Virtual security

Published Feb 7, 2004


There is no simple solution to the problem of internet banking fraud and no guaranteed online security, but the banks are working hard at raising consumer awareness and protecting themselves and their customers.

Internet banking is the ultimate in convenience, but given the security risks of the worldwide web, the news that three online clients of Absa in the Cape had collectively lost about R500 000 to a hacker in July this year, should not have been a surprise. Three more incidents were soon reported by Absa clients in Pietermaritzburg, although the bank's media manager, Errol Naidoo, said at the time the bank regarded these as general fraud cases, not cyberfraud.

The other banks claim their security has not been breached, but don't be misled: if they thought there were no risks in internet banking, they would guarantee to repay you every cent ever lost from your account. But they don't, and it seems, according to evidence in the Absa case, that the account of a First National Bank (FNB) client may also have been raided.

While FNB does offer something it calls a guarantee on its online accounts, there are quite a few conditions attached. For instance, to qualify for the guarantee, you have to register for the bank's SMS and email notification service, which alerts you to every transaction going through your account. The bank undertakes to investigate all reported cases of online banking fraud and to reimburse you if it finds the case to be valid, provided that you take adequate precautions with your personal computer (PC) software and access details, and follow the safety measures listed on the bank's website.

However, cybersecurity specialist Mervin Pearce, the chief executive of Security Audit and Control Solutions, an information technology risk management company, says no system is foolproof.

As a so-called white-hat hacker, Pearce uses his skills to stay one step ahead of the criminal or malicious hackers, and claims that he has yet to find a computer system in South Africa that he can't get into. He has penetrated every system he has worked on in seven days or less - including those of some banks, he says.

The Absa thefts were a real wake-up call for everyone involved in internet banking. The incidents have served all online customers, except possibly those involved, by prompting the banks to implement additional security measures and make protective software available to their customers.

Since that scare, Standard Bank and Absa have started providing free anti-virus software and personal firewalls (which block outsiders from connecting to your computer) for all their internet banking customers. Both have also added calculator-style pinpads to their banking websites to protect your personal identification number (PIN) against spyware that steals information by recording your keystrokes. When you log on to the bank's website, the pinpad pops up and you enter your PIN with the mouse, so a keystroke logger has nothing to record.

Absa, like FNB, has introduced a service alerting you by SMS or email whenever your account is accessed, while Standard Bank does the same using email only.

However, Nedbank has not introduced any new security measures because it believes its accounts are already well protected. For instance, if you are a Nedbank client and you want to transfer money online or add a new beneficiary to your account, the system sends you a random number via SMS, which must be entered onscreen to complete the transaction or authenticate the instruction.

But all these measures are just smoke and mirrors designed to reassure bank customers, according to Pearce. He believes the Absa fraudster was an amateur.

Sophisticated hackers write programs that elude firewalls and anti-virus software, since both these security measures are effective only against known codes. Amateur hackers download these programs to gain illicit access to companies and commit fraud, he says.

The SMS and email notification services used by banks are not foolproof, Pearce says. Even Nedbank's random number authentication is not totally secure.

For instance, it is possible for a fraudster who knows your cellphone number, PIN and other passwords to convince a cellular service provider that he or she has lost "his" or "her" SIM card and needs a replacement. With the new card, the fraudster receives every SMS the bank sends you, and you will be none the wiser until it is too late.

But what about Secure Sockets Layer (SSL), the technology banks use to secure the connection to their websites? SSL encrypts the traffic between your browser and the bank with keys that the two sides negotiate afresh each time you sign on to an internet banking site, so that only you and your bank can read the information. Those keys are discarded when your session ends.

Pearce says SSL only protects data when it is in transit over the internet (between your computer and the bank's). It does not protect confidential information that can be obtained from your PC, or even the bank's system, using specialised hacking techniques, he says.

But Pearce does admit that one-time passwords such as those used by Nedbank, which are randomly generated and sent to you, for example, by SMS, are harder to crack because of their uniqueness. Dual or triple passwords and/or complex passwords made up of letters as well as digits are less secure because these can still be picked up by password loggers (which record your password) as you type or click them in.
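The reason a one-time SMS code is harder to abuse than a memorised password is that it is worthless after a single use and a short time, and, if the bank does it properly, worthless for any instruction other than the one it was issued for. The following is an added example, written for this page and not code from any of the banks named above, of how the bank's side of such a scheme can be built. The code length, the five-minute lifetime, the three-guess limit, the account and beneficiary strings, and the server HMAC key are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values (not from the article): 6-digit codes that live for
# 5 minutes and are discarded after 3 wrong guesses.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
OTP_MAX_ATTEMPTS = 3


class TransactionOtpStore:
    """Server-side store of SMS one-time codes bound to a specific instruction.

    The code comes from a CSPRNG, is stored only as an HMAC (a leaked table
    does not leak live codes), is tied to the exact transaction text, and is
    destroyed on first success, on expiry, or after too many wrong guesses.
    """

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock
        self._pending = {}  # account_id -> (mac, expires_at, attempts)

    def _mac(self, account_id: str, code: str, transaction: str) -> bytes:
        msg = f"{account_id}|{transaction}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, account_id: str, transaction: str) -> str:
        """Create a fresh code for this instruction and return it for the SMS."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[account_id] = (
            self._mac(account_id, code, transaction),
            self._clock() + OTP_TTL_SECONDS,
            0,
        )
        return code

    def verify(self, account_id: str, transaction: str, code: str) -> bool:
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        mac, expires_at, attempts = entry
        if self._clock() > expires_at:
            del self._pending[account_id]
            return False
        # The HMAC covers the transaction text, so a code issued for one
        # beneficiary and amount cannot authorise a different one.
        if hmac.compare_digest(mac, self._mac(account_id, code, transaction)):
            del self._pending[account_id]  # single use
            return True
        attempts += 1
        if attempts >= OTP_MAX_ATTEMPTS:
            del self._pending[account_id]  # stop someone guessing the digits
        else:
            self._pending[account_id] = (mac, expires_at, attempts)
        return False


def demo() -> dict:
    """Walk the cases the article raises, on a fake clock so it is deterministic."""
    now = [1_000_000.0]
    store = TransactionOtpStore(secrets.token_bytes(32), clock=lambda: now[0])
    tx = "pay R5000.00 to beneficiary 1234567890"   # constructed sample
    code = store.issue("acct-1", tx)
    out = {
        "wrong_transaction": store.verify("acct-1", "pay R5000.00 to beneficiary 9999999999", code),
        "correct": store.verify("acct-1", tx, code),
        "replay": store.verify("acct-1", tx, code),
    }
    code = store.issue("acct-1", tx)
    now[0] += OTP_TTL_SECONDS + 1
    out["expired"] = store.verify("acct-1", tx, code)
    code = store.issue("acct-1", tx)
    wrong = f"{(int(code) + 1) % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"
    for _ in range(OTP_MAX_ATTEMPTS):
        store.verify("acct-1", tx, wrong)
    out["after_guessing"] = store.verify("acct-1", tx, code)
    return out


if __name__ == "__main__":
    print(demo())
```

Note what this does and does not defend against. Binding the code to the instruction means a logger that captures the code on your PC cannot reuse it for a different beneficiary, and the short lifetime and single use make a captured code stale almost immediately. It does nothing against the SIM-swap attack described above, because the bank is still sending the code to whoever holds the phone number.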

Pearce says banks that give you pinpads for your protection are lulling you into a false sense of security. It is the easiest thing in the world, he says, to drop password loggers, pinpad loggers (which record what you enter on a pinpad) or Trojans (malicious programs disguised as something harmless) on to your computer.

And don't be lulled into thinking that any of the common security measures the banks put in place are a guarantee of security, he warns. These include:

- Controls that the banks put in place when you first open an internet banking account, such as the need to physically present your identity document at your branch;

- Automatic lock-out from your account after three incorrect attempts to enter your PIN, password and/or identity number;

- Automatic log-off from the bank's website after a predetermined period of inactivity; and

- Daily and/or monthly electronic transaction limits that control the amount of money that can be transferred out of your account over a period.
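The three mechanical controls in that list (lock-out after repeated wrong PINs, automatic log-off after inactivity, and a daily transfer limit) are simple to state but easy to get subtly wrong, for example by resetting the failure counter on a locked profile or by letting a single transfer that straddles the limit through. The following is an added example, written for this page and not any bank's actual code, showing how the three fit together on the server. The three-attempt figure comes from the article; the five-minute idle timeout, the R10 000 daily limit (held in cents), the PIN hashing parameters and the account names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Assumed policy values: the article gives "three attempts" but no figures for
# the idle period or the limit, so those two are illustrative.
MAX_FAILED_LOGINS = 3
IDLE_TIMEOUT_SECONDS = 300
DAILY_TRANSFER_LIMIT_CENTS = 1_000_000   # R10 000.00


@dataclass
class Profile:
    pin_hash: bytes
    salt: bytes
    failed_logins: int = 0
    locked: bool = False
    spent_today_cents: int = 0
    spent_day: int = -1          # day number the spent_today figure belongs to


@dataclass
class Session:
    account_id: str
    last_activity: float


class OnlineBank:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._profiles: dict[str, Profile] = {}
        self._sessions: dict[str, Session] = {}

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        # Slow, salted hash so a stolen profile table cannot be brute-forced
        # quickly; the iteration count is illustrative.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def register(self, account_id: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self._profiles[account_id] = Profile(self._hash_pin(pin, salt), salt)

    def login(self, account_id: str, pin: str) -> Optional[str]:
        """Return a session token, or None. Wrong PINs count towards lock-out;
        a locked profile rejects even the correct PIN until the bank unlocks it."""
        p = self._profiles.get(account_id)
        if p is None or p.locked:
            return None
        if not hmac.compare_digest(p.pin_hash, self._hash_pin(pin, p.salt)):
            p.failed_logins += 1
            if p.failed_logins >= MAX_FAILED_LOGINS:
                p.locked = True
            return None
        p.failed_logins = 0
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(account_id, self._clock())
        return token

    def _touch(self, token: str) -> Optional[Session]:
        """Fetch the session, expiring it if it has been idle too long."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_activity > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]   # automatic log-off
            return None
        s.last_activity = now
        return s

    def transfer(self, token: str, amount_cents: int) -> bool:
        s = self._touch(token)
        if s is None or amount_cents <= 0:
            return False
        p = self._profiles[s.account_id]
        today = int(self._clock() // 86_400)
        if p.spent_day != today:         # first transfer of a new day resets the total
            p.spent_day, p.spent_today_cents = today, 0
        if p.spent_today_cents + amount_cents > DAILY_TRANSFER_LIMIT_CENTS:
            return False                 # the whole transfer is refused, not trimmed
        p.spent_today_cents += amount_cents
        return True

    def logoff(self, token: str) -> None:
        self._sessions.pop(token, None)
```

The point Pearce makes still stands: none of this helps once a logger on your PC has the real PIN, because the fraudster then logs in correctly, within the idle window, and under the limit. The limit only caps the loss per day, which is why keeping it low is on the checklist further down.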

Understand the risks

Of course hacking is a sophisticated fraud and there are far simpler methods for you to lose money by banking online. For instance, potential fraudsters can obtain your PIN and password if you write them down on your computer, or they may shoulder surf (watch you enter your details when you log on to your bank's website). They may also guess an obvious password such as your birth date.

Roland le Sueur, the head of internet banking at FNB, says most banking fraud is perpetrated by people known to the account holder. Just as you should not reveal the PIN for your ATM card to other people, or hand over blank cheques, you should keep your internet banking details confidential, he says.

Does this mean you should avoid online banking?

No, Pearce says. He has enough confidence in internet banking to have online accounts with two of the big banks himself. But you do have to understand how vulnerable you are and take as many precautions as possible, he says. The more measures you put in place, the more difficult it is for hackers and the more likely they are to go elsewhere.

He also believes that organisations are much more at risk than individuals, since sophisticated hackers are more likely to apply their expertise and ingenuity to the source of bigger pickings than your humble bank account.

If he was a hacker who wanted to steal money, Pearce says, he would penetrate a bank or company from the inside. Large organisations have thousands of machines on their premises with direct access to computer networks.

Ultimately, according to Pearce, total security will become a reality only if banks adopt public key encryption, which is an electronic method of identification. Ideally the system should be adopted by the country as a whole, with the government appointing a certificate authority to issue a smart card to every citizen. The card, combined with biometric technology such as fingerprint or retina scanning, would become your electronic identity.

Some countries are moving towards such security systems, Pearce says, but it requires advanced technology and development. For those reasons, and because of the potential privacy issues, South Africa is many years away from adopting such a system.

The buck stops … where?

In the meantime, who is accountable for losses suffered through internet banking?

Le Sueur says banks cannot be held responsible for what happens on your PC. While banks take responsibility for the security of their systems, consumers must take care of security on their own computers, he says.

But Pearce says the jury is still out on this issue. Agreements relating to the use of internet banking services generally contain disclaimers in favour of the banks, but it could be argued that banks are liable for losses under the Electronic Communications and Transactions Act if they fail to implement sufficient security measures.

For now online account holders and banks will be watching the Absa court case with interest because it will be the first time that the new act, which became law on August 2 last year, will be tested in court.

How cyberfraud works

Internet fraudsters gain access to your computer. This can be done via hardware that is physically attached to your computer, but is much more likely to come in the form of software known as spyware. Spyware arrives bundled with a virus, as an email attachment, or inside software that you download from the internet or install from a CD-ROM or floppy disk.

Thereafter, when you connect to the internet, data gathered from your computer is fed to a collection point for the spy to sort through. From there, it is a simple task for the spy to extract crucial information, such as your internet banking user name, PIN and password.

Peter Barbas, the managing director of Data Enhancement Solutions, says a staggering 82 percent of internet users may have some form of spyware operating on their computers.

According to Herman Singh, the director of Direct Channels at Standard Bank, the bank is making anti-virus software available to its customers to combat "over 60 000 known viruses in the world, 87 percent of which are transmitted by the internet".

You are most likely to receive spyware in one or more of the following ways:

- Downloading software from the internet;

- Installing free software from magazines;

- Opening suspicious or unfamiliar emails;

- Through files deposited on your computer while you browse the internet (cookies themselves are only tracking data and cannot run code, but they let a site recognise you); and

- Via malware such as viruses, Trojans and worms.

How to protect your cash and your PC

- Make sure you are on the authentic website of your bank, and not a look-alike site. To do so, check the bank's security certificate, a small digitally signed file vouching for the identity of the site, issued by an independent certification authority such as VeriSign. Make sure the domain name (the internet address or URL) is identical to the name on the security certificate. Certificates carry an expiry date, so your bank renews its certificate at regular intervals;

- Make sure you are on a secure website. To do so, check that the URL begins with https rather than http, and look for the small padlock icon in your browser's status bar;
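The two checks above are worth spelling out as code, because they catch different things: the https check tells you the connection is encrypted, the name check tells you who is at the other end, and neither alone is enough. A look-alike site can have a perfectly valid certificate for its own look-alike name, so the address must also be compared with the one you know is the bank's (a bookmark, or the address printed on your statement). The following is an added example, written for this page rather than taken from any bank or browser, that performs both checks against a certificate in the shape Python's `ssl` module returns from `getpeercert()`. The certificate contents, the host names and the "examplebank" domain are constructed for illustration; it also applies the RFC 6125 wildcard rule, which goes beyond what the article states.

```python
from urllib.parse import urlsplit

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
# None of these names are real; they exist only to exercise the checks.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "www.examplebank.co.za"),),),
    "issuer": ((("organizationName", "Example Certification Authority"),),),
    "notAfter": "Feb  7 23:59:59 2005 GMT",
    "subjectAltName": (
        ("DNS", "www.examplebank.co.za"),
        ("DNS", "*.online.examplebank.co.za"),
    ),
}


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: a '*' may stand for exactly the leftmost label
    and never spans a dot, so '*.a.b' matches 'x.a.b' but not 'y.x.a.b' or 'a.b'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*":
        return False          # refuse '*' and '*.za', and partial-label wildcards
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """True if hostname is one of the certificate's subjectAltName DNS entries.
    The commonName is deliberately ignored; modern browsers ignore it too."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_dns_name_match(san, hostname) for san in sans)


def check_banking_url(url: str, cert: dict, expected_host: str) -> list:
    """Return the list of reasons not to bank at `url`; an empty list means
    the address is https, is the bank's own name, and the certificate was
    issued for that name."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("not https: the session would not be encrypted")
    host = parts.hostname or ""
    if host != expected_host.lower():
        problems.append(f"address is {host!r}, not the bank's {expected_host!r}")
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("address contains non-ASCII (punycode) labels: possible look-alike")
    if not cert_matches_host(cert, host):
        problems.append("certificate was not issued for this host name")
    return problems


if __name__ == "__main__":
    for url in ("https://www.examplebank.co.za/login",
                "http://www.examplebank.co.za/login",
                "https://www.examplebank-secure.co.za/login"):
        print(url, check_banking_url(url, SAMPLE_PEER_CERT, "www.examplebank.co.za"))
```

In a real browser these checks happen automatically: the padlock appears only when the scheme is https and the certificate's name matches the address bar. The check a browser cannot do for you is the middle one, comparing the address with the one that is genuinely your bank's, which is why the advice is to type or bookmark the address rather than follow a link in an email.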

- Do not do your banking at an internet cafe, public kiosk or airport lounge, because spyware could be monitoring the computers;

- Restrict access to your PC to prevent unauthorised spyware from being installed on it;

- If you do not know the origin of an email, delete it at once. Don't open suspicious attachments, even from friends, whose addresses can be faked by hackers;

- Ignore unsolicited virus warnings from anyone other than a trusted service provider;

- Set up a personal firewall on your computer to prevent hackers from stealing your private details, block Trojans from taking control of your PC and deny access to dangerous online intruders;

- Protect your computer against viruses by installing anti-virus software. Update it regularly or newer viruses will be able to infiltrate your system;

- Install specialist anti-spyware software, which targets and removes keystroke- and pinpad-logging spyware;

- Be careful when entering your PIN and/or password in shops or online, making sure you are not watched (even by security cameras);

- Don't download or install any software from the web that is not from a reputable vendor and does not have verifiable proof of authenticity;

- Use only licensed software on your computer and where possible, ensure that your operating system, browser and email program are operating on the latest service packs (patches or software updates from vendors), because viruses frequently exploit security vulnerabilities in programs;

- Change your password and PIN regularly;

- Ensure your mail software cannot send emails without your confirmation (check the mailer's help file);

- Keep your transaction limits as low as possible to limit any losses should fraud take place;

- Check your email and cellphone messages regularly if your bank uses them to notify you of account activity;

- Query suspicious or unauthorised withdrawals from your account as soon as possible, so that the bank can take action and possibly prevent losses. Internet transfers to a third party can take a few days, which gives the bank time to reverse the transaction;

- Always make sure you have logged off after your last transaction. While most banks' systems log you off automatically after a few minutes, that may be all it takes for somebody to access your account;

- Delete your cookies, offline and temporary internet pages regularly, preferably after each banking session;

- Visit your bank's website for detailed information on how you can enhance the security of your internet banking ( www.standardbank.co.za; www.absa.co.za; www.nedbank.co.za and www.eBucks.co.za).

This article was first published in Personal Finance magazine, 4th Quarter 2003.