Editor's Note
Online Phishing: Don't Bait the Hook
I'LL
probably be the last person on earth to sign up for online banking. I still haven't agreed to do it partly because I'm leery of phishing. The mere mention of online phishing really bugs me. I don't like the sound of the word, and I certainly don't like the way it's spelled.
I just don't like phishing.
Partially, it's because banks have been slow to offer little more than a password for online banking, suggesting that customers don't want the added inconvenience. Banking regulators say otherwise: It's time to pick up the pace and protect customers. My bank says it maintains a firewall to prevent unauthorized entry into its systems. It also says the data is transferred using a private code that encrypts the data to prevent eavesdropping, tampering and message forgery.
I'm concerned enough about online banking that I want more information. A second authentication is a good idea at the right time. Convenience is great, but give me security anytime. |
The Federal Financial Institutions Examination Council, a group of regulators that includes the Federal Reserve and the FDIC, has told banks that single-factor authentication, such as user name and password, isn't enough to protect against fraud and identity theft. Banks now have until the end of 2006 to implement a two-factor authentication. This means relying on the customer, who might have hardware tokens or smart cards, as well as something the customer knows, such as a password.
Single-factor authentication is inadequate to protect against Internet-level scams, such as phishing and pharming. Because banks have been given a deadline of the end of 2006, they've also been directed to do risk assessments of all online transactions, taking a layered approach to ensure the level of security matches the risk.
Why is this a big deal?
According to an article published by MSNBC, nearly 2 million Americans have had their checking accounts raided by criminals in the past 12 months. The average loss per incident was about $1,200, and researchers are blaming online banking. The problem is that there is an increasing number of existing checking accounts without enough back-end fraud detection solutions.
As expected, banks are rather tight-lipped about fraud losses, and bank investigators have even less to say. When banks do talk, they admit there is an escalation in this part of the criminal element. There is a sharp rise in phishing e-mails, an attempt to steal user names and passwords. This is done by imitating e-mail from a legitimate bank or financial institution. Believe it or not, as many as 1.8 million consumers had been tricked into divulging personal information via a phishing attack, most of them in the past year.
Dave Jeans, chairman of the Anti-Phishing Working Group, said phishing attacks designed to steal bank information began to skyrocket in August 2003. Believe it or not, phishing e-mails have jumped 4,000 percent. Who got hit the hardest? Results show that Citibank overtook eBay as the most common target.
Phishing isn't the only way criminals gain access to online bank accounts, and the risks haven't let up for online banking. APWG found that 85 percent of the 14,000 unique phishing attacks in August were directed toward customers of financial institutions. Under development by the Financial Services Technology Consortium is a blueprint that financial institutions can use for better authentication; the goal is a framework that banks can tailor to their needs.
Customers might not like two-factor authentication because it requires an extra step, but it will add security. The days of a password neatly tucked away in the brain are over. Authentication options may include a one-time password system -- meaning an electronic device that banks give to every customer -- or a lower-tech version that might include bingo-like cards or scratch-off cards that contain a fixed number of passwords.
Lloyds TSB Bank in the United Kingdom has been working on stronger authentication, testing it with its 30,000 customers. Customers were given a device that generates a six-digit number every time they log onto the banking site. Bank of America has tried this with its SiteKey, in which an image picked by the customer appears when a person signs on. The bank then recognizes the computer from which the customer is signing on, and the customer is able to tell that the site is legitimate.
MasterCard International has developed its own Chip Authentication Program, in which an embedded chip generates a one-time password.
It all sounds perfect. However, don't count on crooks to be phased by two-factor systems.
Criminals are becoming increasingly knowledgeable at writing Trojan horse programs. Key loggers are quite adept at stealing passwords and account information. Experts say these attacks are more widespread than many realize and could be the cause of up to half of account takeovers.
Online banking and online bill pay is popular. As many as 141 million Americans use the Internet to pay bills. Consumers like the convenience, and banks like the operating savings.
Financial institutions need to step up to the plate and ensure that their customers are completely protected. On its Web site, my bank says of online banking, "You'll probably wonder how you lived without it." I wonder how secure it is and if my identity is protected by more than a simple password.
I'm concerned enough about online banking that I want more information. A second authentication is a good idea at the right time. Convenience is great, but give me security anytime.
I understand there will always be that criminal element working on its next phishing trip. I just don't want to bait the hook.
This article originally appeared in the January 2006 issue of Security Products, pg. 6.