Online Banking, Transactions & Security – How Safe are We Really?




As online criminals and hackers develop ever more sophisticated Trojans, spyware, botnets and attack vectors, are the banks, online stores, social networking sites and others really doing enough to keep their customers safe and secure?


In today’s modern world, an 18-year-old teenager sitting in his bedroom in New Zealand can be the ringleader of an online criminal gang responsible for creating botnets, installing spyware on consumers’ PCs and skimming millions of dollars from bank account holders worldwide. That 18-year-old has been caught, the result of a global sting against growing numbers of online criminals and an explosion in online crime.

Are online stores, credit card companies and banks doing enough to ensure our online transactions are secure and our confidential details safe? What about the ever more popular social networking sites, where people are targeted by online criminals aiming to steal confidential details that those people may also use when accessing their bank accounts?

Online banking security is only part of the problem; we need to change the mindset of banks, business and consumers in general.

On a relatively regular basis, concerns about online security in general and online banking fraud hit the news. The latest is the aforementioned 18-year-old NZ teenager, but only a couple of weeks ago, the Queensland University of Technology (QUT) published a study on hackers being able to “infiltrate SMS banking passwords”.

Another article from asks “Is Bank of America lying to its customers?”

Online banking has had a massive boom worldwide, as consumers rapidly took up Internet connections for their computers. Millions of new online users meant that banks needed to upgrade their systems, which forced them to implement better security systems that look for fraud in real time, and to investigate technologies such as two-factor authentication.

Yet in most cases banks have actually rolled out this extra level of security to only a small percentage of their overall customer base, due to the inconvenience to customers and the added cost to banks.

Two-factor authentication is achieved either by using keychain-sized number generators synchronised with the bank’s systems, containing an ever-changing code that must be entered along with your username and password, or by sending an SMS message to your phone containing a code that must be entered into your online banking login before you can proceed to your online accounts.

Unfortunately, if your computer has already been compromised by crimeware, then the extra security provided via your phone SMS token or keychain token is now irrelevant. In a world of crimeware that includes Trojans, spyware and botnets lurking unsuspected on consumers’ computers worldwide, becoming ever more sophisticated, what are the banks really doing about it? After all, it’s obvious that the weakness lies in the consumer’s PC, which is still clearly being compromised, not in the bank’s heavily fortified back end!

So, what do banks and online stores do today when it comes to security, and what should be done instead? As it currently stands, banks and most online stores today only protect the account holder or the customer up to the front door of their computer. In addition, banks have specifically enticed customers to utilise online banking and access their online accounts anywhere they may be in the world at virtually anytime. Naturally, this has driven efficiencies and profit gains for all banking organisations.


However, banks should be looking at how they can protect the customer’s confidential details even if the criminal has already accessed the computer, as is the case for millions of customers unwittingly infected by malware and made part of a botnet.

The US was one of the first countries to recognise that the banking industry is only going to start taking online security seriously when put under pressure by government, and even then only once the US Government released the FFIEC banking guidelines, which meant banks needed to provide more than one factor for ‘authenticating customers’.

US banks were given a deadline of December 2006 to increase the security of their Internet banking sites. However, as can be expected in a world of ever changing security issues and challenges, alongside the ever growing bottom line cost of security, US and global banks have failed to adequately address the issues and have mainly done as little as they had to in order to satisfy the heightened security requirements.

As an example, virtually no major US bank has issued hardware tokens or implemented SMS security for their customers, with noted security journalist Brian Krebs of The Washington Post discussing this in great detail in his blog.

The banking industry has gone through virtually all the different types of security issues around today, starting from simple phishing attacks (which are still successful, believe it or not!), internal fraud, cross-site scripting vulnerabilities, denial-of-service attacks, very targeted malware, big-scale malware (such as MPack and Torpig) and even sophisticated attacks against hardware two-factor authentication.

Banks have done only as much as they had to, to protect their pristine and ‘safe as money in the bank’ image. Joining the long list is now a study from the Queensland University of Technology (QUT), linked above, that stated that “Using SMS passwords won’t protect people from internet banking fraud”, and that 61% of the users were successfully duped in a stealthy attack performed during the study.

Had this study been done with a computer-illiterate group, the figure would more likely be 99%. For any bank using SMS authentication or thinking of rolling it out soon, this latest study is bad news indeed.

But is this latest attack on banking security really news?

Not if you’ve been listening to what the security experts, such as Professor Bill Caelli from Australia’s QUT, Graham Ingram, the General Manager of AusCERT or Andreas Baumhof from TrustDefender have been saying.

To start with, it’s foolish to believe that one particular technology will solve all problems. So, what is the solution?


Believing one technology can solve all problems is like believing in a silver bullet solution – and in the real world where things are constantly changing, especially when it comes to security, a different approach is required.


What is needed is a multi-layered approach to provide security measures at all different levels. Banks have an obligation to protect your money and should therefore provide a protection on all fronts. But what does this mean and is your bank doing enough?

Every Internet banking session runs between the bank’s backend system (1) and the user’s computer (2), over a public Internet link (3). Perhaps banks should start protecting these key components, and while they are at it, should provide security and reliability measures in the following adjacent areas: the backend systems, transaction monitoring, encryption, identity/authentication, the network, consumers’ computers, and user education.

An effective security solution has security components for all these different parts of the system. If a bank misses just one part, the whole security chain can be compromised, just like a chain will collapse if even only one link breaks.

Now don’t get me wrong - banks worldwide are doing something – they’re just not doing enough from my point of view.

Most banks provide an adequate protection for their backend systems by using firewalls, and other technologies. Some banks (but far from all!) are using transaction monitoring (e.g. ANZ in Australia use their Falcon System, while CBA, also in Australia, use a system called Hawkeye). While everybody uses encryption, Identity Protection Programs in use by different banks vary heavily.
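Transaction monitoring is the one layer in that list that still works when the customer’s PC is already owned, because it judges what the session is doing rather than who logged in. The following is an added, simplified example (not the article’s code, and not Falcon or Hawkeye, whose rules are not public) of the kind of real-time check such a system performs: each transfer is scored against the account’s profile and its recent activity, and anything over a threshold is held for review. The accounts, payees, amounts and the scoring weights are all constructed for this illustration.

```python
"""Rule-based transaction monitoring, constructed example.  Scores each
transfer against the account's profile and recent history; high scores are
held for review rather than executed.  Weights and threshold are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class Transfer:
    account: str
    payee: str
    amount: float
    when: datetime
    country: str  # country the online banking session came from


@dataclass
class Profile:
    home_country: str
    known_payees: Set[str]
    typical_amount: float  # e.g. rolling median of the account's past transfers


HOLD_THRESHOLD = 50  # assumption: score at or above this is held for review


def score_transfer(t: Transfer, profile: Profile,
                   recent: List[Transfer]) -> Tuple[int, List[str]]:
    """Return (score, reasons).  `recent` holds the account's earlier transfers."""
    score, reasons = 0, []
    if t.payee not in profile.known_payees:
        score += 30
        reasons.append("new payee")
    if t.amount > 5 * profile.typical_amount:
        score += 40
        reasons.append("amount far above typical")
    if t.country != profile.home_country:
        score += 30
        reasons.append("session from foreign country")
    burst = [r for r in recent if t.when - r.when <= timedelta(minutes=10)]
    if len(burst) >= 2:
        score += 20
        reasons.append("rapid succession of transfers")
    return score, reasons


def monitor(transfers: List[Transfer], profiles: Dict[str, Profile]):
    """Process transfers in time order; return (payee, amount, decision, reasons)
    for each.  Held transfers still count as history for the burst rule."""
    history: Dict[str, List[Transfer]] = {}
    decisions = []
    for t in sorted(transfers, key=lambda x: x.when):
        recent = history.setdefault(t.account, [])
        score, reasons = score_transfer(t, profiles[t.account], recent)
        decision = "hold" if score >= HOLD_THRESHOLD else "allow"
        decisions.append((t.payee, t.amount, decision, reasons))
        recent.append(t)
    return decisions


# Constructed sample: a normal rent payment, then two transfers that look like a
# hijacked session draining the account, then a normal bill later in the day.
PROFILES = {"acct-1": Profile("AU", {"rent", "electricity"}, typical_amount=400.0)}
DAY = datetime(2007, 10, 18)
SAMPLE = [
    Transfer("acct-1", "rent", 400.0, DAY.replace(hour=9, minute=0), "AU"),
    Transfer("acct-1", "mule-1", 2500.0, DAY.replace(hour=9, minute=2), "RO"),
    Transfer("acct-1", "mule-2", 300.0, DAY.replace(hour=9, minute=3), "RO"),
    Transfer("acct-1", "electricity", 150.0, DAY.replace(hour=14, minute=0), "AU"),
]


def run_demo():
    return monitor(SAMPLE, PROFILES)


if __name__ == "__main__":
    for payee, amount, decision, reasons in run_demo():
        print(f"{payee:<12} {amount:>8.2f}  {decision:<5} {', '.join(reasons)}")
```

The point of the design is that the second and third transfers are held on the strength of the session and the money flow alone; the login, and any one-time code that came with it, looked perfectly valid.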

But what about the network itself? Virtually no bank is protecting the network, as most just use the public Internet to connect their customers to the banking IT infrastructure.

Last but not least nothing is done by the banks for the consumer’s computer, where rootkits, spyware, Trojans and botnets reside, opening up a massive security hole that online criminals are learning to exploit faster than security experts can plug the holes and issue patches. 

Given the gaps, security can collapse like a house of cards – and if you believe the well-documented reports from various security researchers around the world, this is where hackers are going to break into the banks and all existing security measures will fail.

Don’t believe me? Try googling for torpig, sinoval, anserine, mpack, gozi, 76service and storm worm, just to name a few, and see what you find. You may find yourself shocked!

So, what’s the banking industry’s typical response? We usually hear that online fraud is relatively small compared to other types of fraud. While this is relatively easy to say if you hide the real figures very carefully, the truth is that online fraud is exploding.

So, what can we do about it?


This is a good question and it seems clear that banks will only do something if they are forced to do so by legislation like the FFIEC guidelines in the US. Hey, APRA and ASIC in Australia – and banking and regulatory authorities worldwide - where are you?


Another surefire way to get attention is for customers to scream loudly and get some much-needed attention. As another noted security journalist, Bruce Schneier, recently wrote in his blog post “Future of Malware” (scroll down to 18 Oct 2007):

“And yet banks push online banking to customers with one hand while the other hand pushes problems like Gozi away, into acceptable loss budgets and insurance -- transferred risk. As long as consumers don't raise a fuss, and thus far they haven't in any meaningful way, the banks have little to fear from their strategies. But perhaps the only reason consumers don't raise a fuss is because the banks have both overstated the safety and security of online banking and downplayed negative events around it, like the existence of Gozi and service”.

Pretty damning stuff. What else can we add? Perhaps only by making banks take far greater responsibility for their customers and the ENTIRE online chain, from a consumer’s computer through to the bank’s central computers, can banks truly take control of their networks and truly keep their customers secure, instead of just paying lip service to security issues.

And if that doesn’t happen, remember – it’s your money. Want better online security from your bank? Let them know you want it. It seems to be the only way to get some real action on banking security. Don’t be soothed by words from banks and regulators that say all is ok. Global authorities might be catching teenagers in their bedrooms ripping off the banking system, but surely that’s just the tip of the iceberg.

Every act of fraud committed against banks and online stores ends up costing us all, with the fight against online crime only set to intensify.


Originally published at:  









