How Secure is your UK Online Banking?

The UK maybe still in the midst of a recession, but these times are proving anything but a recession for cybercriminals, as UK Online Banking fraud is sky rocketing at the moment. The ‘Financial Fraud Action’ showing a 55% increase for the first half of 2009, while the ‘UK Payments Administration’ figures reports a 44% year on year rise. Through my own research and underground monitoring of UK cybercriminal activity, I am seeing increasing numbers of stolen UK online bank account access details being put up for sale, and increasing numbers of keylogger malware being deployed, which are specifically targeting the theft of UK online bank access credentials covertly.

Despite these increases in criminal activity and years of warnings, UK banks still aren’t doing enough to protect their customers from the dangers of the internet. Many UK banks are still yet to provide their customers with a security best practice Two-Factor authentication access to their online banking, so are making it all too easy for cybercriminals to steal UK bank account access details. Two-Factor authentication involves using an individual hardware token which is possessed by each individual online account holder. This hardware token displays a constantly changing number on an LCD screen (see picture below), which is typed in along side the customer’s identity (name) and password to provide access to the online bank account. Using a hardware token such as this would prevent the majority of online banking theft today, as without the physical possession of the 2nd factor hardware token, you cannot gain access into the online bank account.

Many UK banks still resort to the security dated “knowledge based” authentication along side a person’s password. “Knowledge based” authentication is about asking the account holder a question which only that individual is likely to know the answer to. For example typical knowledge based questions are: What is your mother’s first name? What is the first school you attended? What is the name of your favourite pet? The problem is this type of personal information is no longer private in the information age, and can be found in all manner of places on the internet, both legitimately and illegitimately. So fraudsters who steal bank account details often do a bit of simple research to build up a knowledge profile about their target, so they can get pass the knowledge based questions as well. This information gathering can be done in just minutes from a computer keyboard, anywhere in the world, a wealth of personal details on target can be quickly found by using websites such as Google, Facebook and various public record websites like the electoral role directory 192.com. I have seen UK cyber-fraudsters selling complete profiles of UK individuals along with their online bank account username and password, including one which stated the victim’s favourite pet’s name!

Two-Factor authentication will not completely solve online banking fraud, but if deployed by UK banks, would go some distance in bringing down the number of UK online bank accounts being compromised. My own research shows the majority of UK bank theft is actually done from criminals based abroad, who generally regard the UK as easy pickings and a soft target. The slow take up of Two-Factor authentication by UK banks just goes to re-enforce the UK’s perception as being a soft target by cybercriminals around the world.

Why don’t all UK banks deploy Two-Factor authentication?

Their excuse is cost. Although the actual cost of deploying Two-Factor authentication is relatively small (£3 to £6 per customer), UK banks do not want to spend in the current climate and are more than happy taking the hit on cyber fraud, which is regarded as a more acceptable cost than shelling out on security prevention, no matter the inconvenience and stress this type of fraud places on it’s victims. There is a thought, given a choice customers would be happy to pay a one off £5 fee, paying for their hardware token to gain security benefits it provides.

Seriously, why do UK Banks continue to shoot themselves in the foot by not providing Two-Factor authentication to their customers?
Ok, here is the real food for thought on the cost argument. Most UK banks actually want their customers to use online banking for reviewing bank statements, than sending paper statements to their customers in the post. Surely the cost of having a customer use online banking and being provided with a hardware token for security is much cheaper than posting 12 statements a year. I say this as I know people who are put off by using online banking because they don’t feel confident in the security, personally I think using a hardware token would give them that a security assurance. Providing a Two-Factor token could actually turn out to be a real cost saving! And let’s not forget the carbon saving by not printing those paper bank statements and shipping them around the country too.

What can you do to protect your online bank account?
IT Security Expert advice
1. If your bank does not provide Two-Factor authentication (token/key), consider switching to a bank which does.

2. Password Protection
a. Ensure your bank account password is a unique password to you. Using the same password with other websites such as Social Networking websites, Message Boards, Webmail and Job Recruitment Websites must be avoided at all costs. The bad guys hack these types of websites to specifically lift individual username and passwords for the purpose for trying against their online banking websites.
b. Change your password at least once a year, once a quarter is what I personally recommend.
c. Ensure your password is strong. By strong I mean use upper, lower case letters, at least one number, but most of all include at least one “special character”. By “special characters” I mean @, ”, $, %. However I know of one recently taken over Yorkshire based bank which actually prevents you from using special characters in your password!

3. Email Security
a. We all know about phishing Emails now, but it’s still a major problem and a favourite attack by deployed by cybercriminals to harvest online bank details. Phishing Emails are becoming more realistic and more specifically targeted. Unfortunately this attack still works, people are still suckered in by these Emails. So no matter how genuine an Email looks, never click on the links, a bank will (should) never request your accounts details or ask for you to login for any reason via an Email. Remember a phishing Email always prays on the emotion of greed (you won something) or fear (your account has been compromised, change your details).
b. Never send your bank details by Email, no matter what legitimate company or person requests it, be strong and always resist, just say no!

4. Ensure your Operating System is patched up to date, and you have Anti-Virus and Anti-Spyware applications running at all times, and make sure they are kept up to date. The bad guys like to deploy key logging malware onto unsuspecting user PCs, who then have not idea their key strokes are being recorded and sent on to fraudsters, key strokes including those bank account access details, namely the username and password.

5. Check your bank statements regularly. UK banks are getting better at detecting bank fraud but it’s far from perfect. Therefore it’s important you take responsibility and check through your statements regularly looking for fraudulent transactions. Pay particular attention to internet transactions and transfers out.