Security fears dog online banking

Risk-based approach urged.

Online banking customers are worried about their financial security, but banks are lagging behind, according to a global survey of 4,500 internet users.

The survey identified security as a concern for 86 percent of online banking users, compared with just 68 percent for users of government web sites and 64 percent for online health care.

Four out of five wanted better protection than a simple password.

"Consumers are very much aware of the threats," Seth Geftic, senior manager of identity protection and verification at RSA, told V3.co.uk. "They are not satisfied with simple password protection. Consumers really want and need this security."

Geftic explained that, while some European banks use two-factor authentication, many UK and US banks are turning to risk-based authentication.

A risk-based approach monitors user behaviour and applies algorithms to usage patterns (the device, location, time and transaction profile of a session) to judge whether an account is likely to have been compromised. Because it scores the context of the session rather than only the credentials presented, it can still flag a login that a real-time 'man in the middle' attack has relayed with a valid one-time code, the kind of attack that defeats two-factor authentication on its own.
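The distinction above, as an added example that is not part of the original article and not RSA's product: a toy bank-side login check that first verifies an RFC 4226/6238 one-time password and then scores the session context. The token secret, customer profile, device identifiers, locations, weights and threshold are all constructed for the example.

```python
"""Added example, not from the article or from RSA: a toy bank-side login
check combining an RFC 4226/6238 one-time password with a risk score from
session context. Secret, profile, devices, locations and weights are all
constructed for illustration."""
import hashlib
import hmac
import math
import struct

TOKEN_SECRET = b"constructed-example-token-secret"  # hypothetical token seed
OTP_STEP_SECONDS = 30


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // OTP_STEP_SECONDS)


def otp_is_valid(secret, submitted, unix_time):
    """Bank-side check accepting the current step and one step either side."""
    counter = unix_time // OTP_STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in (-1, 0, 1))


# Constructed profile built from a customer's previous legitimate sessions.
KNOWN_PROFILE = {
    "device_ids": {"dev-home-laptop"},
    "countries": {"AU"},
    "usual_hours": range(7, 23),
    "last_login": {"lat": -27.47, "lon": 153.03, "time": 1_264_100_000},
}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def risk_score(session, profile):
    """Score a session from context signals; weights are illustrative only."""
    score, reasons = 0, []
    if session["device_id"] not in profile["device_ids"]:
        score += 40
        reasons.append("unrecognised device")
    if session["country"] not in profile["countries"]:
        score += 30
        reasons.append("new country")
    if session["hour"] not in profile["usual_hours"]:
        score += 10
        reasons.append("unusual hour")
    last = profile["last_login"]
    hours = max((session["time"] - last["time"]) / 3600, 1e-6)
    km = haversine_km(last["lat"], last["lon"], session["lat"], session["lon"])
    if km / hours > 900:  # faster than an airliner: travel is implausible
        score += 40
        reasons.append("impossible travel")
    if session.get("new_payee") and session.get("amount", 0) > 5000:
        score += 20
        reasons.append("large transfer to new payee")
    return score, reasons


def decide(session, profile, submitted_otp, threshold=50):
    """OTP gate first, then risk-based step-up on the session context."""
    if not otp_is_valid(TOKEN_SECRET, submitted_otp, session["time"]):
        return "reject: bad OTP"
    score, reasons = risk_score(session, profile)
    if score >= threshold:
        return "step-up: " + ", ".join(reasons)
    return "allow"


def simulate():
    """Constructed scenario: the customer types a valid OTP into a phishing
    page; the attacker relays it to the bank 20 seconds later from his own
    machine, inside the OTP window, and adds a large transfer to a new payee."""
    now = KNOWN_PROFILE["last_login"]["time"] + 3 * 3600
    otp = totp(TOKEN_SECRET, now)
    legit = {"device_id": "dev-home-laptop", "country": "AU", "lat": -27.47,
             "lon": 153.03, "hour": 9, "time": now}
    relayed = {"device_id": "dev-unknown-7f3a", "country": "RO", "lat": 44.43,
               "lon": 26.10, "hour": 9, "time": now + 20,
               "new_payee": True, "amount": 9000}
    return {
        "otp_accepted_from_attacker": otp_is_valid(TOKEN_SECRET, otp, now + 20),
        "legit": decide(legit, KNOWN_PROFILE, otp),
        "relayed": decide(relayed, KNOWN_PROFILE, otp),
    }


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(name, "->", outcome)
```

The relayed code passes the OTP check exactly as the customer's own login would, which is the whole point of a real-time relay: the second factor proves possession of the token, not that the person holding the session is the customer. What separates the two sessions is the context score. The caveat a practitioner should keep in mind is that a banking trojan proxying from the victim's own machine inherits the device, address and time-of-day signals, so in that case the transaction-pattern signals (new payee, unusual amount) carry most of the weight.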

Meanwhile, internet users are getting savvier about the threats from phishing and malware. In a similar survey in 2007, 63 percent of respondents were aware of Trojans; by last year this had risen to 81 percent.

The study also looked at social networking sites, and found that users are seriously worried about the levels of security.

"People are asking for more security and have said they would use it," said Geftic. "A lot of data on social networking sites is used to steal banking information. People have been trained not to answer an email from a bank, but attacks are more likely to come from social networking."

Copyright ©v3.co.uk


Comments: 8
gonny
Jan 22, 2010 10:04 AM
"However, internet users are getting savvier about the threats from phishing and malware."

I have definitely become savvier about the threats from phishing attacks. I have stopped responding to them as I have worked out that it isn't really my bank. I know this because I rang CBA and they confirmed they don't send emails that have multiple spelling mistakes telling me that my acount has espired and I need to update my parsword.
Daveh
Jan 22, 2010 10:26 AM
Ironically, I have researched this topic for my hons thesis.

The issue is actually evident within this article. Security within financial transactions is mentioned ONLY with negative stigma - see the mentions of THREATS with security. The reality of the situation is that you face the same risks every day in an offline environment.

What is needed to change things is for the media to report positive statistics about security and prevention for online finance. More warnings just lead to more fear.
Ace
Jan 22, 2010 10:54 AM
But you see Daveh, then you don't have a 'news' story. TV 'news' is restricted to one feel-good story (unless it's Australia day), which must be the last story read, and print media is pretty much the same.

Apparently we are simply not interested in good ideas, things that go right, or things that make you happier. I'm sure you'll use some kind of fear tactic to give your thesis more oomph, such as 'the world as we know it will end in widespread violence if this notion of "fear sells" continues in the future' ... or some such thing ;).

As we all know, money is the root of all evil, and someone stealing your money is the evil of all roots of all evil. I mean, that's really evil stuff!

Referring to 'positive statistics' - there is no such thing in reporting. There is either negative statistics, or a deafening silence. I think we have learned to realise that hearing nothing in the news about internet, Telstra, Qantas etc means that all is rosy. Or well covered up.

Regarding online bank security, because it is relatively important, I think it is worth a one-time password type of arrangement. Hopefully the banks could spend a little out of their billion dollar profits to distribute and manage security tokens to their customers. I know some do already, but not all.
wjc
Jan 22, 2010 11:44 AM
STOP BLAMING THE CUSTOMER!
If anything, our Government regulators must have seen the fallout from the Microsoft IE version 6, etc. (Aurora) debacle and the almost impossible situation that the home and small business PC user is in, in supposedly being responsible for protection of their PC used for Internet banking. Moreover, in a risk assessment sense, an ordinary user simply cannot ascertain the levels of vulnerabilities and threats involved in the global Internet.

It is time for our politicians and Government to take action - just as for many other industries - from the car industry, to air transport, to pharmaceuticals and so on - to ensure that the Australian banking industry provides what is needed to enable the PC to be used for services that they want us to use to save them costs, internet banking.

Recent USA suggestions that SMEs should dedicate a separate PC to JUST THEIR SPECIFIC INTERNET BANKING point to the need for action and for politicians to get involved in moving responsibility BACK TO THE BANKING AND FINANCE INDUSTRY ITSELF, as is common for other industries.

Remember that many people and SMEs still stuck on dial-up lines, because of Telstra's dreadful "pair-gain" mess, CANNOT MAINTAIN THEIR PC in up-to-date mode. At 35Kbits/sec the line times out before any real patches, virus updates, etc. can reasonably be applied! Asking them to ensure that patching is up to date in any on-line banking contract is an impossible demand and such clauses must be made conditional on the ability of the user to do so!

Solution - easy - a "card present" transaction at the home/SME PC by use of an approved PINPad, just like that available at most merchants AND with the proper tamper-resistant design and end-to-end cryptographic systems that were the hallmark of EFTPOS success in Australia (the 2805 series of standards and PINPad security designs).

Yes - regulation IS THE ONLY WAY. "Light touch" regulation has failed and market forces do not work. We are rapidly falling behind security "best practice" in this area globally from a time when Australia led the way! We still have a massive base of magstripe ATM cards!

For example, how many PINPads at stores no longer have a visual protection shield to enable safe entry of the PIN unobserved by the checkout person, at least? Many! How many PINPads are now bolted to a counter and are almost impossible to lift out of the socket to enable your PIN entry action to be private? Many, again!

Also, remember, any tampering with a PINPad, as reported in Queensland this week, was supposed to immediately destroy all the crypto keys used, requiring the PINPad to go back to the transaction acquirer organisation to be re-established as a valid unit.

The proof is there - a strong regulatory environment is the only way to protect our citizens and the nation. It is time to BLAME THE BANKING INDUSTRY, not the user.
Ace
Jan 22, 2010 12:19 PM
@wjc: Are we reading the same article? Where exactly in the article were customers being 'blamed'?

Also, if you can't download OS fixes over a 35Kbit line, then you seem much less likely to download viruses and get infected in a dangerous way. Is there a reason why any hacker would bother with a PC on the end of a dial-up line when there are so many faster connections to probe?

You can't put pin-pads at home, because 1) they require a dedicated dial-up line, 2) they could be hacked into much more easily at home and 3) the sheer expense would add about $600 per annum to your banking fees.

Pinpads are bolted down because they get stolen. Google 'mcdonalds pinpad perth stolen' to find out how some people got $3 million before being caught.

Many pinpads work in an 'offline' batch mode due to the sheer number of transactions the banks can cope with.

As no doubt you are aware, mag stripe cards are disappearing quite rapidly, but it's not something that can be done overnight.

I think there can be a significant improvement in security through much simpler measures.
Daveh
Jan 22, 2010 2:54 PM
Ace, I have also seen Bowling for Columbine. And I do agree with you. I simply wanted to give the facts as they were in my thesis and try to remain on neutral ground.

As for wjc's comment: ask yourself for a real-world example of what you're talking about. A person shouting their banking code and using it in all forms of non-reputable vendors throughout the world.

Should the financial institution be expected to accept the burden for this person's lack of caution? And, by proxy, common sense?

We live in an increasingly net-centric world. Being cautious on the internet needs to become second nature, like ensuring that your home is secure. Would you leave your doors unlocked while living in a huge city?

The blame rests with EVERYONE. For a start, people NEED to take responsibility, otherwise these issues will NEVER stop. Self-interest is the most common reason for education and would be the most obvious reason for people to take care, i.e. "I don't want to risk MY money", so why would we remove this self-interest by placing the risk with the financial institutions?

Looking at it another way, if a bank imposed limitations to your ability to spend online (say preferred vendors only) then there would be an OUTCRY. All the bank is doing in this case, is what the user should do personally with the broadest stroke possible in order to limit liability.

What you are after in this case is for Big-Uncle-Kevin to make the Big-Brother-Banks take care of you, instead of being self reliant?

Congratulations on turning 2. Hopefully with the next 16 years of schooling and learning you will become an adult net user.
gonny
Jan 22, 2010 4:55 PM
If it were actually true that many SMEs are still using dial-up, I think you will find the number would be ever decreasing as they go out of business.

If the solution to end-user online security was a $500 EFTPOS terminal in your house, it might defeat the purpose and convenience of the internet altogether. Here's one for you: why don't banks fit out our houses with ATM machines?

It is evident that online security fears are a result of a lack of education about how the internet works and the types of vulnerabilities that exist.

The fact that phishing scams have any success rate at all indicates that there is a severe lack of education and understanding around the internet and the opportunities available to hackers and criminals.

With all this in mind, I am actually wondering why consumers are fearful about online security at all???

In Australia, it is actually the financial institution that wears the cost of fraudulent activity conducted on an account.

So, in reality, perhaps it is the financial institution that has a vested interest in ensuring online banking customers are educated about the risks involved.

As a general rule though, to remain safe online, simply use a paid anti-virus solution. Make sure it is up to date. Don't respond to any email that looks phishy and, whatever you do, as hard as it is, don't visit pron sites that contain spyware and viruses.
Sams
Jan 23, 2010 9:41 AM
wjc = Prof. William (Bill) J Caelli - trusted computing advocate?

Google: caelli +PINPad

Legislating that trusted computing is required on any PC that talks to a bank .. not going to happen.

"Solution - easy - a 'card present' transaction at the home/SME PC by use of an approved PINPad"

Requiring that every motherboard on a PC involved in online transactions will have expensive, specialised security hardware is not an "easy" solution. For those that want it, an easy solution is a free read-only boot CD supplied by the bank (or a third party partnered with lots of banks and payment providers like PayPal), with a stripped down (Linux?) OS and just enough tools to make transactions. Send a timely updated CD every once in a while to head off any critical vulnerabilities (invalidate some kind of key on the old one). In addition to HTTPS and one-time password tokens, that should be sufficient. Once the effort to crack the technology becomes harder than socially engineering money out of people, then you have won.

"a strong regulatory environment is the only way to protect our citizens and the nation"

Manifestly no, but it is a good way for security tech firms, and their investors, to make money I think.