CRIMINALS TARGET ONLINE BANKING IN SOUTH AFRICA
Criminals are making such concerted attacks on SA's online banking industry that the major banks and Internet service providers may co-operate to standardise their technologies to keep the thieves at bay.
At a sensitive and lengthy exploratory meeting last week, key players discussed the best way to present a united front to beat the criminals and educate their customers. While commitments are yet to be firmed up, the delegates agreed to nominate staff to focus on the issue and investigate the available technologies.
Standard Bank's media relations manager, Ross Linstrom, would only say: "We are participating and we think it's a good initiative." Nedbank, First National Bank, Absa, Investec and Rand Merchant Bank also attended, along with internet service providers (ISPs) Verizon, MWEB, Saix and Internet Solutions.
The discussion was organised by Striata, a specialist in delivering documents securely by e-mail. The issue uniting them is phishing, where e-mails are sent out asking people to update their personal details online. A link in the e-mail directs customers to a fake website that exactly mimics the bank's website. When they enter their account number and passwords, the details go straight to the criminals who withdraw cash from that account.
Gilbert Swats, CEO of the South African Banking Risk Information Centre (Sabric), says phishing is proliferating because the banking systems are too secure to attack without knowing a person's account details.
"The banks are continuously looking at their systems and have very sophisticated security measures to parry any attacks. They are very open to saying if there is a new initiative and protection mechanism it will be welcomed and they will look at its merits," he says. "There needs to be a good partnership between the banks, the industry and customers because there is a shared responsibility to reduce the problem."
Statistics are shaky, but Striata CEO Mike Wright estimates that every month 1-million phishing e-mails are sent to local customers and up to 100 websites are set up mimicking those of SA's banks. "If you send a million messages and get a 0,01% success, that's 100 people who give you their details," he says.
The volatile rand and SA's small online banking population have kept the country relatively safe in the past. "Why phish in rands when you can phish in dollars, and why phish for 2-million customers when you can phish for 20-million?" Wright says.
But the far larger foreign banks have introduced anti-phishing measures and educated their clients, prompting phishers to seek easier markets. "We don't educate clients as much, so we have a virgin client base to phish," says Wright.
Two agreements were reached at the meeting. The first is for each bank and ISP to nominate a key contact so when any incident is detected the information is shared instantly.
The second, and no doubt slower step, is to adopt digital certificate technology that guarantees an e-mail is genuinely from the bank. The technology checks which server was used to send the message. If e-mail supposedly from a bank is sent from a machine the bank does not use, the ISP carrying the traffic will not deliver it to the customer.
That will prevent the bulk of phishing e-mails from being delivered. Moreover, compliant e-mails are marked with a red rosette, and customers could be taught to ignore any without a rosette.
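The server-origin check described above can be modelled on SPF-style published sender policies (RFC 7208): the bank's domain publishes which sending addresses it uses, and the receiving ISP compares the connecting server's address against that list before delivering. This is an added illustration, not Striata's product or any bank's or ISP's real policy; the domain names, addresses and policy strings are constructed.

```python
import ipaddress

# Constructed sample policies: which sending hosts each domain authorises.
# Simplified SPF-style syntax; only ip4/ip6/all mechanisms are handled here.
SENDER_POLICIES = {
    "examplebank.example": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all",
    "partner.example": "v=spf1 ip4:192.0.2.0/28 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_policy(record, sending_ip):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for a sending IP."""
    ip = ipaddress.ip_address(sending_ip)
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"  # no usable policy published for this domain
    for term in terms[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mech == "all":
            matched = True  # catch-all: applies to any address not matched earlier
        elif mech.startswith(("ip4:", "ip6:")):
            # An address of the other IP version never matches a network.
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        else:
            continue  # mechanism not supported in this simplification
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match


def deliver(envelope_from, sending_ip, policies=SENDER_POLICIES):
    """Decide whether the ISP relays the message: ('deliver'|'reject', result)."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    record = policies.get(domain)
    if record is None:
        return ("deliver", "none")  # domain publishes nothing; cannot judge
    result = evaluate_policy(record, sending_ip)
    # Only a hard fail blocks delivery; softfail is passed on for later scoring.
    return ("reject" if result == "fail" else "deliver", result)


if __name__ == "__main__":
    # A message claiming to be from the bank but sent from an unlisted host.
    print(deliver("alerts@examplebank.example", "192.0.2.99"))  # ('reject', 'fail')
    print(deliver("alerts@examplebank.example", "203.0.113.25"))  # ('deliver', 'pass')
```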
The banks will not say how much cash has been stolen through phishing. They are taking the pain and refunding victims. That compassion will not last forever.
"Absa has not lost any money to phishing, but Barclays in the UK has been targeted and lost money," says Carl Louw, the head of Absa's internet channel. The banks have taken a soft stance because phishing is new and customer education is not yet at an optimal level. "Slowly but surely the banks will start pulling in the reins," he says.
Wright puts it more bluntly: "The banks can't let this go forever otherwise customers will be complacent. They (banks) have to start saying 'you are not going to be repaid if you don't listen to anything we say. You have to take responsibility for your actions'."
Louw says the industry-wide initiative proposed by Striata would get a consistent message into the market about how customers should protect themselves online. It is also valuable because the ISPs have a major role to play in quickly closing spoof websites, blocking fake messages and raising customer awareness.
Banks are also suffering from attacks that originate in internet cafes, where criminals download key-logging software on to public computers. The software records each keystroke as a user types in their banking details, allowing the criminal to enter their account and withdraw cash.
"Internet cafes are not taking the right action to prevent key logging and we are seeing a dramatic increase in those credentials being harvested," says Louw. As well as educating customers not to bank from public computers, the internet cafes could wipe the computers clean between each user.
Some delegates said there was a "reluctant admiration" for phishers because their attacks were so sophisticated. "These are seriously clever guys. Three or four years ago it was elementary, but telling the difference between a spoof site and real site now requires inside knowledge," says one.
At the moment the ISPs "black hole" a fake website as soon as the banks alert them, to prevent people reaching the site. In response, the phishers now set up hundreds of fake websites, and each batch of e-mail has a different link to reach them.
Last week, a two-factor security system used by Dutch bank ABN Amro was circumvented and money stolen from customers in a phishing scam. Two-factor authentication sends the customer a one-time number to type in as additional evidence of identity.
But the e-mails claiming to be from ABN Amro downloaded software on to the clients' computers. When they visited their banking site, the software redirected them to a mock site that asked for their security details. As soon as the hackers received those details they logged into the customer's account before the one-time security number had expired. SA's banks have introduced one-time passwords, but this attack shows they are not infallible.