Editor's Note

Online Phishing: Don't Bait the Hook

I'LL probably be the last person on earth to sign up for online banking. I still haven't agreed to do it partly because I'm leery of phishing. The mere mention of online phishing really bugs me. I don't like the sound of the word, and I certainly don't like the way it's spelled.

I just don't like phishing.

Partially, it's because banks have been slow to offer little more than a password for online banking, suggesting that customers don't want the added inconvenience. Banking regulators say otherwise: It's time to pick up the pace and protect customers. My bank says it maintains a firewall to prevent unauthorized entry into its systems. It also says the data is transferred using a private code that encrypts the data to prevent eavesdropping, tampering and message forgery.

I'm concerned enough about online banking that I want more information. A second authentication is a good idea at the right time. Convenience is great, but give me security anytime.

The Federal Financial Institutions Examination Council, a group of regulators that includes the Federal Reserve and the FDIC, has told banks that single-factor authentication, such as user name and password, isn't enough to protect against fraud and identity theft. Banks now have until the end of 2006 to implement a two-factor authentication. This means relying on the customer, who might have hardware tokens or smart cards, as well as something the customer knows, such as a password.

Single-factor authentication is inadequate to protect against Internet-level scams, such as phishing and pharming. Because banks have been given a deadline of the end of 2006, they've also been directed to do risk assessments of all online transactions, taking a layered approach to ensure the level of security matches the risk.

Why is this a big deal?

According to an article published by MSNBC, nearly 2 million Americans have had their checking accounts raided by criminals in the past 12 months. The average loss per incident was about $1,200, and researchers are blaming online banking. The problem is that there is an increasing number of existing checking accounts without enough back-end fraud detection solutions.

As expected, banks are rather tight-lipped about fraud losses, and bank investigators have even less to say. When banks do talk, they admit there is an escalation in this part of the criminal element. There is a sharp rise in phishing e-mails, an attempt to steal user names and passwords. This is done by imitating e-mail from a legitimate bank or financial institution. Believe it or not, as many as 1.8 million consumers had been tricked into divulging personal information via a phishing attack, most of them in the past year.

Dave Jeans, chairman of the Anti-Phishing Working Group, said phishing attacks designed to steal bank information began to skyrocket in August 2003. Believe it or not, phishing e-mails have jumped 4,000 percent. Who got hit the hardest? Results show that Citibank overtook eBay as the most common target.

Phishing isn't the only way criminals gain access to online bank accounts, and the risks haven't let up for online banking. APWG found that 85 percent of the 14,000 unique phishing attacks in August were directed toward customers of financial institutions. Under development by the Financial Services Technology Consortium is a blueprint that financial institutions can use for better authentication; the goal is a framework that banks can tailor to their needs.

Customers might not like two-factor authentication because it requires an extra step, but it will add security. The days of a password neatly tucked away in the brain are over. Authentication options may include a one-time password system -- meaning an electronic device that banks give to every customer -- or a lower-tech version that might include bingo-like cards or scratch-off cards that contain a fixed number of passwords.

Lloyds TSB Bank in the United Kingdom has been working on stronger authentication, testing it with its 30,000 customers. Customers were given a device that generates a six-digit number every time they log onto the banking site. Bank of America has tried this with its SiteKey, in which an image picked by the customer appears when a person signs on. The bank then recognizes the computer from which the customer is signing on, and the customer is able to tell that the site is legitimate.

MasterCard International has developed its own Chip Authentication Program, in which an embedded chip generates a one-time password.

It all sounds perfect. However, don't count on crooks to be phased by two-factor systems.

Criminals are becoming increasingly knowledgeable at writing Trojan horse programs. Key loggers are quite adept at stealing passwords and account information. Experts say these attacks are more widespread than many realize and could be the cause of up to half of account takeovers.

Online banking and online bill pay is popular. As many as 141 million Americans use the Internet to pay bills. Consumers like the convenience, and banks like the operating savings.

Financial institutions need to step up to the plate and ensure that their customers are completely protected. On its Web site, my bank says of online banking, "You'll probably wonder how you lived without it." I wonder how secure it is and if my identity is protected by more than a simple password.

I'm concerned enough about online banking that I want more information. A second authentication is a good idea at the right time. Convenience is great, but give me security anytime.

I understand there will always be that criminal element working on its next phishing trip. I just don't want to bait the hook.

This article originally appeared in the January 2006 issue of Security Products, pg. 6.


  • Maximizing Your Security Budget This Year

    The Importance of Proactive Security Measures: 4 Stories of Regret

    We all want to believe that crime won’t happen to us. So, some business owners hope for the best and put proactive security measures on the back burner, because other things like growth, attracting new customers, and meeting deadlines all seem more pressing. Read Now

  • 91 Percent of Security Leaders Believe AI Set to Outpace Security Teams

    Bugcrowd recently released its “Inside the Mind of a CISO” report, which surveyed hundreds of security leaders around the globe to uncover their perception on AI threats, their top priorities and evolving roles, and common myths directed towards the CISO. Among the findings, 1 in 3 respondents (33%) believed that at least half of companies are willing to sacrifice their customers’ long-term privacy or security to save money. Read Now

  • Milestone Announces Merger With Arcules

    Global video technology company Milestone Systems is pleased to announce that effective July 1, 2024, it will merge with the cloud-based video surveillance solutions provider, Arcules. Read Now

  • Organizations Struggle with Outdated Security Approaches, While Online Threats Increase

    Cloudflare Inc, recently published its State of Application Security 2024 Report. Findings from this year's report reveal that security teams are struggling to keep pace with the risks posed by organizations’ dependency on modern applications—the technology that underpins all of today’s most used sites. The report underscores that the volume of threats stemming from issues in the software supply chain, increasing number of distributed denial of service (DDoS) attacks and malicious bots, often exceed the resources of dedicated application security teams. Read Now

Featured Cybersecurity


New Products

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge. 3

  • ResponderLink


    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols. 3

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3