Internet crime
Internet crime is on the increase, affecting banks and their customers. Matthew Warner asks how successfully banks are fighting back by working with their customers and other organisations.
The banking sector is at the forefront of the IT revolution, and nothing has been more central to this revolution than the Internet. However, the Internet offers increased opportunities for crime as well as business.
Viruses and worms can compromise systems and overwhelm entire networks, while organised crime is now executing sophisticated frauds, specifically aimed at bank customers. In response to the varied threats, banks have developed unprecedented levels of security and highly effective business continuity management processes.
Phishing for funds
The Internet has allowed criminals to modernise some old scams and develop a generation of new ones. The latest phenomenon is known as 'phishing'. It has affected a large number of banks around the world and most banks in the UK, in some cases requiring the temporary shutdown of Internet banking operations. Since it was first seen in September last year, there has been a surge in phishing scams. Figures from the Anti-Phishing Working Group show that activity has increased by 52% per month so far this year, with 5.7 new phishing attacks every day.
These scams attempt to steal identities by persuading unwary customers to divulge their credit card details and password. An e-mail directs the customer to a website that purports to be that of their bank, where they are asked to click on a link and re-enter their account details. This is often claimed to be part of a 'security update'. The stolen information is then sold to criminal gangs, often based in Russia and Eastern Europe. Early phishing sites were poor fakes, and the language used was an odd mixture of Russian and English. However, this has changed, and false websites are now all but indistinguishable from the genuine article.
The phisher uses the strength of a bank's brand against the bank itself. Such is the trust people place in the bank's website that they assume the request for a security update is routine. This misplaced trust can be very damaging. Mark Bruno, Product Manager at Brightmail, which develops anti-fraud software, explains: "The cost to the company can be high if the scam preys on the company brand. There is the damage to brand equity, which is hard to measure. There is also the cost of support calls, which have hit 70,000 after a phishing attack. Then there is the potential cost of remunerating victims of the scam."
Ways to customers' money
A flaw in the security of Microsoft's Internet Explorer has also assisted phishers. The '0.1%' flaw enabled phishers to put a web address in the address parameter of the e-mails they sent out which, though appearing to be the correct address, in fact took users to a bogus site where they found the request for confidential information. The flaw was quickly patched, but it nevertheless shows the sophisticated use of IT by some phishers.
Slightly less sophisticated is the use of a 'cousin domain'. This counts on customers not noticing that the site they are using has a .net or .org address instead of the usual .co.uk, for example. Sometimes a hyphen is inserted between words in an address. The address issue is avoided altogether by phishers who use a pop-up web page. These don't carry a URL and so remain anonymous, but they will ask for confidential information and are all the more convincing because they appear on top of the genuine website.
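An added example, not part of the original article: a Python check that a mail filter or abuse desk could run over links in reported e-mails to flag the two cousin-domain patterns described above (a swapped suffix and an inserted hyphen). The bank name examplebank.co.uk, the sample URLs and the short suffix list are constructed placeholders; a production check would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, deliberately short suffix list (assumption); real deployments
# should load the Public Suffix List instead.
SUFFIXES = ("co.uk", "org.uk", "com", "net", "org")


def split_host(host):
    """Return (registrable label, suffix), or (None, None) for unknown suffixes."""
    host = host.lower().rstrip(".")
    # Try the longest suffix first so ".co.uk" is never mistaken for a shorter one.
    for suffix in sorted(SUFFIXES, key=len, reverse=True):
        if host.endswith("." + suffix):
            # The registrable label is the last label before the suffix,
            # so "www.examplebank.co.uk" yields "examplebank".
            label = host[: -len(suffix) - 1].split(".")[-1]
            return label, suffix
    return None, None


def classify(url, genuine="examplebank.co.uk"):
    """Compare the host in `url` with the bank's genuine domain (hypothetical)."""
    label, suffix = split_host(urlsplit(url).hostname or "")
    g_label, g_suffix = split_host(genuine)
    if label is None:
        return "unknown"
    # Ignore hyphens when comparing names, so "example-bank" matches "examplebank".
    if label.replace("-", "") != g_label.replace("-", ""):
        return "unrelated"
    reasons = []
    if label != g_label:
        reasons.append("hyphen")   # hyphen inserted between words
    if suffix != g_suffix:
        reasons.append("suffix")   # .net or .org instead of .co.uk
    return "cousin:" + "+".join(reasons) if reasons else "genuine"


# Constructed sample links, as they might appear in reported e-mails.
SAMPLES = [
    "https://www.examplebank.co.uk/login",
    "http://examplebank.net/security-update",
    "http://example-bank.co.uk/security-update",
    "http://example-bank.org/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link):22} {link}")
```

A check like this does nothing against the pop-up technique, which shows the user no address to inspect.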
Attempts at identity theft have been combined with 'job offer' scams that threaten to criminalise unwitting bank customers. It isn't possible for the phishers to move money overseas simply through online banking, so spam e-mails are sent out with the aim of duping people into becoming 'agents' for a fictitious company. They are asked to open an account, which is used to channel money stolen from other people's accounts, often through phishing. They can earn a small commission, but also a criminal record.
The banks insist that the number of customers actually duped by phishing attacks is small. However, Sandra Quinn of the Association for Payment Clearing Services (APACS) recognises the threat of this new weapon. "There is a risk to your brand's reputation, and a danger that people will turn from Internet banking. You risk scaring the customers so much in telling them about security issues that they decide not to use the website again." Quinn also points out that Internet banking is seeing dramatic growth, with more customers going online who are less knowledgeable about IT risks.
Need for banks to improve alliances
Key to the fight against phishing is the education of customers. No bank would ever ask for confidential details, and all of them place this advice on websites. Informing customers is a priority, but it is reactive rather than proactive, serving only to warn of phishing scams after they have happened.
Co-ordination between banks, APACS, the FSA, ISPs and the police, particularly the National High Tech Crime Unit, is helping combat the problem, but such unity of purpose is relatively new. Quinn says that co-operation is now 'pretty good', although a year ago there was very little. APACS is leading the fight by providing the banks with a forum to discuss the problem. However, rather than plastering websites with warnings, Bruno feels the banks should make more determined attempts to solve the problem.
Nick Truman, Head of Security at BT Openworld, believes the banks could do more to co-operate with ISPs, citing incidents where he has contacted banks about specific phishing scams only to be ignored. "Phishing will erode confidence in the banking sector," he says. "It's in their interests to deal with it, but it doesn't seem to happen." The banks fiercely deny this is the case, but traditionally loathe discussing security issues or risks with the wider business community.
Truman suggests that the ISPs are "between a rock and a very hard place", as they are often blamed for attacks but can do little about them. In one case, a phisher's site was hosted in one country, paid for in another, the server was in a third, the domain registration in a fourth and the address in a fifth. The site might only be up and running for an hour, making any traceability all the harder. Furthermore, attacks can be launched from domestic broadband PCs that have had a Trojan virus installed - the owner has no idea that their 'always online' PC has become a criminal's mini web-server - so there is no point in seeking a prosecution.
Increased bank security affects customers
The current trend of attacking the customer rather than the bank can be seen as a result of the advanced security that banks use to protect themselves. Marcus Alldrick, Head of Information Security at Abbey, explains: "We have anti-virus defences at multiple points in our infrastructure. Gateways, servers, desktops are all constantly monitored."
These will hopefully stop viruses that carry a 'payload' designed to do damage. However, availability, a vital part of Internet banking, is threatened by 'multi-blend' viruses such as Sobig.f. These simply overwhelm networks with email - the flooded servers and clogged inboxes preventing the transfer of legitimate information. These malicious attacks will continue affecting all business sectors.
In a recent development, law enforcement agencies in the US have contacted the FSA to warn them that financial institutions could be targeted with IT attacks, timed to coincide with a physical attack, such as a terrorist bombing. The logic is that the distraction of the bomb will lead to a greater chance of success for the virus. The British Bankers' Association is calling for vigilance, as without specific details of such a combined attack, there is little anyone can do. But the FSA suggests that the US warnings are well founded. Being IT-vigilant may seem small comfort in the face of a bomb threat; but along with education about combating the increasing number of phishing sites and viral attacks, vigilance is vital.
Matthew Warner is a freelance journalist


