Editor's Note

Online Phishing: Don't Bait the Hook

I'LL probably be the last person on earth to sign up for online banking. I still haven't agreed to do it partly because I'm leery of phishing. The mere mention of online phishing really bugs me. I don't like the sound of the word, and I certainly don't like the way it's spelled.

I just don't like phishing.

Partially, it's because banks have been slow to offer little more than a password for online banking, suggesting that customers don't want the added inconvenience. Banking regulators say otherwise: It's time to pick up the pace and protect customers. My bank says it maintains a firewall to prevent unauthorized entry into its systems. It also says the data is transferred using a private code that encrypts the data to prevent eavesdropping, tampering and message forgery.


I'm concerned enough about online banking that I want more information. A second authentication is a good idea at the right time. Convenience is great, but give me security anytime.

The Federal Financial Institutions Examination Council, a group of regulators that includes the Federal Reserve and the FDIC, has told banks that single-factor authentication, such as user name and password, isn't enough to protect against fraud and identity theft. Banks now have until the end of 2006 to implement a two-factor authentication. This means relying on the customer, who might have hardware tokens or smart cards, as well as something the customer knows, such as a password.

Single-factor authentication is inadequate to protect against Internet-level scams, such as phishing and pharming. Because banks have been given a deadline of the end of 2006, they've also been directed to do risk assessments of all online transactions, taking a layered approach to ensure the level of security matches the risk.

Why is this a big deal?

According to an article published by MSNBC, nearly 2 million Americans have had their checking accounts raided by criminals in the past 12 months. The average loss per incident was about $1,200, and researchers are blaming online banking. The problem is that there is an increasing number of existing checking accounts without enough back-end fraud detection solutions.

As expected, banks are rather tight-lipped about fraud losses, and bank investigators have even less to say. When banks do talk, they admit there is an escalation in this part of the criminal element. There is a sharp rise in phishing e-mails, an attempt to steal user names and passwords. This is done by imitating e-mail from a legitimate bank or financial institution. Believe it or not, as many as 1.8 million consumers had been tricked into divulging personal information via a phishing attack, most of them in the past year.

Dave Jeans, chairman of the Anti-Phishing Working Group, said phishing attacks designed to steal bank information began to skyrocket in August 2003. Believe it or not, phishing e-mails have jumped 4,000 percent. Who got hit the hardest? Results show that Citibank overtook eBay as the most common target.

Phishing isn't the only way criminals gain access to online bank accounts, and the risks haven't let up for online banking. APWG found that 85 percent of the 14,000 unique phishing attacks in August were directed toward customers of financial institutions. Under development by the Financial Services Technology Consortium is a blueprint that financial institutions can use for better authentication; the goal is a framework that banks can tailor to their needs.

Customers might not like two-factor authentication because it requires an extra step, but it will add security. The days of a password neatly tucked away in the brain are over. Authentication options may include a one-time password system -- meaning an electronic device that banks give to every customer -- or a lower-tech version that might include bingo-like cards or scratch-off cards that contain a fixed number of passwords.

Lloyds TSB Bank in the United Kingdom has been working on stronger authentication, testing it with its 30,000 customers. Customers were given a device that generates a six-digit number every time they log onto the banking site. Bank of America has tried this with its SiteKey, in which an image picked by the customer appears when a person signs on. The bank then recognizes the computer from which the customer is signing on, and the customer is able to tell that the site is legitimate.

MasterCard International has developed its own Chip Authentication Program, in which an embedded chip generates a one-time password.

It all sounds perfect. However, don't count on crooks to be phased by two-factor systems.

Criminals are becoming increasingly knowledgeable at writing Trojan horse programs. Key loggers are quite adept at stealing passwords and account information. Experts say these attacks are more widespread than many realize and could be the cause of up to half of account takeovers.

Online banking and online bill pay is popular. As many as 141 million Americans use the Internet to pay bills. Consumers like the convenience, and banks like the operating savings.

Financial institutions need to step up to the plate and ensure that their customers are completely protected. On its Web site, my bank says of online banking, "You'll probably wonder how you lived without it." I wonder how secure it is and if my identity is protected by more than a simple password.

I'm concerned enough about online banking that I want more information. A second authentication is a good idea at the right time. Convenience is great, but give me security anytime.

I understand there will always be that criminal element working on its next phishing trip. I just don't want to bait the hook.

This article originally appeared in the January 2006 issue of Security Products, pg. 6.

Featured

  • Video Surveillance Trends to Watch

    With more organizations adding newer capabilities to their surveillance systems, it’s always important to remember the “basics” of system configuration and deployment, as well as the topline benefits of continually emerging technologies like AI and the cloud. Read Now

  • New Report Reveals Top Trends Transforming Access Controller Technology

    Mercury Security, a provider in access control hardware and open platform solutions, has published its Trends in Access Controllers Report, based on a survey of over 450 security professionals across North America and Europe. The findings highlight the controller’s vital role in a physical access control system (PACS), where the device not only enforces access policies but also connects with readers to verify user credentials—ranging from ID badges to biometrics and mobile identities. With 72% of respondents identifying the controller as a critical or important factor in PACS design, the report underscores how the choice of controller platform has become a strategic decision for today’s security leaders. Read Now

  • Overwhelming Majority of CISOs Anticipate Surge in Cyber Attacks Over the Next Three Years

    An overwhelming 98% of chief information security officers (CISOs) expect a surge in cyber attacks over the next three years as organizations face an increasingly complex and artificial intelligence (AI)-driven digital threat landscape. This is according to new research conducted among 300 CISOs, chief information officers (CIOs), and senior IT professionals by CSC1, the leading provider of enterprise-class domain and domain name system (DNS) security. Read Now

  • ASIS International Introduces New ANSI-Approved Investigations Standard

    • Guard Services
  • Cloud Security Alliance Brings AI-Assisted Auditing to Cloud Computing

    The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today introduced an innovative addition to its suite of Security, Trust, Assurance and Risk (STAR) Registry assessments with the launch of Valid-AI-ted, an AI-powered, automated validation system. The new tool provides an automated quality check of assurance information of STAR Level 1 self-assessments using state-of-the-art LLM technology. Read Now

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation.