Thursday 1 September 2011

Evolution of UK Home Banking Security - In progress?

I was featured in an article by MSN Money titled "Online Banking Security gets more Complex"

http://money.uk.msn.com/news/crime/articles.aspx?cp-documentid=159017310

Nothing groundbreaking, but it appears UK banking customers are starting to feel the pain of the trade-offs that come with stronger online banking security, as UK banks try to save money by cutting the online account fraud losses they previously accepted.

"One person, one bank: three devices

But despite the evidence that new measures are more than just inconvenient, many banks are pressing ahead. Lloyds, Barclays, Cooperative Bank, RBS and Nationwide Building Society all require customers to use a card reader when amendments are made to standing orders, direct debits or when setting up payments.

"This is called two-factor authentication," said independent bank security expert Dave Whitelegg.

How two-factor authentication works
The idea is that no fraudster can access your account, however much they know about your life, your pets and your mother's maiden name, unless they also physically possess the device. "It's the same theory as for chip and pin," Whitelegg told MSN.

Chip and pin dramatically cut credit card fraud, and banks are hoping that two-factor identification will have the same effect on online bank fraud.

The biggest worry for banks is phishing attacks, by which fraudsters send emails hoping to get customers to log into cloned bank websites and enter their details, which are then captured and used to empty the real accounts.

"Phishing emails are sent out by the million, so even if 0.1% of recipients fall for them, they are a success," Whitelegg said.
Most such phishing attempts are easy to spot, failing to address the customer by name and littered with bad grammar and misspelling. But a new generation are more convincing. They may not only have your name, but also much more convincing cloned websites.

Mobile banking: a worrying new frontier
The next frontier in banking fraud is coming with smartphones, which are increasingly enabled for transactions, but which experts say add a new vulnerability.

"They have never been targeted before, so they have never matured with fraud in the same way that PCs have," Whitelegg said.

Sending a text to confirm payment changes, which Santander among others allows, will become less secure if the entire transaction was originated from a stolen mobile.

So who are the people behind online fraud? There is a whole ecosystem out there, with software masterminds writing key logger and phishing programmes and devising convincing copies of bank websites. Then there are communities of hackers and fraudsters who meet online, and buy this software off the shelf, Whitelegg says.
"You have the people who steal cards, or personal data, who can be from anywhere, and then there are the Far Eastern networks of botnets, clusters of remotely controlled computers, which actually generate the phishing attacks," Whitelegg said.

The result is that just a few clever people have seeded a whole crime industry for thousands of criminals who would never have the brains to devise the whole process themselves.

How you can protect yourself
There are no absolutely foolproof ways to avoid data or identity theft but here are a few sensible precautions.

1) Treat your personal data like cash: Don't leave it lying around. Shred unwanted documents, don't disclose financial details or potential answers to security questions (e.g. your mother's maiden name) except on verifiable and encrypted sites.

2) Use reputable anti-virus software and keep it up to date.

3) Never download an attachment from an untrusted source as it may contain viruses.

4) Phishing attempts usually begin with alarming warnings about a breach of your security. Banks never alert their customers this way. Even if you are concerned by an email, either ring your bank, or type in the web address from a bank statement. Never follow a link on the email.

5) Change your email address so it's not identical to your real name as used in any financial accounts, so you can easily spot crude phishing attempts which address you by your email name.

6) If you must write down passwords or security details, disguise them. This is particularly important if they are kept on a computer. Use a long and secure password to 'lock' laptops.

7) When inputting details onto a bank website, don't input them in the same order as the questions appear, and use the mouse rather than tab buttons to move around the screen. This can help foil key loggers and other trojan devices.

8) Go ex-directory: keeping your phone details out of circulation stops most phone-based frauds as well as irritating sales calls.

9) If your bank phones you unexpectedly, protect your interests by asking THEM a security question. Ask what your balance was on the date of your last statement, or a recent transaction that you can check. Banks will not ask for online security codes by phone, so don't give them. If in doubt say you are going to ring them back on the usual customer service number."
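The card-reader two-factor scheme the quoted article describes can be made concrete with a small model. The code below is an added example, not code from the article, the blog author, or any bank, and it is a deliberately simplified constructed scheme rather than the real EMV-CAP protocol: the bank issues a random challenge, the card (the possession factor) computes an HMAC over the challenge and the transaction details, and the bank checks the resulting code once only. The customer name, payee numbers, amounts and the 32-byte card key are all constructed sample values.

```python
import hashlib
import hmac
import secrets

DIGITS = 8  # length of the code shown on the reader (constructed choice)


def derive_response(card_key: bytes, challenge: str, payee: str, amount_pence: int) -> str:
    """Code the card reader displays for one specific payment.

    The HMAC covers the bank's challenge *and* the payee/amount, so the
    code is useless for any other transaction. Truncating a 64-bit value
    modulo 10**DIGITS has negligible bias for an 8-digit code.
    """
    message = f"{challenge}|{payee}|{amount_pence}".encode()
    digest = hmac.new(card_key, message, hashlib.sha256).digest()
    number = int.from_bytes(digest[:8], "big")
    return f"{number % 10**DIGITS:0{DIGITS}d}"


class CardReader:
    """The possession factor: only someone holding the card can run this."""

    def __init__(self, card_key: bytes):
        self._card_key = card_key  # in reality locked inside the chip

    def generate_code(self, challenge: str, payee: str, amount_pence: int) -> str:
        return derive_response(self._card_key, challenge, payee, amount_pence)


class BankServer:
    """Holds a copy of each customer's card key and the challenges it issued."""

    def __init__(self):
        self._card_keys = {}
        self._pending = {}  # customer -> set of challenges not yet used

    def enrol(self, customer: str, card_key: bytes) -> None:
        self._card_keys[customer] = card_key
        self._pending[customer] = set()

    def issue_challenge(self, customer: str) -> str:
        challenge = f"{secrets.randbelow(10**DIGITS):0{DIGITS}d}"
        self._pending[customer].add(challenge)
        return challenge

    def verify_payment(self, customer: str, challenge: str, payee: str,
                       amount_pence: int, code: str) -> bool:
        # Only challenges we issued and have not yet seen are acceptable.
        if challenge not in self._pending.get(customer, ()):
            return False
        # Consume the challenge even on failure so a code can never be replayed.
        self._pending[customer].discard(challenge)
        expected = derive_response(self._card_keys[customer], challenge, payee, amount_pence)
        return hmac.compare_digest(expected, code)


def demo(card_key: bytes = b"\x01" * 32):
    """Walk through the cases the article's advice is about. Returns
    (legitimate, replayed, tampered, no_device) verification results."""
    bank = BankServer()
    bank.enrol("alice", card_key)
    reader = CardReader(card_key)

    # 1. Alice sets up a new payee with her own card reader.
    ch1 = bank.issue_challenge("alice")
    code1 = reader.generate_code(ch1, "12345678", 5000)
    legitimate = bank.verify_payment("alice", ch1, "12345678", 5000, code1)

    # 2. A phishing site that captured code1 tries to submit it again.
    replayed = bank.verify_payment("alice", ch1, "12345678", 5000, code1)

    # 3. The captured code is submitted with a different payee account.
    ch2 = bank.issue_challenge("alice")
    code2 = reader.generate_code(ch2, "12345678", 5000)
    tampered = bank.verify_payment("alice", ch2, "99999999", 5000, code2)

    # 4. Someone who knows every personal detail but lacks the card
    #    (modelled as a wrong key) cannot produce a valid code.
    ch3 = bank.issue_challenge("alice")
    guess = derive_response(b"\x02" * 32, ch3, "12345678", 5000)
    no_device = bank.verify_payment("alice", ch3, "12345678", 5000, guess)

    return legitimate, replayed, tampered, no_device


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The point the article makes, that a phisher who has harvested everything a customer knows still cannot move money, corresponds to cases 2 to 4: the challenge is single use, the code is bound to the payee and amount, and without the key inside the card the attacker can only guess one of 10^8 values. Real readers differ in detail (they use the EMV chip's own cryptogram and a PIN to unlock the card), but the security property is the same.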

7 comments:

  1. Good luck with the new direction that you are seeking. I have found that it is best to talk about it to other people,
    seek out individuals in same/similar fields and organizations that you want to become part of and use your network that you have built up over the years.
    Keep us posted. Nice article! We definitely need someone to do a bigger scale test on this exact topic to see if we can get some statistically significant results.
    vps hosting reviews

  2. Frank, thanks for your notes. I think all your points are valid. The only issue is what and how you use in real time scenario. Nice tut! Thanks so much for the great info.
    I was wondering this post, I like the idea Stephanie. I wonder if there wouldn't be another, even more elegant solution.
    vps hosting reviews

  3. There is nothing to fear about mobile and online banking. This post clearly outlines all the things people can do to prevent any kind of virtual fraud. Great job informing the general public of vital security pointers. Personal information is something to be closely guarded, whether you're banking online or posting at dating sites like plentyoffish.com.

  4. It seems as if people just can't get enough of internet accounts. The bank subsequently launched an internet 'branch' in 1999 and WAP is on the way. Online people will be excited for this innovation.

  5. For security the most used thing is security cams...
