http://www.smh.com.au/news/banking/thieves-in-the-site/2005/12/05/1133631195585.html

By Peter Weekes
December 6, 2005

Regulators and financial institutions are finally starting to realise what security specialists have warned for a long time: the internet is not a particularly secure place to do your banking.

Over the past few years financial institutions have encouraged consumers to move online, as it is cheaper for them to operate a website than a local branch network. The strategy has worked: last year the number of people with online banking accounts doubled to seven million, according to the Market Intelligence Strategy Centre.

But financial institutions have been slow to provide customers with secure transactions. Instead, organisations such as the Australian Bankers Association have put the onus on consumers to buy firewalls and anti-virus software to protect their computers.

This attitude is slowly changing, with overseas regulators calling on banks to adopt something more stringent than a simple password, which is easily guessed or stolen.

Internet fraud cost Australian banks about $25 million last year, and that figure doesn't include the country's 60-odd credit unions that may also have been affected.

In a paper presented at the recent Information Warfare and Security Conference, Matt Warren, head of the school of information systems at Deakin University, said only 23 of the 181 institutions that offer internet banking provide customers with security stronger than a password.

"The concern that I have is the duty of care that the banks have to protect their customers," he told Money. "Banks are focusing on maximising profit, they aren't focusing on maximising security."

He concedes that any method of protection is a temporary solution, as the internet was not created to transmit sensitive personal information, but adds that banks still have an ethical responsibility to ensure it is safe to do business with them online.
However, banks are reluctant to adopt high-protection measures such as biometrics (retina scans and fingerprints) because of the cost to the bottom line, he says.

Warren doubts that regulation forcing banks to provide certain types of protection will succeed in stopping fraud. By the time the regulation is implemented in the fast-moving world of internet technology, he argues, hackers will have developed new techniques to beat the system, and the consumer will be left with antiquated protection.

Nonetheless, US federal regulators say passwords are no longer sufficient. They have told the banks they must provide additional identity verification by the end of next year. Similar moves are under way in Britain and Europe.

The Australian Bankers Association is encouraging its members to voluntarily introduce two-factor authentication systems. This means customers must identify themselves twice, first with something they know and then with something they have. For example, to use the website they might enter a password and then a randomly generated, one-time-only string of numbers. This code can be sent to the user by SMS, an approach adopted by the National Australia Bank, or generated by a security token, used by HSBC and others.

"The idea of that is that if someone has captured your password, they won't have obtained the other information, so they can't masquerade as you," Warren says.

The security tokens are small digital devices that customers can carry around on their key rings. On a home computer, passwords can be captured by trojan programs, which record the keystrokes you have entered and send them back to the hacker. Because the tokens generate a real-time, one-time-only sequence of numbers, a captured code is worthless to a fraudster once it has expired; only a fraudster who relays it within the short period it remains valid could still use it.

Neal Wise is a professional hacker. He co-founded Assurance.com.au and worked with a number of banks to test the tokens before they were introduced. "They certainly do make a contribution," he says.
"When you use a password that you have agreed upon with your financial institution, it is a static value and, if you don't frequently change it, it could be compromised.

"Even if you do change it, it is done in the internet banking site.

"The tokens provide more randomisation that would prevent an attacker from being able to guess the string of values that you enter in from the token as well as your password and user name."

A number of banks offer customers such tokens, but HSBC is the only one willing to foot the bill. "We take the view that ensuring adequate levels of protection for customers is the bank's responsibility," says HSBC's Australian head of direct banking, Liz Kimber. "We thought it appropriate that we fund it. Other banks see it in a different light, but that's what we decided."

The Australian Consumers Association agrees. Its senior finance policy officer, Nick Coates, says extra security is needed and the cost should be picked up by the banks. "You don't expect customers to pay for the security guards outside a bricks-and-mortar bank, so you wouldn't expect consumers to pay for the upgraded IT," he says.

Wise doesn't think new technology is the only answer. He is most concerned about an online facility known as "pay-anyone". Until recently most banks didn't put a limit on the amount that could be transferred out of an account. This meant that a hacker who gained access could clear out an entire account without alerting anyone until it was too late.

"The pay-anyone facility is dangerous," Wise says. "That is why banks are now putting reasonable limits on the daily amounts that can be transferred."

Wise says there are also problems with two-factor authentication: the SMS approach depends on the mobile phone having reception, while tokens can be expensive and cumbersome for people with multiple accounts, each of which will require its own separate device.
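The one-time-code mechanism the article describes, as an added example (this is not code from the article, nor from any bank or token vendor it names). The key-ring tokens of 2005 used vendor-specific algorithms, so the block stands in the later open TOTP scheme (RFC 6238: HMAC-SHA1 over a 30-second time counter) with a constructed shared secret. It shows the server-side check with a small clock-skew window and a used-code record, which is why a keylogged code is no use to a fraudster once its time step has passed or the genuine user has already spent it:

```python
"""TOTP-style one-time codes: generate, verify, and reject replays.

Added illustration, not the article's or any bank's code. Uses RFC 6238
TOTP (HMAC-SHA1, 30-second steps, 6 digits); the shared secret below is
the RFC's published test seed, used here as constructed sample data.
"""
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step
DIGITS = 6   # digits shown on the token
SKEW = 1     # accept one step of clock drift either side of "now"


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Code the token displays at unix_time (RFC 4226 truncation of an HMAC)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Bank side: holds the shared secret and remembers counters already used.

    A code is accepted only if it matches a counter inside the skew window
    AND that counter has not been accepted before. A keylogger that captured
    the code therefore cannot replay it: the real user has already consumed
    that counter, and after the window has moved on the code no longer
    matches at all.
    """

    def __init__(self, secret: bytes):
        self._secret = secret
        self._used: set[int] = set()

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP
        for counter in range(now - SKEW, now + SKEW + 1):
            if counter in self._used:
                continue  # already spent: a replay, even inside the window
            expected = totp(self._secret, counter * STEP)
            if hmac.compare_digest(expected, code):
                self._used.add(counter)
                return True
        return False


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 SHA-1 test seed as the token secret.
    secret = b"12345678901234567890"
    bank = TokenVerifier(secret)

    code = totp(secret, 59)                       # what the token shows at t=59
    print("token shows", code)                    # RFC vector: 287082
    print("genuine login", bank.verify(code, 59))  # True
    print("replay 11s later", bank.verify(code, 70))  # False: counter spent
    print("replay minutes later", bank.verify(code, 200))  # False: expired
```

The `_used` set is what turns "one-time" from a property of the display into a property the server actually enforces; without it, two logins within the same 30-second step with the same captured code would both succeed. In a real deployment that record must be per-customer and persist across server restarts, and the skew window should be kept as small as clock quality allows, since every extra step is another code the fraudster could relay.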
For more information on secure online banking, visit the following websites: http://www.bankers.asn.au; http://www.choice.com.au

SECURITY CHEAT SHEET

* Regularly change passwords. Don't use one that's easily guessed, such as a birthdate.
* Use a different password for each site.
* Never respond to any email requesting your details and passwords and don't follow links in an email.
* Always enter the web address in your browser to go to your bank's site. To make sure you're at a legitimate site, click/double click on the padlock symbol and check the security certificate.
* Ensure your operating system (for example, Windows), email program and browser have the latest security updates and patches.
* Install antivirus, anti-spyware and firewall software and keep them up to date. New threats are created every day.
* Avoid using public computers, such as those in internet cafes, for online banking.
* Don't give your account details, PINs or access codes to anyone, including family or friends, or anyone who calls asking for them, even if they say they're from your bank.
* Don't select "save password" on computer programs or websites.
* Log off as soon as you finish internet banking and close your browser.
* Regularly check account statements and notify your bank immediately if you believe your password has been compromised or you notice unauthorised transactions.

Source: Australian Consumers Association
This archive was generated by hypermail 2.1.3 : Tue Dec 06 2005 - 03:10:08 PST