I was interviewed by Louisa Bojesen on CNBC (aka “the fastest growing pan-European TV channel, with daily viewers up 37% to 703,000 according to the latest European Media and Marketing Survey”) today, the subject being Internet banking in general and the security of same in particular. I was there to focus on security; a guy from Forrester in the Netherlands was there to focus on the general. He made a very good point, I thought. If customers aren’t going into branches, banks find it hard to cross-sell to them. I agree. Banking is, essentially, boring, so once you’ve paid the credit card bill and cancelled a direct debit to British Gas, you immediately click your way to somewhere more fun.
So far as security is concerned, things are changing for the better in Europe. Phishing is still a big problem, however, and it has economics on its side. If the fraudsters send out 10 million e-mails, and 1 in 100 of the hapless recipients is a (for example) Citibank customer, and 1 in 1000 of those is fooled by the e-mail, that means that the fraudster could gain access to a hundred Citibank accounts. And they do. In the UK, Lloyds TSB, NatWest and Barclays have all admitted that customer accounts have been accessed and that money has been stolen, but none of them would give a figure. Last year Apacs said 2000 UK account holders had so far been duped by cybercriminals into revealing confidential bank details, losing some £4.5 million from their accounts in the process. The problem has already spread beyond the main US and UK institutions: two customers of the German Postbank lost more than €20K in the first German-language phishing attack (the first attempts at phishing in Germany were in English).
The money stolen isn’t the only cost to the banks. In addition to making good that money, banks have to pay to repair the damage: changing names and passwords, re-issuing cards, reassuring customers and so on. This has already cost tens of millions of pounds in the UK and, according to research company Gartner, more than a billion dollars in the US.
It’s a no-brainer for the bad guys. When the police in Taiwan arrested a member of an organised phishing gang (who had been targeting five local banks with a “Trojan horse” attack) they found 45 million e-mail addresses and 200,000 passwords. Assuming they were average fraudsters, this means a password harvest of around half a percent is a good figure to work on. It isn’t only about passwords, of course. According to The Nilson Report, a list of 200 million e-mail addresses can be purchased for €20 or so, and, of that fraction of the 200 million who are actually customers of the “target” institution, around 7% give up data of sufficient value to be used or sold on. No wonder it’s a boom business.
The problem can’t be solved in software, where everything can be copied. To really tackle it, the industry needs to use some piece of tamper-resistant hardware in conjunction with a PIN or a password. That is, the industry needs two-factor authentication. In Europe, a mass-market tamper-resistant device means a smart card, and there are two obvious candidates for the smart card to support two-factor authentication. These are the smart card given to you by your bank (i.e., your chip-and-PIN card) or the smart card given to you by your mobile operator (i.e., your SIM). So what do you think: “neither”, “either” or “both”?