Banks dismissive of 'phishing' losses

The amount of money lost through online banking scams is 'not material enough' to warrant stepping up authentication, according to Australia's main banking industry group

The debate over the threat posed by email online banking scams or "phishing attacks" is heating up, with security experts accusing banks of ignoring danger signs.

According to the Anti-Phishing Working Group, the number of phishing attacks carried out globally has risen from three to about 50 per week since last November with Australian banks being among the most targeted in the world.

However, Australia's main banking industry body, the Australian Bankers' Association (ABA), says losses from online banking fraud "are not material enough" to warrant boosting online banking security.

ABA chief executive officer, David Bell, said other forms of graft such as credit card fraud were much more worthy of the banks' attention.

"Security is a top priority for Australian banks and fraud is taken very seriously.

"All banks have top level encryption, use intricate firewalls and have many other technology-driven security solutions. Fraud losses experienced after the spam email and ghost Web site criminal attacks are not material compared to other forms of fraud," said Bell.

Professor Bill Caelli -- a vocal Internet expert -- says the banks' risk assessment in the online fraud sphere, which he labelled as "who cares", is complacent, if not slightly dishonest.

"If there's no problems then why are they putting all this incredible three or four pages of junk on their own Web sites warning the end user to use firewalls and update their anti-virus software?" asks Caelli.

Caelli goes further, arguing banks' IT risk assessment generally is outdated. He said the banks were underestimating the number of consumers conducting online banking using insecure operating systems and the success of hackers in exploiting vulnerabilities. He believes banks have simply been lucky not to have suffered more serious attacks sooner.

"Okay, we haven't had massive attacks yet. All I'm saying is we've been warned -- the spamming and phishing are warning signs," he said.

"For heaven's sake now is the time to develop the next generation of security to meet the new risk assessment".

Near the heart of the issue is whether the static password-based authentication systems currently used by banks are adequate for online commerce. Security experts argue that online banking requires a two-layer authentication method equivalent in integrity to that employed for conventional offline transactions.

Credit cards and ATM cards are examples of two-layer authentication systems. "Two-layer" (a term born from an IBM study on security produced over 30 years ago, according to Caelli) means the consumer is required to prove their identity by both what they know -- such as a PIN number or signature -- and what they possess (a card).

Internet banking is a single layer authentication method. It requires the consumers to demonstrate only what they know -- their account details and their password. That makes them targets for online confidence tricksters and criminals who use any means necessary to dupe consumers into divulging that knowledge or simply steal it.

Pointing to Microsoft's recent decision to incorporate support for RSA's two-layer authentication tokens into the next Windows XP service pack, Caelli said it was high time that the banks beefed up security for their Internet banking products.

"Even [Microsoft's] chief software architect and chairman said the single password is dead. It's about time the Australian banking industry woke up and did the same thing," said Caelli.

One manufacturer of the devices, Vasco Security, claims the authentication tokens will stop password thieves in their tracks. They allow consumers to log on to online sites using a different temporary password each time.

"Here is a solution to your phishing and keystroke loggers," said Campbell Bradford, a Vasco Security consultant.

"Even if you put up a keystroke logger at an Internet cafe and capture my password the next time you try to log on it's going to be useless; it'll have expired".

While Microsoft's has endorsed the devices recently, they aren't new. Bradford said Vasco had sold more than 10 million of its tokens to 267 banks, mainly based in Europe, with trials by United Kingdom banks Lloyds TSB and Barclays already well underway.

Australian banks that ZDNet Australia spoke to offered a mixed range of views on investing in authentication tokens and more robust online technology.

St. George Bank said it's examining the technology but hasn't made any commitments yet.

"We are seriously looking at some of these factors at the moment but we're not giving any commitment as to whether we will or we won't, but, obviously, there are some distinct benefits involved in these things," said a spokesperson for St.George.

The Commonwealth Bank also told ZDNet Australia that it had some interest in investigating technology that could fortify its online banking service against fraud.

"In the case of products that could potentially minimise risk associated with phishing scams, the bank is always pleased to work with industry to provide better solutions", said a spokesperson for the CBA.

ANZ, which has been targeted by four email phishing scams during the past year, says there is no business case for using the tokens. For now, ANZ says, its solution will be continued focus on educating consumers.

"In some ways the technology is less of an issue here than people's sophistication in thinking through unsolicited emails and responding," said a spokesperson.

ANZ claims the strategy is working. It said the number of calls it has received in response to scams during the year has steadily decreased as consumers have become more aware of online bank scams through the media.

However, Bradford claims that none of Australia's major banks including St.George, ANZ and the Commonwealth Bank are receptive to solutions to fix the problem.

Privately, some sources within the banks were prepared to admit that they had reservations about authentication tokens. It appears that banks are concerned they would reduce customers' access to online banking services as they would have to have the token on their person to use the service.

But Bradford claims they simply aren't taking the problem seriously.

"There's not enough public pressure on the banks to do something about it and not enough Australians know enough about stronger authentication".

For more coverage on ZDNet Australia, click here.