Online banking has been one of the biggest success stories of the internet, with 40m users in the US, and 15m in the UK. In addition to ease of use, it has saved banks millions by reducing the need for branch staff.
But along with the efficiencies and cost-savings have come rich pickings for criminals.
Phishing – a tactic used by identity thieves to trick internet users into giving out bank details and other sensitive information – has fooled an estimated 2.42m Americans, costing them $929m, according to analyst firm Gartner. In the UK, payments group Apacs says online banking fraud doubled last year to £23.2m.
“The growth in online banking fraud over the past three years has been significant and there’s no getting away from the fact that fraudsters see it as an opportunity,” says Kate Brown, senior manager, risk and compliance, internet channel at UK bank Lloyds TSB.
More than 2m Lloyds TSB customers have signed up to internet banking, but there is still a proportion that is nervous due to security concerns, she says.
Research by analyst firm Forrester claims 600,000 of the UK’s 15m online banking customers have deserted the internet, because of concerns about phishing and keystroke logging software.
But financial institutions are fighting back: in Hong Kong it is mandatory for banks to offer security devices to internet customers; in the US, the Federal Financial Institutions Examination Council has issued guidance requiring all internet banks to authenticate customers better.
By issuing customers with a key-ring-sized device that generates a unique passcode every 30 to 60 seconds, banks are trying to render the stealing of passwords and log-on details useless. Even if criminals trick customers into revealing log-on details they still need the passcode from the physical device to enter the site and carry out transactions, says Ms Brown.
A six month trial by Lloyds TSB, using devices from Vasco, eliminated online banking fraud among 23,500 customers, she says.
Lloyds TSB is not the only bank using technologies – such as tokens, biometrics, smart cards, cookies and scratch-off cards – to authenticate customers, says Clive Longbottom, head of research for analyst Quocirca.
HSBC has been trialling two-factor authentication devices in Hong Kong and Brazil and last month announced it would issue 180,000 tokens to UK business customers. German banking customers have been using one-time passwords for more than a decade and less hi-tech scratch-off cards have been used by banks such as Nordea in Scandinavia for years.
But Mikko Hyppönen, chief research officer at Finnish IT security company F-Secure, says that two-factor authentication is not foolproof in the fight against criminals.
“These guys do this for a living and make a lot of money out it. They can invest time to figure out what banks are doing and find ways around safeguards. It’s a game of cat and mouse,” he says.
Criminals are developing new methods, such as “session hijacking malware” and “man-in-the-middle” attacks, where hackers intercept online banking data by sending customers to replica sites. While customers enter details, a software program automatically contacts the real site, logs on, steals financial information and transfers money.
“At the moment the bad guys are still finding easy targets. They are going after the cars without the car alarms. But we are going to see more sophisticated attacks sooner or later,” says Mr Hyppönen.
In the meantime, Bank of America and UK bank Alliance & Leicester are working with IT company PassMark to stop the criminals. In addition to using a cookie to authenticate a particular computer, internet banking customers also choose a personalised image when they register. By showing the image each time a person logs on, the bank is authenticating itself to the customer making them less likely to fall prey to criminals’ spoof websites or man-in-the middle attacks.
“The problem behind phishing isn’t the failure of the user, it is the failure of the banks to authenticate themselves properly to customers,” says Mr Hyppönen.