Computer Crime Research Center


Banks fess up on online fraud

Date: March 28, 2005
Source: STUFF

New Zealand banks were hit by about 200 Internet banking frauds last year, an informal poll conducted by NZ InfoTech has found.

Though the banks say they recovered stolen funds in the vast majority of cases, all are looking into two-factor authentication to make personal bank accounts less vulnerable to attack.

This follows police recommendations and ASB Bank's successful introduction of two-factor authentication in December.

Westpac New Zealand says that out of 62 million log-ins last year there were 89 fraud attempts and 25 instances of money being lost irretrievably. It plans to introduce two-factor authentication for retail customers later this year.

All Westpac customers who lost money through online fraud were reimbursed by the bank, at a total cost of $134,000.

Kiwibank spokesman Bruce Thompson says that out of 2.5 million transactions, Kiwibank experienced 32 cases of online fraud in the past year. It recovered 97 per cent of the funds and the remaining 3 per cent was reimbursed to customers by the bank.

Eighteen cases involved the use of "mules" – people who are duped into channelling stolen funds through New Zealand-based bank accounts to fraudsters resident overseas.

Kiwibank has added another security measure to its website. A constantly changing number which is displayed as an image has to be rekeyed to prevent computers being used to bombard the site with passwords till they hit a valid one.

Mr Thompson says the bank may also employ two-factor authentication sometime this year.

"There are indications from overseas that it is very effective," he says.

Thirty-three National Bank customers were the victims of online fraud during the 11 months to the end of January, though in 29 of these cases the money was recovered.

The bank reimbursed unrecoverable funds on a "case by case" basis, it says.

"The actual dollar value of loss was such a small amount as to be immaterial," says spokesman Robert Reid. The bank's customers conduct millions of online transactions a year, he says.

BNZ spokesman Zaman Toleafoa describes instances of Internet fraud as low, with about 26 "successful" attempts last year.

In most cases money is recovered, and where it isn't it is reimbursed to customers, he says.

BNZ's parent, National Australia Bank, is trialling two-factor authentication to protect home bankers in Australia and BNZ may adopt it too, if the trial is successful, he says.

ANZ spokesman Craig Howie says the bank is also "considering two-factor authentication, along with other options".

ANZ has faced 39 online fraud attempts since October, seven of which succeeded.

Most perpetrators were identified and "dealt with", he says.

Many banks already offer two-factor authentication to businesses which bank electronically.

Using two-factor authentication, banking customers must key a special code – which can only be used once – as well as their regular password to undertake potentially risky, high-value online banking transactions.

Westpac and ASB issue business customers with a special hardware device or "token" manufactured by US firm RSA Security.

It looks like a pocket calculator and contains a clock to synchronise with banks' back-end servers.

Once the customer keys a password into the device, it uses algorithms to generate an access code – valid for only a few minutes – which customers must then rekey into their computer to complete their transaction.

ASB and BankDirect's NetCode service for retail customers, introduced in December, as well as the system being trialled by NAB in Australia, do away with the need for a special hardware device.

Access codes are instead sent by text message to customers' cell phones.

ASB Bank's head of technology, Clayton Wakefield, says so far 18,000 people have registered to use NetCode.

ASB and BankDirect customers must use it if they want to transfer more than $2500 within 24 hours to a previously unregistered third-party account.

The $2500 cap can be lowered by customers if they want additional peace of mind.
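The rule described above, sketched as an added example; it is not ASB's or BankDirect's code. It assumes the $2500 figure applies to the running total sent to unregistered accounts over the previous 24 hours, that a texted code lasts five minutes, and that any attempt uses the code up. All names are hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass, field

BANK_CAP = 2500        # dollars; the ceiling quoted in the article
WINDOW = 24 * 3600     # seconds in the 24-hour window
CODE_TTL = 300         # assumed lifetime of a texted code, in seconds

@dataclass
class Account:
    cap: int = BANK_CAP
    registered: set = field(default_factory=set)   # payees already on file
    history: list = field(default_factory=list)    # (time, amount) to unregistered payees
    pending: tuple = None                          # (code, expiry) awaiting use

    def set_cap(self, new_cap):
        # Customers may lower the cap, never raise it above the bank's figure.
        if not 0 <= new_cap <= BANK_CAP:
            raise ValueError("cap must be between 0 and the bank ceiling")
        self.cap = new_cap

    def needs_code(self, payee, amount, now):
        if payee in self.registered:
            return False
        recent = sum(a for t, a in self.history if now - t < WINDOW)
        return recent + amount > self.cap

    def issue_code(self, now):
        # Six random digits; a real service would send this by text message.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending = (code, now + CODE_TTL)
        return code

    def _consume(self, code, now):
        if code is None or self.pending is None:
            return False
        expected, expiry = self.pending
        self.pending = None            # single use: one attempt, right or wrong
        return now < expiry and hmac.compare_digest(expected, code)

    def transfer(self, payee, amount, now, code=None):
        if self.needs_code(payee, amount, now) and not self._consume(code, now):
            return False               # refused until a fresh code is presented
        if payee not in self.registered:
            self.history.append((now, amount))
        return True
```

Because the check is on the running total, splitting one large payment into several smaller ones inside the window still triggers the request for a code.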

So far no hacker has managed to break the system, though Mr Wakefield says fraud still occurs below the $2500 cap at "very low levels".

"I can count the instances of fraud on my right hand," he says.

"It's an effort equation for those criminals. They obviously go to easier targets."

Although cellphone-based authentication has its problems – customers must have cellphones, be in range and may not be able to use them to authenticate transactions from overseas – Mr Wakefield says customer feedback has so far been positive and there have been few teething problems.

It is also possible to take a low-tech approach to two-factor authentication.

Access codes containing random combinations of letters and numbers can simply be printed out on strips of paper and given to customers for them to rekey.

The approach to security is called two-factor authentication because two things are needed to authenticate a transaction – the customer's password and the physical device or piece of paper which provides the single-use access code.
