Welcome to the RaboDirect Blog!

Online security: who’s afraid of the big bad wolf?

28 September, 2009

I was asked to speak at an online security seminar a while back and the theme of customer education was mentioned more than once. Are financial institutions doing enough to protect their customers’ identity and money in the online world? And are bank customers even aware of the emerging threats in social media and the precautions they should take?

Let’s face it, online security is not really a dinner party conversation for most of us but there’s a lot at stake so here’s my take on it.

The adoption of online banking will undoubtedly increase over the next decade as Gen X have grown up knowing nothing but the web and older generations have been embracing the internet and social media in greater numbers.

The greatest growth in Facebook over recent times has come from the 35-49 age group while those in the 50-64 age group are becoming avid social media junkies.

Aussies love their social media with Forrester Research reporting that 75% of Australian online adults read blogs, use social networking sites like Facebook, listen to podcasts, and read online reviews. So it’s pretty clear, there’s not exactly going to be a retreat from online anytime soon.

So while we’re busy sharing all sorts of information about ourselves online with our friends and with people we’ve never met and are never likely to, it creates a feast of information that criminals can use to try to steal our identity. There are many examples of this, from the fairly harmless, such as Britney Spears having her Twitter account hacked (do we really care?), to the story of Dimitri, who was featured on ABC’s Four Corners in August. He inadvertently clicked on a spoofed or phished email purporting to be from the Commonwealth Bank, which set off a chain of events starting with funds being stolen from his bank account, his mobile phone account being hijacked and more misery besides.

If you are unfortunate enough to be a victim of identity fraud it can be a nightmare to put things right as your credit rating is usually one of the first things to be hit. Criminals try to take out loans or open credit accounts in your name.

Should banks be doing more?

My personal view is that financial institutions have a moral obligation as well as a legal obligation to do what we reasonably can to keep your money and identity safe.

One of the main reasons we see so many phishing email attacks is because many banks still rely on basic user name and static passwords to regulate access to online bank accounts. It’s a policy from the Stone Age that Fred Flintstone would be proud of.

In RaboPlus, we made a conscious decision to implement far more robust security via our Digipass system and we’re always looking at ways to keep a step ahead. And while some people in the industry might try to trivialise the issue, 800,000 Australians fell victim to fraud in 2007, with 500,000 actually losing money, according to a Datamonitor report. Lots of money - $977 million - and if 25% of this fraud was perpetrated online, we’re talking about a quarter of a billion dollars. Stolen.

It’s time for customers to take some responsibility too

Of course, phishing isn’t the only way that fraudsters try to attack customers and their bank accounts. Whether it’s by trying to hijack an online banking session, exploiting weaknesses in call centres, mailbox fraud or mobile banking platforms, we can take some sensible and not very onerous precautions.

Remember that the more information about yourself that you share online across various social media sites the higher the risk of attracting fraudsters. And this is where the customer has a role to play. A bank can only do so much. I believe customers also need to face up to their responsibilities. You wouldn’t drive without a seatbelt because you know it’s reckless. So why be reckless with your money?

If you need another reason to rethink what information you share online, read about the unfortunate Natasha Cann, whose Facebook account was hacked and whose closest friends the criminals then tried to scam out of money.

You can read more about online banking security precautions, how to spot scams, social networking sites & identity theft issues in the online security section of our site. There are also a number of good sites you can go to for security information and you will find these linked on our site.

My view is that RaboPlus shouldn’t try to hide from the fact that there are risks to banking online, and making people aware of the risks and how to protect themselves online can only help to combat the fraudsters out there. I’m not trying to scaremonger – the chances of falling victim to fraud are still very low, but you don’t want to be the one who does lose money.

Online banking customers will always make that trade-off between high security and convenience – some would rather go without devices like Digipasses in favour of passwords. But as I’m fond of saying: if you became a victim of online banking fraud, the first question you’d probably ask your bank is why wasn’t their online security better? A bit like closing the door after the horse has bolted really.

Discussions

Callan (Sydney) | 26/10/2009 03:48
I think your digipass is an excellent security measure and it's a shame the big 4 don't offer their customers the same safety. You guys should licence it to them!
Ricky (Sydney) | 11/01/2009 04:41
Two-factor authentication has been around for a while; I have been using a token (what digipass really is) from a HK/UK based international bank for about 5 years. The Big 4 probably have something similar for their "higher value" customers. Rabobank does have the best and clearest information online in regards to risk and security, concise and easy to understand. Other banks' messages often seem to be written by lawyers.
Sam | 29/11/2009 01:45
Callan - welcome to 2009. Rabo doesn't own this, it's a well established, commonly available technology. Other banks just decided to use another technology (some are easier to use and don't require you to lug around this token).
Greg McAweeney (Sydney) | 12/01/2009 10:22
Hi Sam, you are of course correct, the Digipass is issued by a company called Vasco, and Rabobank has been using the Digipass in Holland, and for its online banks around the world, for a number of years. There are many forms of two factor security out there, but not that many Australian banks have adopted them, mainly due to the cost of implementation. Many of the big banks still have the weakest of security by way of the login with a simple user name and password, and in my view, that’s just not a good enough level of security. Sure, the banks are currently refunding losses to customers if their account is hacked, but that only deals with the cash part; the fraudsters now know an awful lot about you and your life from your banking transactions, and I’m certainly not happy about that level of risk. I still believe carrying the Digipass is a small price to pay for peace of mind.
Dan (Perth WA) | 13/03/2010 07:22
Regarding Online Banking Security - to further enhance the Digipass security you should also investigate the Ironkey Personal S200 USB flash drive, dubbed the most secure USB flash drive ever tested by Computerworld (Feb 2009). It's designed to protect your data, passwords and online identity on any computer. A few years back Raboplus sent their customers a 2GB flash drive as a promotional gesture for opening an online account. Perhaps you can make the Ironkey available to customers with $10000 (or whatever level you deem appropriate, or to all customers) or more invested with Raboplus? This will add another layer of security to online banking transactions! Kind regards, Dan
Greg McAweeney (Sydney) | 25/03/2010 10:06
Thanks for the idea Dan, we’ll look into it.
Jen (Bris) | 30/03/2010 12:49
I love the digipass security. My concern was that to set up an account with Raboplus, I needed to email personal details of myself plus my transfer account details in the application form, which I then had to print and send as hard copy anyway (with signature). I would never normally send this degree of personal information in one transaction. Is it possible to just download an application form without submitting these details on-line? I nearly gave up! Is there another method to add an additional security measure to this aspect of the application process? Thanks
Greg McAweeney (Sydney) | 04/06/2010 10:06
Thanks for your comment, Jen. As an online bank, the internet is our primary channel for customers to open and manage their accounts. You can be reassured that data security is an extremely high priority for us. Our online security goes beyond Australian industry standards and our secure online application form is certified by DigiCert – your data and privacy are protected. You can also read our privacy policy and online security tips for more information. We do on occasion send paper copies of the application form for customers to complete and return to us via mail. If you still want to pursue this option, please call our Customer Contact Centre on 1800 445 445.
