New and Improved Login at Nationwide Building Society

UK’s Nationwide Building Society has implemented a login system that should defeat most phishing and keylogging attacks. After entering their customer number (which can be saved on the computer), users must complete two more fields:

  1. Any one of three previously registered "memorable" data items
  2. Using drop-down boxes, three digits from their six-digit passcode, with the three positions chosen at random for each login

Users probably don’t much like the changes at first, but it won’t take long before it’s routine, especially since users can select their own six-digit passcode.

Analysis
This system eliminates three problems:
– Those who use the same username/password from other sites
– Users with very easy-to-guess passwords such as their spouse’s name
– Keyloggers that capture typed usernames/passwords
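To make the mechanism concrete, here is an added example (not Nationwide’s code) of the server side of such a partial-passcode login: drawing three random positions, verifying the digits the user picks from the drop-downs, and showing why each login must draw a fresh challenge. The function names, the six-digit length and the three-position challenge are assumptions.

```python
"""Partial-passcode login of the kind described above: the server asks
for three of the six passcode digits, chosen at random per login.
Added example, not Nationwide's code; function names, the six-digit
length and the three-position challenge are assumptions."""
import hmac
import secrets

PASSCODE_LEN = 6      # assumed: six-digit numeric passcode
CHALLENGE_LEN = 3     # assumed: three positions requested per login


def new_challenge(rng=None) -> tuple:
    """Pick three distinct, ascending passcode positions (0-based).
    A CSPRNG is used so an observer cannot predict the next challenge."""
    rng = rng or secrets.SystemRandom()
    return tuple(sorted(rng.sample(range(PASSCODE_LEN), CHALLENGE_LEN)))


def answer_challenge(passcode: str, challenge: tuple) -> str:
    """The digits a legitimate user selects in the drop-downs."""
    return "".join(passcode[i] for i in challenge)


def verify_response(passcode: str, challenge: tuple, response: str) -> bool:
    """Server-side check of the digits supplied for the challenged positions.
    Malformed input is rejected first; the final comparison is constant-time
    so timing does not reveal which digit was wrong."""
    if len(passcode) != PASSCODE_LEN or not passcode.isdigit():
        return False
    if len(challenge) != CHALLENGE_LEN or len(set(challenge)) != CHALLENGE_LEN:
        return False
    if any(not 0 <= p < PASSCODE_LEN for p in challenge):
        return False
    if len(response) != CHALLENGE_LEN or not response.isdigit():
        return False
    expected = answer_challenge(passcode, challenge)
    return hmac.compare_digest(expected.encode(), response.encode())


def replay_captured(passcode: str, captured_response: str,
                    fresh_challenge: tuple) -> bool:
    """Whether a response captured by a keylogger in one session would pass
    a later session.  It only does when the server happens to repeat the
    same positions, which is why every login must draw a fresh challenge."""
    return verify_response(passcode, fresh_challenge, captured_response)


if __name__ == "__main__":
    passcode = "493817"                      # constructed sample passcode
    challenge = new_challenge()
    response = answer_challenge(passcode, challenge)
    print(challenge, response, verify_response(passcode, challenge, response))
```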

To learn more about how to promote online security and peace of mind, check out Marketing Security: The sensitive issue of publicizing security and authorization enhancements from our sister publication, the Online Banking Report.

FDIC Recommends Two-Factor Bank Authentication

Now that the FDIC has officially come out in favor of two-factor authentication, it’s only a matter of time before every major bank has upgraded their login procedures.

According to a Dec. 24 New York Times article, E*Trade Bank will be the first US bank offering two-factor authentication for retail customers. They are expected to use a token system similar to that used by AOL and several international banks including ABN Amro, Credit Suisse, Rabobank, and First National Bank (South Africa), winner of Online Banking Report’s Best of the Web in November.

E*Trade’s system is expected in Q1 2005 and will be optional for the customer. It’s already in testing with 200 customers.

US Bank is also said to be testing a token system from Verisign.

Analysis: A simpler solution needed for the mass market
We commend these banks for doing something to reassure frightened users. According to Forrester, 26% of online users have not applied online for a financial product due to phishing fears and 14% have stopped paying bills or banking online. Finally 20% have stopped opening emails from their financial providers.

However, a hardware token is overkill for most retail users. It requires ongoing maintenance expenses, tech support, and is a logistical headache for the end user. It’s kind of like a car alarm. They make sense if you live in a high-crime area, but mostly they are just a nuisance.

Luckily, there are simpler choices on the way. Just yesterday, an interesting company, BioPassword, was profiled in The Seattle Times. Its software records the unique typing pattern of the end user and will keep out anyone else attempting to type the user’s password. At a recent conference, the company offered up to $100,000 to anyone who could successfully log in to its account, even after they’d been told what the password was. Not one of 1200 attempts was successful.

Another interesting alternative to tokens is Entrust’s IdentityGuard, which Forrester analyst Jonathon Penn raved about in a November 19, 2004 research note. The Entrust solution is a low-tech version of the token: using a paper-based "bingo card," users are asked to enter digits from certain rows/columns of the card (see card right).

Another solution receiving a lot of attention, partly because ex-Intuit CEO Bill Harris is founder, is PassMark. The company touts its "2×2 factor" program that authenticates users to the bank and the bank to the user. The latter is done via visual aid, hence the company name. They also have an excellent easy-to-digest demo.

JB

How to Make Your Online Banking Customers Feel Secure

Link: Citizens Bank.

Most banks could help their customers increase their comfort level with online banking by doing four relatively simple things:

  1. Greet customers by name before logging in, so that users know they have arrived at the correct site.
  2. Post a prominent link to an online security area.
  3. Post an understandable discussion of the customer’s liability for unauthorized electronic withdrawals, preferably with a "guarantee" of zero liability if promptly reported.
  4. Provide hotline phone numbers and email addresses for reporting suspected fraud.

Citizens Bank, the U.S. division of Royal Bank of Scotland, does a good job with points 2 through 4.

A catchy homepage graphic for its "Online Fraud Prevention Center" directs users into a thorough discussion of online fraud and prevention techniques.

The bank’s Online Guarantee is highlighted with a graphic image, and a phone number and special email address, prevention@citizensbank.com, are also included.

Finally, copy writing is user-friendly and links to third-party resources, such as the National Cyber Security Alliance, round out the section.

OBR Special Report on New Safe Banking Initiative

www.safe2bank.com

Fed by media reports, often wrongly implicating online banking in fraud
problems, the public is becoming exasperated with the growing assault on
their computing. Spyware, adware, spam, viruses, worms and phishing are
enough to drive consumers back to that comfortable spot on the couch where
all they have to worry about is what show’s on next.*

At Online Banking Report, we’ve watched the growing backlash with great
concern. Although we’ve written about it, we want to do more. We’ve been
telling reporters for years that overall online banking is safer than
the paper processes it replaces. To get that message out to a broader
cross-section of consumers, we are launching the Safe Banking Initiative
(SBI) to foster education and awareness of safe online banking practices
within the industry and to educate the marketplace, especially the media, as
to the real risks of various banking and payment options, both online and
off. Its business model will be similar to the Underwriter’s Lab in
the electrical appliance field. The SBI website (under construction) will
contain educational information along with a database of certified banks.

Safe2Bank Online (S2BO) Certification

One of the first efforts will be the deployment of the Safe2Bank
Online Certification program, which will allow regulated financial
institutions to apply for a safe banking logo that can be displayed on their
websites. The idea is to help consumers know when they are visiting a financial
institution that adheres to the Safe2Bank guidelines. We plan to make
the scorecard criteria open to the public via the Safe2Bank website, but the
weightings, actual scores, and score cutoffs will remain confidential
(although participating financial institutions will receive a full copy of
their weighted scorecard and comments).

The guidelines are still in development, and we are looking for your
input. The first draft is listed on pages six and seven. To become
certified, financial institutions must achieve a yet-to-be-determined
minimum score across the 80 items. Financial institutions will not have to
pass all 80 guidelines to become certified, although there may be certain
required items such as a visible privacy policy, secure password-reset
procedures, and so on. Certified financial institutions will have their
names, Web addresses, and contact info listed on the Safe2Bank website. They
also have the option of licensing the mark to display on their own websites
and marketing material.

To become certified, financial institutions must answer a questionnaire
on their online banking features and processes (all questions related to
publicly available material). Answers will be verified by an SBI employee
and scored using the criteria in Table 2. Each factor will be weighted, and
partial credit will be available on certain guidelines. The resulting score
and comments from the evaluator will be shared with the participating
financial institution. The audit deals only with publicly visible features
and processes: it is NOT a back office or network security audit like the
SAS 70 or other regulatory reviews.

*As we were going to press, another story ran on The NBC Nightly News
about $90,000 lost by a small business apparently aided with information
obtained from a personal computer (reference: msnbc.msn.com/id/6713753).

Table 1

Safe Banking Initiative Timetable

Dec 2004   Industry announcement
Q1 2005    Online scorecard criteria finalized
           Certification applications accepted
Q2 2005    Safe Banking Online audits begin
           First financial institutions certified
           Safe2Bank Online public awareness campaign launched
Q4 2005    Safe2Bank Online scorecard revised

Source: Online Banking Report, 12/14/04

Timing & Cost

Financial institutions are encouraged to apply now for certification. The
first wave of certified financial institutions will be announced at the
launch of the consumer education campaign, currently slated for second
quarter 2005. Financial institutions will be certified in the order of
application, so the earlier you return the reservation form, the sooner
you’ll be eligible. The cost for the certification audit is $500 payable
with your reservation form (see enclosed). The fee is not refundable,
but those not passing may reapply within 12 months for half price.

Licensing the Safe2Bank logo

Financial institutions passing the S2BO audit will have the option of
licensing our Safe2Bank Online logo for inclusion on their websites
and marketing materials. Licensing cost will be no more than $1000 annually
during the launch period. Final pricing will be announced in first quarter
2004.

Consumer Awareness Campaign

As the certification process unfolds, we will initiate a far-reaching,
consumer-awareness campaign. Part of that effort will be to help each
certified bank make a splash in their home market. SBI will assist in
issuing a joint press release and will participate in other media events as
well. Online promotional efforts will also be used to raise awareness of the
Safe2Bank designation.

Reservation Form

We have enclosed a signup form with this newsletter. Receive one via
email by sending a request to anita@onlinebankingreport.com

Organizational Structure

The SBI is a wholly owned division of Financial Innovations, publishers
of Online Banking Report since 1995. The managing director is Kate Schultz
who brings to SBI a long track record of organizational leadership in the
nonprofit sector along with 10 years of contributions to Online Banking
Report. All guidelines will be reviewed by an industry advisory board
(below) before being finalized.

SBI Advisory Board

We consider every OBR subscriber to be an unofficial SBI advisor. So
please provide your input on the S2BO scorecard and any other aspect of the
initiative. We are also assembling a more formal advisory panel from the
industry to review the criteria and submit comments. If you would like to be
on the official panel, please email kate@netbanker.com. The position is
voluntary and unpaid with a relatively small time commitment**
(no meetings!). Membership is limited with preference to financial
institution employees.

Confidentiality

Although all the information obtained in the audit will be publicly
available, we understand the sensitivity of the industry to the threat of
hacking and leaks. Therefore, all audit results will be kept in
password-protected files on computers not connected to the Internet.

*Financial institutions are encouraged to obtain an opinion from their
compliance and legal staff on the ramifications and implied liabilities,
if any, of using the Safe2Bank logo.
**The time commitment should be no more than a few hours each quarter.

Safe2Bank Online Scorecard Beta Version 1.0

Table 2

Safe2Bank Online Scorecard

Source: Online Banking Report, 12/04

References: Security and Privacy Report, OBR 93/94

TowerGroup posts Realistic Estimate of Phishing Fraud Losses

Link: TowerGroup

The financial services analyst continues to weigh in on the estimated losses due to phishing and identity theft, with the latter becoming a catch-all for all financial fraud. Estimates from the FTC, Gartner, and Javelin have run into the billions.

Many media outlets have jumped on these estimates and made the incorrect leap that the losses were due solely to online fraud and phishing. Now, much more slowly the story is emerging that the actual online portion of these fraud losses is much smaller. Some even argue that online banking has reduced the total amount of fraud since consumers are able to pay closer attention to their accounts.

TowerGroup’s latest report on phishing losses pegs the 2004 loss at $140 million worldwide, or about $1 per online banking household. That’s still a big number, and one that seems a bit high in our view, but it’s far less than the billion-plus implied by Gartner earlier this year. It’s also much less than the $500 million figure (for US only) recently released by the Ponemon Institute in a study commissioned by NACHA and Truste.

So is the online channel a help or detriment to the age-old battle against crime? From a monetary perspective, we believe it’s been a net loss so far. As Tower pointed out, it’s not just the actual losses: financial institutions spend far more in prevention and detection than they lose to the crooks.

But long-term, we are absolutely convinced it will be a much safer environment for banking compared to the paper-intensive processes it replaces.

— JB, jim@netbanker.com

Easy Anti-Phishing Defense for Banks

[Anti-phishing chart: image not reproduced]

With phishing reaching epidemic proportions (see chart), you need to look for ways to reinforce the authenticity of your website. Few banks have adopted one of the simplest trust-building tools: greeting customers by name. This is simple to do through site registration and cookies. Online retailers have been doing this for years; it's time banks jumped on the bandwagon. Once registered, users accessing your website, whether through an email link or via direct surfing, will know they've come to the right place.

For more information on anti-phishing defenses, read OBR 102, No Phishing: Enlisting users in your battle against fake emails

ComputerWorld Op-Ed on Phishing

Phishy e-mails and Web sites: What’s your responsibility? – Computerworld

Larry Ponemon, founder of the Ponemon Institute and new IT ethics columnist for ComputerWorld, writes about phishing this week.

His account is unusual in its detail. His company surveyed 411 customers of a major retail bank who claimed to have clicked on a phishing email in May 2004 and who contacted the bank’s customer service department seeking help. Of the sample, 65 (16%) provided account details in the scam. Of those, 5 (8% of 65) reported account losses totaling $50,000. Doing the math, that means a little more than 1% of those clicking on the fake email lost money, averaging $10,000 per loss, or $120 per customer who clicked. Pretty good money for the crooks if you don’t get caught.

More interesting is that 310 (75%) felt that the bank’s service reps were unprepared to deal with the problem. Nearly 60% of the total sample, a whopping 243 customers, said they would close their accounts at the bank. Even if just a quarter followed through, that’s 61 lost customers (15% of 411). Assuming each customer represents a NPV of $1000 to the bank, that’s another $60,000 in losses, bringing the total to more than $100,000.

Dr. Ponemon closes with five ideas for fixing the problem.

If you have been trying to convince senior management to approve funding of additional security measures, by all means forward this article to them.

Widespread Misuse of Gartner Online Banking Fraud Estimates

By now you’ve probably seen the MSNBC report by Bob Sullivan entitled, Survey: 2 million bank accounts robbed, followed by the subhead, Criminals taking advantage of online banking, Gartner says. The MSNBC article seems to say that 2 million U.S. consumers lost money from their checking accounts due to online banking.
In fact, here is what Gartner actually says in its report:

“Illegal access to checking accounts is the fastest-growing type of consumer fraud, and may
be proliferating through online channels.” (italics are mine)

The report goes on to say that most consumers do not know how the theft occurred: only 17% believed that their info was stolen off the Internet, another 10% reported their wallet was stolen, and only 5% recall giving up personal info to phishers.
Gartner also says that 70% of the online consumers reporting losses also report that they banked or paid bills online, “which exposes their (codes) to the Internet.” However, what they don’t say is that close to 70% of ALL online consumers are banking or paying bills online, so it doesn’t look like there is a strong correlation between the two.
Finally, let’s not neglect the sample size. It looks staggering in the headlines to say that 2 million people were robbed. But my back-of-the-envelope calculations show that the multi-million number was extrapolated from fewer than 75 respondents reporting a recent unauthorized checking account withdrawal (from Gartner’s survey of 5000 online adults). I’ll let the market research experts debate the exact reliability of Gartner’s extrapolation, but one should be wary.
As bad as the MSNBC article looks for the online banking industry, the NBC Nightly News with Tom Brokaw got even more carried away. They took an even bigger number, 4.5 million, which Gartner said is the number of people who have ever had an unauthorized checking account withdrawal, and mistakenly said that all those people were robbed via online banking. Here is the exact synopsis of the TV feature from the MSNBC website:

“An estimated 4.5 million Americans have had money stolen from their Internet bank accounts.
NBC’s Bob Hager reports.”

This is a great example of a respectable piece of research taken out of context, which then begins to have a life of its own as other news media echo the original piece. Hopefully, someone will dig a little deeper and set the record straight. Since I was quoted in the original Sullivan story, before I had seen the actual Gartner research, I will be contacting him to urge a follow-up.
Just to show that not everyone takes the 2 million number at face value, a story posted today at NBC affiliate WEEK-TV quotes Peoples Bank (Bloomington/Normal, IL) CEO, Ed Vogelsinger as saying that despite having 20% of their base using online banking, so far no one has reported any Internet banking fraud. Way to go Ed.
We urge our readers to take appropriate steps through their PR channels to set the record straight. At a minimum be prepared to rebut the MSNBC numbers if approached by the media. Feel free to send any reporter our way.
Contact: Jim Bruene, Editor, Online Banking Report, at 206-517-5021 or email jim@onlinebankingreport.com.
Reference: “Banks Must Act Urgently to Stop Account Hijackers,” by Avivah Litan, Gartner

Phishers Target the Royal Bank

Phishers struck another blow to the banking system when they demonstrated that they no longer need to rely on random blanket emailing blasts. Case in point: within 24 hours of a real systems glitch at Royal Bank, the email thieves sent a massive fraudulent email playing off the legitimate systems outage.
One can only hope that this particular theft didn’t enrich the thieves. Otherwise you have a situation where there is an incentive for a thief to create havoc with a bank’s systems and then cash in through a well-timed phishing fraud.
Read more on the prevention of phishing at Online Banking Report (subscription required).

Anti-Phishing Tools from eBay and Earthlink

Every Internet threat begets an equal opportunity. In the case of phishing, we’ve seen the toolbar creators fight back with buttons that identify safe and not-so-safe websites. eBay and Earthlink both fight phishing via their toolbars. Google and Yahoo’s toolbars block popups and Yahoo has a beta version attacking spyware.

The latest entrant is SpoofStick from CoreStreet. The Internet Explorer plug-in displays the underlying URL in bold letters below the regular browser toolbars. For example, users at a legitimate Citibank site would see, "You’re on Citibank.com." Users who’ve clicked through a phishing message will see something like, "You are at 12.13.92.3.com" which will hopefully prevent users from entering confidential banking information.

Financial institutions should consider making the generic SpoofStick available for downloading from their security areas, or, even better, privately brand a version that shows the financial institution’s own URL in a unique color.

Keylogging Viruses and Banking

Before there was phishing there was keylogging. Remember the controversy in South Africa a year ago? Turns out keylogging may be harder to contain than phishing. An article in today’s Wall Street Journal discusses the case of Robotector, who unleashed a virus that captured usernames and passwords when victims logged in to any of 30 major banking and payment sites.

What’s a bank to do? There are lots of ways to fight the cyberthieves, but the most important one is to add an additional layer of authentication for moving money out of the bank. We’ve been recommending this for nearly 10 years, but it’s been a low priority due to the relatively low levels of losses experienced online. Well, the times have changed, and it’s time to make authentication a top priority for 2005, or earlier if you can work it into the budget. In the meantime, keep educating users and crossing your fingers.

See Online Banking Report for more details on fighting phishing and other security problems.