Computer Crime Research Center


Computer crime: internet banking perspective

Date: June 13, 2005
Source: STUFF
By: Tom Pullar-Strecker

Consumers are becoming wary of internet banking. Concerns about phishing, pharming and keyloggers mean customers are now afraid someone might loot their bank account without them knowing it.

The Australian-owned banks have fronted up to the size of the problem of internet banking fraud in New Zealand. In March they indicated customers had been hit by about 200 frauds last year - mostly phishing and keylogging attacks - with the losses running to hundreds of thousands of dollars.

Most of the banks said they reimbursed all customers whose accounts were raided, and all the banks said they reimbursed most customers.

From the banks' perspective, internet banking fraud is rare and the losses are small.

So small, in fact, that some privately admit it is hard for them to justify big investments in two-factor authentication systems or other additional security measures to mitigate the problem.

All two-factor authentication systems are, to some degree, messy and inconvenient. There is a trade-off between the ease of use and the cost and level of security they provide.

The two-factor authentication system just deployed by the Economic Development Ministry is a case in point. By using a plastic card, the system does away with the need to rely on expensive text messages or hardware tokens for authentication. It's very cheap and convenient, but if a card is photographed or copied without the knowledge of the owner, the mechanism is defeated.

The text message-based two-factor authentication system pioneered last year by ASB Bank is, to all intents and purposes, completely secure, but won't appeal to customers who aren't into texting.

Yet doing nothing isn't an option.

People aren't prepared to accept a lot of risk when it comes to safeguarding what, in many cases, will be their life savings. There is a genuine risk that without a real assurance of security a significant proportion of customers will turn away from internet banking and instead rely on branch and phone-based transactions.

Banks can't afford to let that happen. They have invested too much in their internet banking offerings. The recent proliferation of high-interest online and phone-based saving accounts on both sides of the Tasman, and the pretty impressive sums that some of them have attracted from investors, is further evidence of how significant the channel has become for the banks.

On the face of it, there might be a couple of quick fixes.

Should the "pay anyone" facility for customers to transfer funds online to private third-party accounts be switched off, for example?

Bankers say the "pay anyone" feature of internet banking services has become increasingly popular.

One speculates that a large proportion of such transactions are probably accounted for by people paying one another for goods purchased on Trade Me. The banks have no means of knowing for sure whether that is the case.

Another tempting quick fix might be to ban international money transfer service Western Union, which appears to be many crooks' favoured means of transferring money out of the country quickly and anonymously.

Some banks argue that if Western Union were booted out of New Zealand it would only slow down organised internet fraud for a while and that alternatives would emerge. Cash could simply be withdrawn from the New Zealand accounts of the "mules" that are commonly used to funnel stolen funds offshore, and posted overseas.

In the US, the current great hope is that banks will be effective in using software to detect and block suspicious transactions, based on customers' previous behaviour. In Britain, banks have begun delaying online transfers made for the first time between accounts by up to 24 hours to make it more likely they'll detect suspicious activity before it's too late.
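The two controls in that paragraph, a hold on transfers to a payee the customer has never paid before and a check of the amount against the customer's own history, as an added Python example that is not from the article or from any bank's system. The thresholds, account names and transaction history are constructed for illustration; only the 24-hour figure comes from the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import List, Optional

# Assumed parameters (only the 24-hour hold is taken from the article):
HOLD_HOURS = 24        # delay applied to a first-time payee
ZSCORE_LIMIT = 3.0     # how far above the customer's usual amount a transfer may go
MIN_HISTORY = 5        # with fewer settled transfers than this, skip the statistical rule


@dataclass(frozen=True)
class Transfer:
    customer: str
    payee: str         # destination account; every value below is constructed
    amount: float
    when: datetime


@dataclass(frozen=True)
class Decision:
    action: str        # "release", "hold" or "review"
    reason: str
    release_at: Optional[datetime] = None


def screen(transfer: Transfer, history: List[Transfer]) -> Decision:
    """Apply both controls to one outgoing transfer and say what to do with it."""
    own = [t for t in history if t.customer == transfer.customer]

    # Control 1 (the British approach in the text): a payee this customer has
    # never paid is not released at once. The delay gives the bank time to
    # detect a problem and the customer time to notice a transfer they never made.
    if transfer.payee not in {t.payee for t in own}:
        return Decision("hold", "first transfer to this payee",
                        release_at=transfer.when + timedelta(hours=HOLD_HOURS))

    # Control 2 (the US approach): compare the amount with this customer's own
    # behaviour. A z-score against past amounts is used here; real engines use
    # richer models, but the idea is the same.
    amounts = [t.amount for t in own]
    if len(amounts) >= MIN_HISTORY:
        mu, sigma = mean(amounts), pstdev(amounts)
        if sigma > 0:
            z = (transfer.amount - mu) / sigma
            if z > ZSCORE_LIMIT:
                return Decision("review",
                                f"amount {transfer.amount:.2f} is {z:.1f} standard "
                                f"deviations above the customer's mean of {mu:.2f}")

    return Decision("release", "known payee, amount within normal range")


# Constructed settled history for one customer: rent, power and a gym payment.
_T0 = datetime(2005, 1, 1)
HISTORY = [
    Transfer("cust-1", "rent-acct", 1200.0, _T0 + timedelta(days=30 * i)) for i in range(3)
] + [
    Transfer("cust-1", "power-acct", a, _T0 + timedelta(days=30 * i))
    for i, a in enumerate((150.0, 160.0, 140.0))
] + [
    Transfer("cust-1", "gym-acct", a, _T0 + timedelta(days=30 * i))
    for i, a in enumerate((45.0, 55.0, 50.0))
]

# Three constructed incoming transfers: a normal rent payment, an unusually large
# payment to a known payee, and a payment to an account never paid before.
INCOMING = [
    Transfer("cust-1", "rent-acct", 1200.0, datetime(2005, 6, 13, 9, 0)),
    Transfer("cust-1", "rent-acct", 4500.0, datetime(2005, 6, 13, 9, 5)),
    Transfer("cust-1", "new-acct", 300.0, datetime(2005, 6, 13, 9, 10)),
]


def run_demo() -> List[Decision]:
    """Screen the constructed incoming transfers against the constructed history."""
    return [screen(t, HISTORY) for t in INCOMING]


if __name__ == "__main__":
    for t, d in zip(INCOMING, run_demo()):
        print(f"{t.payee:<10} {t.amount:>8.2f} -> {d.action:<7} ({d.reason})")
```

The output for the three sample transfers is release, review and hold respectively. Note where the friction the article describes comes from: the first-time-payee rule holds every genuinely new payee, including a legitimate Trade Me purchase, and the behavioural rule needs enough settled history before it can say anything at all, so a new customer gets no protection from it.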

It's tempting to argue that a combination of some or all of the measures above would be the best way to mitigate the problem caused by internet banking fraud.

But the problem is not just fraud itself, but the element of fear and uncertainty it creates.

A mix of two-factor authentication and sophisticated monitoring to detect fraudulent transactions won't completely remove that uncertainty and therefore won't ultimately fix the problem.

To do that, banks will have to provide a categoric assurance they will reimburse customers if funds are stolen by internet fraudsters and address whatever consequences that has for the services and security measures they provide.

That's easier said than done. BNZ tried to provide similar assurances in relation to online shopping in 2000 - NetPledge and NetPromise. They became so peppered with qualifications and caveats that were insisted on by the bank's lawyers that the final wording of the guarantees appeared to reduce rather than enhance customers' protection.

Insurance begets insurance fraud.

No one wants to assume risk.

But it's the banks - not consumers - that decide what security measures they are prepared to invest in and what trade-offs they are prepared to make when it comes to internet banking. They are, therefore, the right party to bear that risk.

This would be a good time for them to step up to the mark.


Copyright © 2001-2013 Computer Crime Research Center