[ISN] Thieves in the site
InfoSec News
isn at c4i.org
Tue Dec 6 05:41:51 EST 2005
http://www.smh.com.au/news/banking/thieves-in-the-site/2005/12/05/1133631195585.html
By Peter Weekes
December 6, 2005
Regulators and financial institutions are finally starting to realise
what security specialists have warned for a long time: the internet is
not a particularly secure place to do your banking.
Over the past few years financial institutions have encouraged
consumers to move online, as it is cheaper for them to operate a
website than a local branch network.
The strategy has worked. Last year the number of people with online
banking accounts doubled to seven million, according to the Market
Intelligence Strategy Centre.
But financial institutions have been slow to provide customers with
secure transactions.
Instead, organisations such as the Australian Bankers Association have
put the onus on consumers to buy firewalls and anti-virus software to
protect their computers.
This attitude is slowly changing, with overseas regulators calling on
banks to adopt more stringent security than a simple - and highly
susceptible - password.
Internet fraud cost Australian banks about $25 million last year, and
that doesn't include the country's 60-odd credit unions that may have
been affected.
In a paper presented at the recent Information Warfare and Security
Conference, Matt Warren, head of the school of information systems at
Deakin University, said only 23 of the 181 institutions that offer
internet banking provide customers with security stronger than a
password.
"The concern that I have is the duty of care that the banks have to
protect their customers," he told Money.
"Banks are focusing on maximising profit, they aren't focusing on
maximising security."
He concedes that any method of protection is a temporary solution, as
the internet was not created to transmit sensitive personal
information, but adds that banks still have an ethical responsibility
to ensure it is safe to do business with them online.
However, banks are reluctant to adopt high-protection measures such as
biometrics (retina scans and fingerprints) because of the cost to the
bottom line, he says.
Warren doubts that regulation forcing banks to provide certain types
of protection will be successful in stopping fraud. By the time the
regulation is implemented in the fast-moving world of internet
technology, he argues, hackers will have developed new techniques to
beat the system, and the consumer will be left with antiquated
protection. Nonetheless, US federal regulators say passwords are no
longer sufficient.
They have told the banks they must provide additional identity
verification by the end of next year.
Similar moves are under way in Britain and Europe.
The Australian Bankers Association is encouraging its members to
voluntarily introduce two-factor authentication systems.
This means customers must identify themselves twice, first with
something they know and then with something they have. For example, to
use the website they might enter a password and then a randomly
generated one-time-only string of numbers.
This can be sent to the user by SMS, an approach adopted by the
National Australia Bank, or by a security token, used by HSBC and
others. "The idea of that is that if someone has captured your
password, they won't have obtained the other information, so they
can't masquerade as you," Warren says.
The security tokens are small digital devices that customers can carry
around on their key rings. On a home computer, passwords could be
captured by trojan programs, which record the key strokes you have
entered and send them back to the hacker. Because the tokens generate
a real-time, one-time-only sequence of numbers, the captured
keystrokes are worthless to any fraudster.
Neal Wise is a professional hacker. He co-founded Assurance.com.au and
worked with a number of banks to test the tokens before they were
introduced.
"They certainly do make a contribution," he says. "When you use a
password that you have agreed upon with your financial institution, it
is a static value and, if you don't frequently change it, it could be
compromised.
"Even if you do change it, it is done in the internet banking site.
"The tokens provide more randomisation that would prevent an attacker
from being able to guess the string of values that you enter in from
the token as well as your password and user name."
A number of banks offer customers such tokens, but HSBC is the only
one willing to foot the bill.
"We take the view that ensuring adequate levels of protection for
customers is the bank's responsibility," says HSBC's Australian head
of direct banking, Liz Kimber. "We thought it appropriate that we fund
it. Other banks see it in a different light, but that's what we
decided."
The Australian Consumers Association agrees. Its senior finance policy
officer, Nick Coates, says extra security is needed and the cost
should be picked up by the banks.
"You don't expect customers to pay for the security guards outside a
bricks-and-mortar bank, so you wouldn't expect consumers to pay for
the upgraded IT," he says.
Wise doesn't think new technology is the only answer. He is most
concerned about an online facility known as "pay-anyone". Until
recently most banks didn't put a limit on the amount that could be
transferred out of a fund. This meant that a hacker could clear out an
entire account without alerting anyone until it was too late.
"The pay-anyone facility is dangerous," Wise says. "That is why banks
are now putting reasonable limits on the daily amounts that can be
transferred."
Wise says there are also problems with two-factor authentication: the
SMS approach is dependent on the reception of the mobile phone, while
tokens can be expensive and cumbersome if people have multiple
accounts, each of which will require its own different device.
For more information on secure online banking, visit the following
websites: http://www.bankers.asn.au; http://www.choice.com.au
SECURITY CHEAT SHEET
* Regularly change passwords. Don't use one that's easily guessed,
such as a birthdate.
* Use a different password for each site.
* Never respond to any email requesting your details and passwords and
don't follow links in an email.
* Always enter the web address in your browser to go to your bank's
site. To make sure you're at a legitimate site, click/double click
on the padlock symbol and check the security certificate.
* Ensure your operating system (for example, Windows), email program
and browser have the latest security updates and patches.
* Install antivirus, anti-spyware and firewall software and keep them
up to date. New threats are created every day.
* Avoid using public computers, such as those in internet cafes, for
online banking.
* Don't give your account details, PINs or access codes to anyone,
including family or friends, or anyone who calls asking for them,
even if they say they're from your bank.
* Don't select "save password" on computer programs or websites.
* Log off as soon as you finish internet banking and close your
browser.
* Regularly check account statements and notify your bank immediately
if you believe your password has been compromised or you notice
unauthorised transactions.
Source: Australian Consumers Association
More information about the ISN
mailing list