Banks report 70 percent of phishing attacks hosted offshore

 

Former Soviet republics responsible for most scams.

Representatives from Australia's largest banks have told a Senate inquiry into cybercrime that 70 percent of phishing attacks targeted at their customers originate outside of Australia.

Appearing before a panel of senators in Sydney late last week, representatives from Westpac, the Commonwealth Bank, and the Australian Banking Association reported that many attacks originate from countries well outside the reach of Australian law.

"Typically a victim's loss is less than a few thousand dollars - it is commercially impossible to pursue those funds offshore," John Geurts, executive general manager of group security at the Commonwealth Bank, told the panel.

Richard Johnson, chief information security officer at Westpac, said the bank's operation centre found that "the vast majority of actual attacks are from offshore - from the former Soviet socialist republics".

The Senate inquiry has spent a great deal of time on the issue of where attacks originate in order to form an informed view on addressing the cybercrime problem.

The deputy chair of the panel, Kay Hull, canvassed concerns that there are no global authorities or agreements between international governments to police the internet. It was a problem, she said, that was highlighted by the Australian Tax Office in its submission to the inquiry.

The ATO reported a 31 percent increase in IT security incidents impacting its systems in the 2008/09 financial year, "including attempts to phish for information as well as malware attacks."

A phishing scam directed at ATO taxpayers in June, as reported by iTnews, was found on investigation to have originated on a server in the Ukraine.

"More recently there have been a number of tax refund email (phishing) scams," the office said in its submission. "The emails used to catch the consumer are visually very convincing. In addition to the personal loss or risk to the consumer associated with these attacks, they pose a risk of loss of information or revenue from the Tax Office through identity fraud."

The ATO also provided some insights as to how so many Australians may have been caught out by the scam.

"Anecdotal information gathered by Tax Office shopfront staff is to the effect that some taxpayers from a non-English-speaking background appear to have a limited understanding and awareness of e-security risks. Their limited knowledge and understanding of the Australian taxation system, lack of English language skills and for some, general computing inexperience, leave this section of population potentially vulnerable to online exploitation," the submission read. 

Banks winning the war on online fraud

Despite the growing complexity and diversity of attack methods, representatives from the banks reported that good progress is being made to fight online fraud.

Geurts said the CBA, for example, has reduced fraud by 96 percent when compared to 2005 levels. The bank has enrolled 2.8 million Australian customers into two-factor authentication technology - which means that the great majority of its regular users "don't experience any breaches", he claimed.

The bank is signing up 6,000 to 10,000 customers to the additional security measure every day, and is on target to sign up 100 percent by the end of next year, he said.

Beyond reducing levels of fraud, Geurts said such security measures have enabled a "far richer set of [banking] products" to be offered online.

Johnson, representing Westpac, said that while the Australian banking industry "has always had a philosophy of collaborating and working with white hats" and "led the world in the establishing of information sharing networks", better cross-sector collaboration was required to reduce fraud levels further.

Stakeholders as diverse as the Government, law enforcement and Defence, telecommunications providers, and banks should band together to share information and become more resilient to attack, he said.

"We are yet to coalesce as a group to share the information each of us have in a way that partners in other countries have achieved," he said.

His views were echoed by Tony Burke, policy director at the Australian Banking Association.   

"A closer relationship between banks, law enforcement and stakeholders would be desirable," he said.

But Burke warned that political attempts to introduce ISP-level content filtering won't provide a technical fix to the problems of cybercrime.

"We think at present that mechanisms we've seen on broad brush content-filtering has some negatives," he said. "Rather than trying to put a barrier up, there are ways to control the problem at the source."

He clarified that by the "source" he means the attacker.

"We all have gotten used to a certain amount of risk," he concluded. "And we need to, in order to participate in the internet world."

Copyright © iTnews.com.au. All rights reserved.


Comments: 1
bcmobile
Oct 13, 2009 3:11 PM
Headline should have been "30 percent of phishing attacks originate in Australia". That is a more surprising statistic!