a solution: their “two-factor authentication SafeWord line of tokens” which generate one-time-only passcodes for each user session. But there are other ways of foiling most of these exploits: Firewalls on your computer, common sense (don’t go to important websites like Internet banking on a public computer), and only using public Wi-Fi when a) you know it’s encrypted and b) you’re not dealing in sensitive data. Have I forgotten anything?