Internet banking takes another knock with news from AP that Germany’s biggest retail bank Postbank has imposed an online transaction limit .
Germany’s biggest retail bank, Postbank, said Monday it was imposing a euro3,000 (US$3,860) limit on online transfers in an effort to protect customers against e-mail “phishing” scams.
The bank, which has 11.5 million depositors and is majority-owned by postal company Deutsche Post, said the move was meant as a precautionary measure and none of its clients had suffered harm from the high-tech form of identity theft.
Postbank said the limit, which will not apply to standing orders, was a response to the “heightened security needs of customers” and should make online fraud less attractive.
I don’t think Postbank is the first to do this, but it’s probably the first to draw a direct line between the fact that customers are now more at risk than they’ve ever been. Most banks, I suspect, introduce these measures without really announcing them to the public.
I don’t, for the record, think this is the best way of tackling the problem. All this means is that accounts can’t be emptied in one go — in most cases this wouldn’t have been possible anyway, because of other limits on bank transfers. But what I think will happen is that phishers will concentrate on accessing accounts surreptitiously and maintain their access to those accounts without the knowledge of the users, setting up standing orders themselves that gradually empty accounts.
Of course, some customers will notice this kind of thing, but we’re likely to see phishing combine with more sophisticated efforts — such as those illustrated by Fabrice Marie in March — to gain access to accounts for more complex purposes than merely emptying them.
What I would like to see is some sort of dual- or triple-layered authorisation process for any kind of transaction or alteration of settings/standing orders/notifcation within accounts. Before making any such transaction or configuration change, the user would be required to enter data from a separate device, or else confirm via email or SMS or phone before the change/transfer was made. I think we have to stop assuming that entry/logging in is the main security fence. Phishers, scammers and social engineers have shown that is not the real issue. There are other ways to get in, so the security has to be at the transactional level, however much it upsets the user.
Bottom line: Don’t remove services from online banking to deter fraud because all you do is undermine its usefulness, and likely dissuade users from using it. Better to add multiple layers of security that may inconvenience the user but which help them to feel safer. In the end, they’ll still figure it saves them going to the bank, or spending hours diving through voice-driven menu options via phone-banking.