I was interviewed by Louisa Bojesen on CNBC (aka “the fastest growing pan-European TV channel, with daily viewers up 37% to 703,000 according to the latest European Media and Marketing Survey”) today, the subject being Internet banking in general and the security of same in particular. I was there to focus on security, a guy from Forrester in the Netherlands was there to focus on the general. He made a very good point, I thought. If customers aren’t going into branches, banks find it hard to cross-sell to them. I agree. Banking is, essentially, boring so once you’ve paid the credit card bill and cancelled a direct debit to British Gas, then you immediately click your way to somewhere more fun.
So far as security is concerned, things are changing for the better in Europe. Phishing is still a big problem, however, and it has economics on its side. If the fraudsters send out 10 million e-mails, and 1 in 100 of the hapless recipients is a (for example) Citibank customer, and 1 in 1,000 of those is fooled by the e-mail, that means that the fraudster could gain access to a hundred Citibank accounts. And they do. In the UK, Lloyds TSB, NatWest and Barclays have all admitted that customer accounts have been accessed and that money has been stolen, but none of them would give a figure. Last year Apacs said 2000 UK account holders had so far been duped by cybercriminals into revealing confidential bank details, losing some £4.5 million from their accounts in the process. The problem has already spread beyond the main US and UK institutions: two customers of the German Postbank lost more than €20K in the first German-language phishing attack (the first attempts at phishing in Germany were in English).
The money stolen isn’t the only cost to the banks. In addition to making good that money, banks have to pay to repair the damage: changing names and passwords, re-issuing cards, reassuring customers and so on. This has already cost tens of millions of pounds in the UK and, according to research company Gartner, more than a billion dollars in the US.
It’s a no-brainer for the bad guys. When the police in Taiwan arrested a member of an organised phishing gang (who had been targeting five local banks with a “Trojan horse” attack) they found 45 million e-mail addresses and 200,000 passwords. Assuming they were average fraudsters, this means a password harvest of around half a percent is a good figure to work on. It isn’t only about passwords, of course. According to The Nilson Report, a list of 200 million e-mail addresses can be purchased for €20 or so, and of the fraction of those 200 million who are actually customers of the “target” institution, around 7% give up data of sufficient value to be used or sold on. No wonder it is a boom business.
The problem can’t be solved in software, where everything can be copied. To really tackle it, the industry needs to use some piece of tamper-resistant hardware in conjunction with a PIN or a password. That is, the industry needs two-factor authentication. In Europe, a mass-market tamper-resistant device means a smart card, and there are two obvious candidates for the smart card to support two-factor authentication. These are the smart card given to you by your bank (i.e., your chip and PIN card) or the smart card given to you by your mobile operator (i.e., your SIM). So what do you think: “neither”, “either” or “both”?
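An added illustration (not code from the original post, and not any bank’s real protocol) of why a PIN-unlocked tamper-resistant device defeats the copy-and-replay that makes phished passwords so cheap to exploit: the simulated card holds a key that never leaves it, the bank sends a fresh nonce per login, and a captured PIN plus an observed response is useless on the next attempt. The HMAC-based challenge-response, the three-strikes PIN lockout and the sample account are all assumptions for the example.

```python
import hashlib
import hmac
import os


class TamperResistantToken:
    """Simulated chip card / SIM: the key never leaves the device and the PIN
    only unlocks its ability to answer a challenge (constructed example)."""

    def __init__(self, key: bytes, pin: str):
        self._key, self._pin, self._failed = key, pin, 0

    def respond(self, pin: str, challenge: bytes):
        if self._failed >= 3:  # card blocks itself after three bad PINs
            return None
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._failed += 1
            return None
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class BankServer:
    def __init__(self):
        self._keys, self._pending = {}, {}

    def enrol(self, account: str, key: bytes):
        self._keys[account] = key

    def challenge(self, account: str) -> bytes:
        nonce = os.urandom(16)  # fresh per login attempt
        self._pending[account] = nonce
        return nonce

    def verify(self, account: str, response) -> bool:
        nonce = self._pending.pop(account, None)  # single use
        if nonce is None or response is None:
            return False
        expected = hmac.new(self._keys[account], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def static_password_login(stored: str, supplied: str) -> bool:
    """Software-only factor: what the phisher captured is exactly what the
    bank checks, so a replay of the captured value succeeds."""
    return hmac.compare_digest(stored.encode(), supplied.encode())


def run_scenario():
    """Returns (genuine login ok, replay of captured PIN+response ok)."""
    key, pin, acct = os.urandom(32), "1234", "acct-001"  # constructed sample
    bank, card = BankServer(), TamperResistantToken(key, pin)
    bank.enrol(acct, key)
    nonce = bank.challenge(acct)
    captured = card.respond(pin, nonce)  # everything a phisher could observe
    genuine_ok = bank.verify(acct, captured)
    bank.challenge(acct)  # new nonce: the old response no longer matches
    replay_ok = bank.verify(acct, captured)
    return genuine_ok, replay_ok
```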
The phishers seem to be especially busy at present – I’m getting about 4 or 5 messages a day, all “earnestly” entreating me to click on dodgy links.
I’m not entirely sure I agree with the Forrester chappy – Egg seems to do a reasonable job of cross promoting its products on its website – I see guinea pigs before I log in and as soon as I log out. I wouldn’t be overly bothered if I saw guinea pigs mid transaction (foreign readers are going to have no idea what I’m on about). Surely it’s all about getting online advertising right and I personally find that less irritating than having some spotty youth in the branch trying to force insurance or whatever on me.
Someone else comment – please…
I’ve just lost a week of my life backing up and rebuilding my home PC after I discovered a keyboard logger. Actually, I never found it but saw the trail of evidence yeti-like in the e-snow.
I’m spitting.
In four years using said PC/XP installation I found only a few harmless bits of adware. I thought I was a security-savvy Internet banker – I’m immune, if you’re sensible about email attachments, dodgy links, … Clearly, I’m not. How many others have it?
How it got there I don’t know, but fortunately it was obvious (cookies disappeared forcing me to re-enter account numbers, etc.). If I was doubting the usability of two-factor authentication, I no longer care. Just gimme.
In the meantime, banking is only boring until they have something I want. Like money (theirs or mine, I don’t care). The rest of the cross-selling I get from my phone/online bank is wasted, but there is plenty of it. If I do need an overdraft or loan, their email says that all I have to do is log in as usual … Hang on!