
RaboDirect blog: commentary from RaboDirect senior managers and guest bloggers

Banks on the ‘hit list’ and mobile ‘vishing’ attacks!

Submitted on 12/02/2008 09:00

Last month, I wrote about online banking security and listed ten internet scams you need to be aware of as an online banker. Well, there are two more to add: one affects online transactions, the other mobile banking security.

According to the security software company Symantec, 400 banks are on the ‘Trojan.Silentbanker’ hit list. The main concern is that this Trojan can circumvent two-factor authentication: it sits inside the customer’s browser, so after the customer has logged in it can intercept transactions and silently swap the destination bank account details for the attacker’s.

With large numbers of Australians conducting their banking online, the banking industry is understandably doing what they can to stay one step ahead of the scammers.

RaboPlus is doing everything it can to protect its customers by giving every customer a Digipass, one of the safest methods of online banking. The Silentbanker case shows why the detail matters: a code that only proves who logged in can be bypassed by a Trojan that alters the transaction afterwards, so the transaction itself has to be confirmed as well. In such a dynamic world, RaboPlus will have to keep facing the never-ending banking security storm head on, together with the rest of the industry and governments.

With the boom in online banking, other banks have started to roll out more sophisticated security such as two-factor authentication. At a recent round-table in Singapore, Oracle’s regional director for security and ID management solutions, Roman Tuma, suggested security had to move beyond two-factor authentication, particularly when it came to mobile banking.

Tuma suggested online banking consumers need and want security after the point of logging in. Extra layers of security can be added past the login page, so that any unusual activity is logged and sent to the bank’s monitoring systems to raise an alert.

It is interesting to note that although, according to Reutt, the US was the first country to recognise that government has a role in pushing financial institutions to introduce better security, it was the Monetary Authority of Singapore (MAS) that mandated two-factor authentication for online banking, in December 2006.

On the mobile banking front, the FBI has recently been warning of dramatic increases in the number of so-called ‘vishing’ attacks, which entice mobile phone users to give up their personal banking details.

It works much the same way as ‘phishing’: an email or text message asks the user to call their bank to reactivate a credit or debit card. When they call, they are greeted with ‘Welcome to the bank of ...’ and asked to enter their card number to resolve an ‘impending security issue’. The number in the message, of course, belongs to the scammer, not the bank, so the safe habit is to call only the number printed on the back of your card or on a statement.

With more iPhones and smartphones entering the market, mobile banking security will continue to grow as an issue both here in Australia and abroad.

Some scammers have even set up their own call centres, often employing staff who may be unaware that they are working for a criminal gang.

So, to last month’s 10 internet scams and issues to be aware of, let’s add another: Trojan.Silentbanker.

1. Man in the Browser
2. Man in the Middle
3. Phishing
4. Hoax Emails and Fraudulent websites
5. Browser Hijackers
6. Spyware
7. Pop Ads - Adware
8. Vishing – fraudulent phone calls and numbers
9. Smishing: Mobile Banking Security – Brendan McGee posted this great discussion on mobile banking security in October: “Discussion about Mobile Banking Security at a Feverish Pitch”
10. The Pinch
11. Trojan.Silentbanker

Know of any more scams or issues out there? Add them in the comments!


Comments

1. Brandon (Perth, WA) | 25/02/2008 11:13

Hi Bryan - nice post. I guess that with SMS now being rolled out in banking security the scammers will be targeting a mobile phone near me soon. Commonwealth already uses SMS as security for online banking - so Commonwealth customers beware!

2. Mark (Sydney) | 05/03/2008 03:06

The Digipass system is time consuming requiring another (expensive?) device and multiple nbr entries for withdrawals.

There is a crowd down in Canberra called Alacrity that seems to have a more user friendly option for enabling easy User Not Present authentication for online and mobile channels. Worth a look maybe (www.alacrity.com.au or alacritytec.com.au)

3. Simon (QLD) | 12/03/2008 11:13

I think the Digipass system is great. The more difficult for hackers to get hold of my details the better.

4. Bryan Inch (Sydney) | 14/03/2008 11:10
Mark (Sydney) wrote:
The Digipass system is time consuming requiring another (expensive?) device and multiple nbr entries for withdrawals. There is a crowd down in Canberra called Alacrity that seems to have a more user friendly option for enabling easy User Not Present authentication for online and mobile channels. Worth a look maybe (www.alacrity.com.au or alacritytec.com.au)

Thanks for your comment Mark.

The security of our customers’ money is a top priority at RaboPlus. The digipass is supplied to customers free of charge and is one of the safest methods of online banking available today.

Rabobank has worked very closely with Vasco, the Belgian company that developed the Digipass, for many years and was one of their original clients. Our track record and experience with Vasco globally gives me added comfort that our customers’ investments are as safe as we can make them.

I mentioned in a previous post, that in a recent online customer survey conducted by an independent agency for RaboPlus, 82% of customers considered the Digipass easy to use. Our average customer’s investment is quite substantial, so I imagine that on the whole, they appreciate the extra security the Digipass offers, even though a few may find it a bit inconvenient/time consuming.

I appreciate your suggestions though and I’ve taken your comments on board to consider future improvements.

5. Peter | 04/04/2008 04:32

Hi Bryan, We are new to Rabo bank, your blog is a great idea. We have been banking online for some years. The sms security step used by our regular bank seems like a good idea. Your digipass is even better, but can you explain in a nutshell how it works?
I have no idea how the pass's generated security code can authenticate a particular transaction. I am one of those people who will pull the clock apart to see how it works, usually after it has stopped. I don't intend pulling your pass apart, I just want to know how it works.

6. Bryan Inch (Sydney) | 10/04/2008 07:18
Peter wrote:
Hi Bryan, We are new to Rabo bank, your blog is a great idea. We have been banking online for some years. The sms security step used by our regular bank seems like a good idea. Your digipass is even better, but can you explain in a nutshell how it works? I have no idea how the pass's generated security code can authenticate a particular transaction. I am one of those people who will pull the clock apart to see how it works, usually after it has stopped. I don't intend pulling your pass apart, I just want to know how it works.

Hi Peter, the theory behind the Digipass can be described using the analogy of a clock. The Digipass works like a clock that shows the time in a scrambled way. If the time is 15 minutes and 13 seconds past 4pm, a digital clock would show 16:15:13 (161513 in numbers only). To make this time unreadable and unique, it is then scrambled. For example, if we multiply the time by 15 (an example of the Digipass's secret key) the result would be 2422695 (the secret message).

Our main system has a similar style but in reverse. So to continue the analogy of a clock, our system contains a list of secret codes (keys), and is able to 'un-scramble' the secret message. If the unscrambled message is the correct time, we know that it is the correct Digipass that has been used for this account.

In the real environment scrambling is more sophisticated and uses a complex and unique "Key" per digipass. No two Digipasses use the same codes.

I hope this helps you to understand how the Digipass works.
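As an added worked example (not code from the original post, and not Vasco's proprietary Digipass algorithm, which the post does not describe beyond the clock analogy), the Python below implements the "scrambled clock" idea from the comment above with the HMAC-based one-time-code construction of RFC 4226/6238, then addresses Peter's question and the post body's point about security after login: a second variant mixes the payee and amount into the code, so a Trojan that rewrites the destination account after login, as Trojan.Silentbanker is described as doing, leaves the bank with a code that no longer verifies. The key, account numbers, amount and timestamp are constructed test values, and the transaction-binding scheme is an illustration in the spirit of RFC 6287 (OCRA), not the Digipass's own.

```python
"""Added example: time-based one-time codes versus transaction-bound codes.

Illustrative code only. It is not Vasco's Digipass algorithm; it uses the
public HMAC-based construction of RFC 4226 (HOTP) and RFC 6238 (TOTP), and a
transaction-binding variant modelled loosely on RFC 6287 (OCRA). All keys,
account numbers, amounts and timestamps are constructed test data.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # one code per 30-second window, the TOTP default
DIGITS = 6

# Constructed demo values (not real accounts, not a real token secret).
DEMO_KEY = b"constructed-demo-key-not-a-real-token-secret"
DEMO_NOW = 1_202_774_400           # a constructed Unix timestamp in Feb 2008
PAYEE = "062000-12345678"          # account the customer intends to pay
ATTACKER_ACCOUNT = "062000-87654321"  # account a Silentbanker-style Trojan swaps in
AMOUNT_CENTS = 250_000             # AUD 2,500.00


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1(key, counter) with dynamic truncation to `digits` decimals."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: int) -> str:
    """Token side: the 'scrambled clock'. Same key and same time window give the same code."""
    return hotp(key, now // STEP_SECONDS)


def verify_totp(key: bytes, code: str, now: int, skew_windows: int = 1) -> bool:
    """Bank side: recompute for the current window plus/minus `skew_windows` of clock drift."""
    current = now // STEP_SECONDS
    return any(hmac.compare_digest(hotp(key, current + d), code)
               for d in range(-skew_windows, skew_windows + 1))


def derive_tx_key(key: bytes, payee_account: str, amount_cents: int) -> bytes:
    """Bind the code to what is being paid: a per-transaction key derived from payee and amount."""
    return hmac.new(key, f"{payee_account}|{amount_cents}".encode(), hashlib.sha256).digest()


def transaction_code(key: bytes, now: int, payee_account: str, amount_cents: int) -> str:
    """Token side: the customer keys payee and amount into the token; the code covers them."""
    return hotp(derive_tx_key(key, payee_account, amount_cents), now // STEP_SECONDS)


def verify_transaction(key: bytes, code: str, now: int, payee_account: str,
                       amount_cents: int, skew_windows: int = 1) -> bool:
    """Bank side: recompute over the payee and amount the bank actually received."""
    return verify_totp(derive_tx_key(key, payee_account, amount_cents), code, now, skew_windows)


def mitb_demo(now: int = DEMO_NOW) -> dict:
    """The Silentbanker scenario from the post: the customer authorises a payment to PAYEE,
    the Trojan rewrites the payee in the browser, and the codes the customer typed travel
    unchanged to the bank. Returns what each kind of code lets the bank conclude."""
    login_code = totp(DEMO_KEY, now)
    tx_code = transaction_code(DEMO_KEY, now, PAYEE, AMOUNT_CENTS)
    return {
        # A login-only code still verifies: it says nothing about which payment was meant.
        "login_otp_accepts_tampered_payment":
            verify_totp(DEMO_KEY, login_code, now),
        # A transaction-bound code fails: the bank recomputes it over the attacker's account.
        "tx_code_accepts_tampered_payment":
            verify_transaction(DEMO_KEY, tx_code, now, ATTACKER_ACCOUNT, AMOUNT_CENTS),
        # The genuine payment, untouched, verifies.
        "tx_code_accepts_genuine_payment":
            verify_transaction(DEMO_KEY, tx_code, now, PAYEE, AMOUNT_CENTS),
    }


if __name__ == "__main__":
    for outcome, accepted in mitb_demo().items():
        print(f"{outcome}: {accepted}")
```

The skew window in `verify_totp` is the practical reason a token's clock can drift a little without locking the customer out; the price is that each extra window accepted is another code an attacker could guess. The transaction-bound variant is what answers Peter's question: the code proves not just that the right token was present, but that it was used for this payee and this amount.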


About Greg

Greg McAweeney is the General Manager of RaboDirect Australia.


Important note

As individual circumstances vary, our bloggers' comments cannot take into account your personal objectives, financial situation or needs.