Editor's Note

Online Phishing: Don't Bait the Hook

I'LL probably be the last person on earth to sign up for online banking. I still haven't agreed to do it partly because I'm leery of phishing. The mere mention of online phishing really bugs me. I don't like the sound of the word, and I certainly don't like the way it's spelled.

I just don't like phishing.

Partially, it's because banks have been slow to offer little more than a password for online banking, suggesting that customers don't want the added inconvenience. Banking regulators say otherwise: It's time to pick up the pace and protect customers. My bank says it maintains a firewall to prevent unauthorized entry into its systems. It also says the data is transferred using a private code that encrypts the data to prevent eavesdropping, tampering and message forgery.

I'm concerned enough about online banking that I want more information. A second authentication is a good idea at the right time. Convenience is great, but give me security anytime.

The Federal Financial Institutions Examination Council, a group of regulators that includes the Federal Reserve and the FDIC, has told banks that single-factor authentication, such as user name and password, isn't enough to protect against fraud and identity theft. Banks now have until the end of 2006 to implement a two-factor authentication. This means relying on the customer, who might have hardware tokens or smart cards, as well as something the customer knows, such as a password.

Single-factor authentication is inadequate to protect against Internet-level scams, such as phishing and pharming. Because banks have been given a deadline of the end of 2006, they've also been directed to do risk assessments of all online transactions, taking a layered approach to ensure the level of security matches the risk.

Why is this a big deal?

According to an article published by MSNBC, nearly 2 million Americans have had their checking accounts raided by criminals in the past 12 months. The average loss per incident was about $1,200, and researchers are blaming online banking. The problem is that there is an increasing number of existing checking accounts without enough back-end fraud detection solutions.

As expected, banks are rather tight-lipped about fraud losses, and bank investigators have even less to say. When banks do talk, they admit there is an escalation in this part of the criminal element. There is a sharp rise in phishing e-mails, an attempt to steal user names and passwords. This is done by imitating e-mail from a legitimate bank or financial institution. Believe it or not, as many as 1.8 million consumers had been tricked into divulging personal information via a phishing attack, most of them in the past year.

Dave Jeans, chairman of the Anti-Phishing Working Group, said phishing attacks designed to steal bank information began to skyrocket in August 2003. Believe it or not, phishing e-mails have jumped 4,000 percent. Who got hit the hardest? Results show that Citibank overtook eBay as the most common target.

Phishing isn't the only way criminals gain access to online bank accounts, and the risks haven't let up for online banking. APWG found that 85 percent of the 14,000 unique phishing attacks in August were directed toward customers of financial institutions. Under development by the Financial Services Technology Consortium is a blueprint that financial institutions can use for better authentication; the goal is a framework that banks can tailor to their needs.

Customers might not like two-factor authentication because it requires an extra step, but it will add security. The days of a password neatly tucked away in the brain are over. Authentication options may include a one-time password system -- meaning an electronic device that banks give to every customer -- or a lower-tech version that might include bingo-like cards or scratch-off cards that contain a fixed number of passwords.

Lloyds TSB Bank in the United Kingdom has been working on stronger authentication, testing it with its 30,000 customers. Customers were given a device that generates a six-digit number every time they log onto the banking site. Bank of America has tried this with its SiteKey, in which an image picked by the customer appears when a person signs on. The bank then recognizes the computer from which the customer is signing on, and the customer is able to tell that the site is legitimate.

MasterCard International has developed its own Chip Authentication Program, in which an embedded chip generates a one-time password.

It all sounds perfect. However, don't count on crooks to be phased by two-factor systems.

Criminals are becoming increasingly knowledgeable at writing Trojan horse programs. Key loggers are quite adept at stealing passwords and account information. Experts say these attacks are more widespread than many realize and could be the cause of up to half of account takeovers.

Online banking and online bill pay is popular. As many as 141 million Americans use the Internet to pay bills. Consumers like the convenience, and banks like the operating savings.

Financial institutions need to step up to the plate and ensure that their customers are completely protected. On its Web site, my bank says of online banking, "You'll probably wonder how you lived without it." I wonder how secure it is and if my identity is protected by more than a simple password.

I'm concerned enough about online banking that I want more information. A second authentication is a good idea at the right time. Convenience is great, but give me security anytime.

I understand there will always be that criminal element working on its next phishing trip. I just don't want to bait the hook.

This article originally appeared in the January 2006 issue of Security Products, pg. 6.


  • 12 Commercial Crime Sites to Do Your Research

    12 Commercial Crime Sites to Do Your Research

    Understanding crime statistics in your industry and area is crucial for making important decisions about your security budget. With so much information out there, how can you know which statistics to trust? Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX
  • People Say the Funniest Things

    People Say the Funniest Things

    By all accounts, GSX version 2023 was completely successful. Apparently, there were plenty of mix-ups with the airlines and getting aircraft from the East Coast into Big D. I am all ears when I am in a gathering of people. You never know when a nugget of information might flip out. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity


New Products

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3