Online banking is suffering through a withdrawal phase. A study last fall by I.T. security firm Entrust found that 18 percent of Americans who bank online plan to do so less often because of security concerns. A third of the respondents said they were worried about their bank's Web site being spoofed by a fraudulent facsimile that would trick them into divulging their logon information.
"Consumer confidence in online banking security has been damaged," said Chris Voice, vice president of technology at Entrust. "This is bad news for banks. If consumers start defecting from online banking to call centers or branches, this will put banks' costs up."
According to Voice, a call-center transaction costs a bank 10 times as much to process as an online transaction. And if people start beating a path back to the branches, where a transaction is even more expensive than at the call center, banks will have to hire more staff, he said.
Banks are reluctant to share hard data on the scale of online fraud. But in response to the growing threat, financial institutions around the world are stepping up their user-authentication systems and strengthening their risk-monitoring technology.
In the U.S., the federal government has given banks until the end of the year to install better online-security measures. Some companies, such as Bank of America and E*Trade, have gotten a head start by introducing two-factor authentication technologies to complement the traditional user name and password required for accessing online services.
A SiteKey for Sore Eyes
Two-factor authentication combines something you have, such as a hardware device or a software application, with something you know, such as a password.
Bank of America's new authentication system, called SiteKey, is now mandatory in all markets across the U.S. in which the bank offers online-account services, with the exception of Washington and Idaho. The bank said it will roll out SiteKey to its online customers in those two states by April.
SiteKey, developed by PassMark Security in Menlo Park, California, is designed to prevent account holders from falling prey to bogus Web sites that troll for sensitive information. It does this by asking you to select an image and a phrase that only you know. If this image and phrase are not displayed on the Bank of America Web site when you log in, then you know the site is fraudulent.
"SiteKey allows our customers to know that they are accessing our Web site and not a fraudulent site, and it enables us to know that we are dealing with genuine customers," said Betty Riess, a spokesperson for Bank of America.
E*Trade chose a hardware-based route to stronger authentication. Since April 2005, it has been offering its customers devices known as SecurID tokens, which are made by RSA Security in Bedford, Massachusetts. For customers who are frequent traders on the site or who hold over $50,000 in assets with E*Trade, the SecurID tokens are free; everyone else pays a one-time $25 charge.
These tokens calculate a one-time "passnumber" that the customer enters when logging on. The number has to correspond to an identical one-time passcode that is simultaneously generated at E*Trade's back-end server.
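The token-and-server pairing described above, as an added illustration that is not RSA's SecurID algorithm (which is proprietary): both sides derive the code from a shared seed and the current time step with an HMAC, and the server tolerates one step of clock drift while refusing to accept the same code twice. The 60-second step, the seed and the customer names are constructed for the example.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per time step (assumed; the article gives no interval)


def otp_for_counter(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time code for one time-step counter (HOTP-style truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def token_display(secret: bytes, now: float) -> str:
    """What the customer's token shows at wall-clock time `now` (seconds)."""
    return otp_for_counter(secret, int(now // STEP))


class BackEndServer:
    """Holds each customer's seed and checks the codes they submit."""

    def __init__(self, seeds: dict):
        self.seeds = seeds          # customer -> shared secret seed
        self.last_counter = {}      # customer -> highest counter already accepted

    def verify(self, customer: str, submitted: str, now: float, window: int = 1) -> bool:
        secret = self.seeds.get(customer)
        if secret is None:
            return False
        current = int(now // STEP)
        # Accept the current step plus `window` steps either side to absorb clock drift.
        for counter in range(current - window, current + window + 1):
            # Constant-time comparison so timing does not leak which digits matched.
            if hmac.compare_digest(otp_for_counter(secret, counter), submitted):
                # Replay protection: a counter value may be redeemed only once.
                if counter <= self.last_counter.get(customer, -1):
                    return False
                self.last_counter[customer] = counter
                return True
        return False
```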
"We have been very pleased with the adoption rates for the tokens," said Greg Framke, E*Trade's CIO. While he would not disclose how many tokens have been issued, Framke said adoption numbers have been doubling regularly since the program started. "There is a pretty reasonable proportion of users who log on every week to E*Trade with the tokens," he said.
The company has enough confidence in SecurID to offer its customers a guarantee that they will be reimbursed if they suffer online fraud, whether or not they are token users. "We expect other financial institutions to follow our lead in issuing tokens to their customers," Framke said.
Methods of Deceit
Avivah Litan, a financial-services security analyst at Gartner Group, said that a rise in online banking fraud attempts has followed banks' efforts to step up their security systems for debit and credit card payments. "It's too early to tell how the criminals will respond to the new security systems that banks are installing for their Web sites," Litan said.
Two scams commonly used today are phishing and pharming. In a phishing attack, a victim is tricked into divulging a password, user name, or other confidential data by an e-mail that purports to originate from a bank or credit card company. The message typically steers people to fake Web sites under the pretense of having them update security information. Once the sensitive data is obtained, the victim's money is there for the taking.
Phishing e-mails might also ask customers to reconfirm their ATM card number, expiration date, and personal identification number (PIN). These details are then used to manufacture a bank card, which the fraudster then uses to drain the victim's account.
"No legitimate bank or e-commerce company is going to send its customers e-mails requesting security information," said Amanda Pires, a spokesperson for PayPal. "Nor is a bank going to send out an e-mail warning that a user's account will be suspended if they do not immediately provide their Social Security Number."
Pharming works much in the same way as phishing, except that e-mail is now out of the picture. In a pharming attack, your Web browser is hijacked so that you are diverted to a false site when you attempt to visit your bank. Unaware of anything out of the ordinary, you divulge your password and user name to criminals.
A variant of the two above scams is known as a "man in the middle" attack. Here, once a person is fooled into visiting a bogus bank site, a live attacker watches as the victim types in logon information. Criminals also have employed Trojan programs -- hidden applications that disguise themselves in order to avoid detection by antispyware software -- that wait for people to go to their banking sites and then capture passwords.
Keeping a Close Watch
Amir Orad, executive vice president of marketing at New York security firm Cyota, said that it is not enough for banks to step up their authentication procedures. "Just as a home owner has a gate, a lock on the door, an alarm and a safe, so banks need to have multiple layers of security," he said. In addition to stronger authentication, banks need to be monitoring their customers' transactions for abnormal events, according to Orad.
"If I log on and simply pay my monthly car insurance bill, then that is a normal event which does not need any verification," Orad said. "But if an online payment is made out of my bank account to someone that I have never made a payment to before, then maybe the bank needs to ask for some additional security information before authorizing the transaction."
A challenge-and-response mechanism is a good idea for high-risk transactions such as an online payment or a change-of-address notification, said Jonathan Penn, an analyst at Forrester Research. "If I ask my bank to change my address on its files and then ask for my card to be canceled and a replacement issued, then the bank's Web site should ask me a security question," he said. "It should not ask for something that is likely to be in the public domain like my Social Security Number, but for something that I have pre-agreed with it, such as my favorite football team."
Cyota has developed a real-time monitoring system that looks globally for fraudulent attempts to access online bank accounts. Its E-Fraud Network has 50 major banks as its members, including Barclays Bank of the UK and ING Direct of the Netherlands. "As soon as a suspect Internet Protocol address tries to access an account at one bank, this IP address is blocked, and its details are relayed to the other members of the network," Orad said.
Cyota was acquired in December by RSA, the security vendor that makes E*Trade's SecurID tokens.
Hardware devices represent an additional layer of security on top of software-based authentication and risk-monitoring systems. In the UK, banks are investigating the use of smart cards for accessing online banking services. Since the beginning of 2005, every UK bank customer has been issued a debit card that contains a chip as well as the standard magnetic stripe. The chip, which is designed to prevent the card from being cloned by crooks, can be used to authenticate the cardholder when logging on to a bank's Web site.
The way the card manages that feat is also the technology's one drawback: banks have to issue smart-card readers to the cardholders. When the smart card is inserted in the reader and the person types in the PIN, a passcode is generated. The person then enters that passcode when logging on to the bank's Web site.
According to Colin Whittaker, head of security at UK banking association APACS (Association of Payments and Clearing Services), it would cost banks in Great Britain the equivalent of $5.40 to issue a smart-card reader to each of their Internet-banking customers. "The banks have agreed to pay the cost of issuing these readers," he said. "What is not known yet is whether the banks will use the readers to authenticate cardholders when making online debit or credit card payments on the Web, or also for online banking security."
One company has developed a hardware-based authentication alternative to smart cards and one-time-passcode tokens. Meridea, in Helsinki, Finland, has developed software that allows cell-phone users to use their handset as an authentication device.
"An online banking user registers their cell-phone number with their bank and the bank then sends them a text message," said Justin McAuley, vice president of financial products at Meridea. "Once the customer has downloaded this message, they click on a link in it to download an application."
After downloading the application, the customer has to enter an activation code provided by the bank, and create his or her own secret PIN. "The cell phone has now become an authentication device," McAuley said. "There is no need for banks to issue their customers with online authentication tokens or smart cards."
When performing a transaction, the user is presented with a one-time challenge code on the bank's Web page, and is asked to provide a response code. "The user types the challenge code into the mobile phone, which validates that the challenge code is genuine," McAuley said. "After the user has entered their PIN into the phone, it generates a response code. The user types the response code into the Web bank screen, and the transaction is confirmed."
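The challenge-and-response exchange McAuley describes, as an added illustration that is not Meridea's software: the bank's challenge carries a short tag so the phone can tell a genuine challenge from one a bogus site invented, and the response key on the phone is stored wrapped under the customer's PIN, so a wrong PIN simply produces a wrong response that the bank (which can count failures) rejects. The tag/response construction, key sizes, activation code and PIN are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def _code(key: bytes, label: bytes, data: str, digits: int) -> str:
    """HMAC over label||data, folded to a short decimal code a person can type."""
    mac = hmac.new(key, label + data.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % (10 ** digits)).zfill(digits)


def _pin_key(pin: str, activation_code: str) -> bytes:
    """Wrapping key derived from the PIN; the bank's activation code serves as salt."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), activation_code.encode(), 100_000)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Bank:
    def __init__(self):
        self.keys = {}  # customer -> (challenge-tag key, response key)

    def enroll(self, customer: str) -> Tuple[bytes, bytes]:
        self.keys[customer] = (secrets.token_bytes(32), secrets.token_bytes(32))
        return self.keys[customer]

    def make_challenge(self, customer: str) -> str:
        """Random nonce plus a 4-digit tag the phone can check before answering."""
        nonce = str(secrets.randbelow(10 ** 6)).zfill(6)
        return nonce + "-" + _code(self.keys[customer][0], b"chal", nonce, 4)

    def verify(self, customer: str, challenge: str, response: str) -> bool:
        expected = _code(self.keys[customer][1], b"resp", challenge, 8)
        return hmac.compare_digest(expected, response)


class PhoneApp:
    """Activated with the bank's activation code and the customer's own PIN."""

    def __init__(self, tag_key: bytes, resp_key: bytes, activation_code: str, pin: str):
        self.tag_key = tag_key
        self.activation_code = activation_code
        # Response key kept wrapped under the PIN: the phone never learns whether the PIN
        # was right, so there is no offline PIN-guessing oracle on a stolen handset.
        self.wrapped = _xor(resp_key, _pin_key(pin, activation_code))

    def respond(self, challenge: str, pin: str) -> Optional[str]:
        nonce, tag = challenge.split("-")
        if not hmac.compare_digest(_code(self.tag_key, b"chal", nonce, 4), tag):
            return None  # challenge did not come from the bank: refuse to answer
        resp_key = _xor(self.wrapped, _pin_key(pin, self.activation_code))
        return _code(resp_key, b"resp", challenge, 8)
```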
Knowledge Is Its Own Reward
Recent efforts to fight fraud have stressed the importance of consumer education. Too many people, it seems, neglect to take the elementary step of running security software on their computers.
But some companies are encouraged by what they see as increased vigilance on the part of consumers. Amanda Pires, a spokesperson for eBay and its PayPal payments service, said that the online auction company has seen a rise in the number of phishing e-mails forwarded to it by users.
"We think greater user awareness about phishing is the reason for this," Pires said. "EBay and PayPal work with Internet service providers and law enforcement to shut down spoof Web sites. We have a very good success rate in the U.S., but it takes longer to shut down spoof Web sites when they are located abroad."
Still, people who bank online should not be lulled into a false sense of security.
Frost & Sullivan analyst Rob Ayoub said that many Internet users are more careful about their personal information in the physical world than they are on the Web. "No one would hand over their credit card information to a shady-looking guy hanging around outside their bank," he said.
"People should be even more careful on the Web."