How the banks are protecting you online

Published Aug 23, 2003


Following the incidents of online fraud experienced by Absa clients last month, the big four banks were at pains to point out that there had been no breach of security on their systems, but that customers needed to be more vigilant when transacting over the internet. We find out what safety measures the big banks had in place before the fraud incidents, what improvements they have made since and what they recommend you should do to protect your online bank account.

Consumers who have become accustomed to doing their banking over the internet got a wake-up call in July when it came to light that three Absa internet banking clients lost almost R500 000 due to electronic fraud.

The losses were suffered in the accountholders' own homes. The fraudsters "stole" information from the personal computers of these accountholders using programs called spyware, which can gather information on your computer, such as your internet banking logon details, by clandestinely monitoring your keystrokes.

The fraudsters then use the information to log into the bank's system using the accountholder's user name and password.

The incidents highlighted the need for online banking customers to be vigilant about the security of their own personal computers.

However, since then banks have implemented additional security measures and have made software available to consumers to assist them in protecting their computers.

Ensuring internet banking security requires that banks remain one step ahead of fraudsters.

Here is a list of measures the big banks have implemented since the Absa fraud incidents.

Standard Bank

Jaco Maree, the chief executive of Standard Bank, says security in the financial environment has to be a partnership between a bank and its customers.

The bank has decided to assist its customers in ensuring that their personal computers are protected by providing world-class firewall and anti-virus software free of charge.

The cost of the software will be borne by Standard Bank for one year. After that you will be responsible for maintenance of the software, but Standard Bank has undertaken to negotiate bulk prices for customers.

However, Johan Roets, the director of direct distribution at Standard Bank, says the firewall and anti-virus software may not in all cases protect you against other people gaining access to your personal identification numbers (PINs) via spyware (which records your keystrokes while you are connected to the internet), so Standard Bank has also introduced a calculator-type PIN pad for its online customers. The PIN pad pops up when you log on to the bank's website and allows you to use your computer mouse to input your PIN and not the keys on your keyboard.

You are also urged to make use of a reputable internet service provider that uses effective anti-virus software, Roets says.

Security measures that Standard Bank has had in place since before July include:

- A double lock password system introduced in 2001. In addition to your usual customer-selected PIN (which is different from your ATM PIN) you have to choose an additional password to log on to do internet banking;

- Monthly electronic account payment limits which you set yourself and which control the amount of money that can be transferred out of your account in a month; and

- Email confirmation of beneficiary and profile changes was introduced last year. No new beneficiaries can be created on your account or any new information added without an automatic email being sent to you by the bank informing you of the changes. You cannot add beneficiaries over the telephone but must do so online or at a branch (in which case you must provide proof of your identity).

First National Bank

Roland le Sueur, the head of FNB internet banking, says the security of internet banking is a two-way relationship. With any channel, such as cheque or ATM - in fact whenever money is involved - there are certain risks. But these risks can be successfully overcome if the bank and the customer work together.

FNB makes sure that the banking system is safe and offers its customers a number of guides and security measures. In order to make sure that your computer is secure, you need to use these security measures and apply the available security tips.

Le Sueur says FNB's internet banking systems, which use the latest security measures, are extremely secure. The security measures include multi-layered firewalls, 128-bit encryption and a team of technology experts who constantly monitor the banking website, eBucks, and keep up to date on new initiatives and possible security risks. However, Le Sueur says, many of the new risks to the security of internet transactions occur on the side of the customer, so it is important to help protect customers by educating them on security matters.

Since July this year, FNB has added additional functionality to its inContact service, a free SMS and/or email notification service. Previously you were notified when money was deducted from or paid into your account. Now online bank clients who subscribe to the inContact service are also notified every time their internet banking account is logged onto. So you will know if there has been any unauthorised access to your account and you can inform the bank, which will take action immediately.

FNB is the first South African bank to offer insurance against online banking fraud. This is a free new benefit - introduced since July - which means that FNB will refund online banking customers should they suffer losses due to the unlikely event that fraud is committed via its online banking site, www.eBucks.com.

FNB will investigate all reported cases of online banking fraud and will reimburse you, provided that you have registered for the inContact service and taken adequate precautions with your personal computer and access details, and have followed the safety measures listed on the bank's website. The bank will only reimburse the money lost from your account plus charges and interest, and not indirect losses, such as the cost of taking out a loan to cover your shortfall in cash.

Prior to July, FNB had a number of security tips permanently available on its website advising customers on how to transact securely on the internet and regular reminders in its electronic monthly newsletter. The bank has also run a nationwide educational campaign on online security.

Nedbank

Loraine von Hoesslin, the head of digital business at Nedbank, says the bank's cellphone-based SMS feature, which Nedbank has had in place for about 12 months, has made it practically impossible for fraudsters using keylogging software or spyware to steal funds from its clients' accounts.

She says Nedbank will nevertheless continue to monitor developments in the online environment for new risks and will introduce additional security measures if necessary.

Prior to July, Nedbank's internet banking service, NetBank, had a system in place to provide authentication for higher-risk transactions, such as transfers of large sums and the addition of new beneficiaries.

When you try to add a new beneficiary, for instance, the NetBank system sends a random reference number to your cellphone by means of SMS. You must input this number into your computer to complete a transaction, such as making a payment. In order to activate the service you have to register your cellphone number at the bank and provide proof of your identity, Von Hoesslin says.
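The SMS reference-number check described above can be sketched as follows. This is an added example, not Nedbank's code: the function names, the five-minute validity window, the three-attempt limit and the binding of the number to one specific transaction are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

TTL_SECONDS = 300   # assumed validity window for a reference number
MAX_ATTEMPTS = 3    # assumed number of tries before the challenge is burned

_pending = {}       # user -> challenge record (in-memory store for the demo)

def _digest(code, action):
    # Bind the number to the exact transaction so it cannot confirm another one.
    return hashlib.sha256(f"{code}|{action}".encode()).hexdigest()

def issue_challenge(user, action, now):
    """Create a random reference number for `action`; the bank would SMS it."""
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[user] = {"digest": _digest(code, action),
                      "expires": now + TTL_SECONDS,
                      "attempts": MAX_ATTEMPTS}
    return code  # returned only so the demo can play the role of the phone

def confirm(user, action, code, now):
    """True only for the right number, for the right transaction, in time, once."""
    rec = _pending.get(user)
    if rec is None:
        return False
    if now > rec["expires"]:
        _pending.pop(user, None)
        return False
    rec["attempts"] -= 1
    ok = hmac.compare_digest(rec["digest"], _digest(code, action))
    if ok or rec["attempts"] == 0:
        _pending.pop(user, None)  # single use; discard after the final failure
    return ok

def demo():
    act = "add_beneficiary:acct=0000000000"  # constructed sample transaction
    results = {}
    code = issue_challenge("alice", act, now=0)
    results["wrong_txn"] = confirm("alice", "add_beneficiary:acct=9999999999", code, now=10)
    results["legit"] = confirm("alice", act, code, now=20)
    results["replay"] = confirm("alice", act, code, now=30)
    late = issue_challenge("alice", act, now=100)
    results["expired"] = confirm("alice", act, late, now=100 + TTL_SECONDS + 1)
    return results

if __name__ == "__main__":
    print(demo())
```

Because the number is typed on the computer, spyware can still record it; what limits the damage in this sketch is that a recorded number is already used up and only ever matched one transaction.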

Other measures that are in place include:

- The use of three passwords - identity number, PIN and password - rather than the usual two;

- A complex password which requires letters and digits;

- The use of a unique identity number not derived from your bank account number;

- 128-bit encryption and automatic log-off from internet banking after a period of inactivity;

- Branch controls when opening an internet banking account, such as producing your identity document;

- Computer server safety such as firewalls and regular checks;

- A lock out after three incorrect PIN, password and/or identity number attempts; and

- A daily transaction limit.

Von Hoesslin says the bank's security did not necessitate the introduction of a whole range of additional measures, which invariably add to client inconvenience and concern without materially improving security.

Absa

Angela Bruwer, Absa's general manager of group communications and public affairs, says Absa was the only bank to take the initiative to conduct audits on clients' personal computers when it detected unusual activity on their accounts. That is how Absa discovered the first three cases of identity theft using spyware in this country, she says.

Security measures that were already in place at the bank prior to July were:

- Advanced encryption software. Absa uses the most advanced internationally accepted standards of encryption technology. At present this means 128-bit encryption built into the client's browser, which is why you require the latest available browser, she says. In terms of security, it is always in your best interests to update your browser to the latest released version and keep up to date with patches released by the software manufacturer to detect bugs;

- Access number and password. You can only use Absa's service if you have registered as a user and chosen an access account number and your own PIN;

- Security violation. You have three opportunities to enter your PIN correctly. After the third unsuccessful attempt, you will be denied access to the service. You will then be required to visit a branch, identify yourself and have your PIN reset;

- Time-out. If you have logged on and have not used the service for three minutes, you will be logged off. To access your accounts again you will need to log on again; and

- Account limits. You can choose daily as well as monthly limits on the amounts that can be transferred out of your account.

Clients have been warned to take these safety precautions and extensive security information has been made available to customers.

As soon as the cyberfraud incidents were detected, Absa warned its 450 000 internet banking clients and provided clients with safety tips to prevent them from becoming victims.

The following additional measures have been implemented by the bank since the cyberfraud incidents:

- On July 29 an on-screen keypad was placed on the Absa website. You can now sign on to internet banking using a mouse instead of typing your PIN numbers on a keyboard. This feature minimises the risk of account numbers and PINs being intercepted by keystroke logging software; and

- Since August 2 clients have been encouraged to obtain a secure, comprehensive anti-virus software package and personal firewall at no cost from Absa's website or any Absa branch countrywide.

Absa will continue to explore the latest in cutting-edge technologies and provide additional precautions. Upcoming features that will be available to customers in the short term include the following:

- As a client, you will shortly be able to opt for an SMS notification system that will notify you when a new beneficiary has been added or a transaction conducted on your internet banking account; and

- By the end of the month a dual password will be introduced for all internet banking clients, which will also help to prevent fraud.
