Archives for: July 2008

14/07/08

Permalink 01:07:13 am, by Igor Drokov, in Security thoughts, Online payments, Internet banking  

Can you imagine an ATM running Windows XP Home Edition and being connected to the Internet or a Point of Sale terminal running Tetris? – Unlikely! Why then is allowing a customer to use any computer on the Internet to connect to the banking system, and transfer much more money than you can take out of a cash machine, a good idea? Why did arguably the most conservative organisations in the world – the banks – agree to lower their defenses so low that they practically invited the criminals in?

The answer is simple – the same reasons why even risk-averse investors were chasing after every Internet company in the late 90s – the attractiveness of the global scale and reduced costs of e-channels.

Over the years, payments and savings have always been a subject of the most advanced protection:

  • Banknotes have watermarks and other security features to resist counterfeiting
  • Cheques require the account holder's signature
  • ATMs require both your card and your PIN, run secure software, and are physically tamper-resistant
  • Point of Sale terminals in your favourite supermarket are protected from tampering and use dedicated secure connections to the payment processing network

These are all very sensible measures that work (to one degree or another) to protect customers' and banks' money.

Today, however, there is a huge imbalance between the value of electronically accessible funds and their security. This is being very effectively exploited by criminals and the banks are looking for a solution. Personal computers are not tamper proof sales terminals, therefore it is unfeasible to rely on the customer to keep them 100% secure. No one can take away online banking but banks can deploy new security measures, and solving this problem requires a new innovative approach that can equally address security, ease of use, and cost.

At Cronto, we identified this imbalance years ago. We also correctly predicted that the only solution to address this problem is transaction authentication (where the customer confirms each banking instruction). We then developed an innovative visual transaction signing solution. Based on our unique Visual Cryptogram, the Cronto solution supports multiple end user options allowing the bank to choose what is right for their customers whilst maintaining consistency in their backend systems.

07/07/08

One of the frequently proposed ideas for reducing bank fraud is to train customers to identify and ignore phishing emails. The problem with this approach is that the criminals sending such emails quickly adapt to circumvent the advice given to customers, as can be seen in this quiz.

Even worse is that the emails sent by banks often resemble phishing attempts, and sometimes directly violate the advice given to customers. With this “do as I say, not as I do” approach, it is no surprise that customers regularly fall for the scams. In fact, sometimes a legitimate email look so fake that the bank's own security staff think it's a phish.

And it's not just banks which are slipping up. I received an email from Paypal, asking users to “click here and enter your password” despite the warning on the same page: “PayPal will never ask you to enter your password in an email”. What can customers be reasonably expected to do, given this type of training? I simply closed my account.

Email is a valuable sales channel for banks, and marketing teams evidently have not being willing to sacrifice it, despite the (justified) concerns of the security departments. This fact, coupled with the weak authentication schemes currently deployed, makes life for fraudsters easy. Paypal have tried one alternative approach – a two-factor token – but these are still vulnerable to attack. Strong security solutions, accepted both by customers and marketing, are needed to mitigate the large damages from fraud we see today.