Rekha Menon reports on the ruses used by hackers to steal from online banking users and the relatively successful industry response.

Late last year, in what was probably the world’s biggest instance of online fraud, cyber-criminals stole about SKr10m (€1m) from Swedish customers of leading Scandinavian bank Nordea. The hackers fraudulently obtained customer login details through a sophisticated combination of phishing and trojan programs. Phishing involves fraudsters using fake versions of genuine bank websites to lure people into revealing their bank account details. A trojan is a program that appears benign but contains or installs malicious software.

Nordea’s customers were sent e-mails, purportedly from the bank, that asked them to download an anti-spam tool. The PCs of those who downloaded the attachment were infected by the trojan ‘haxdoor.ki’, which monitored the PCs’ online activities and kicked into action when a user tried to log on to their internet banking account. The trojan saved the customer’s login details and displayed an error message asking the customer to re-enter their login information, which was then recorded and later used by the hackers to siphon off money from customer accounts. The hackers were based in Russia.

Mounting losses

Cyber-crime is undoubtedly one of the biggest challenges facing banks worldwide today. According to a recent report by analyst firm Aite Group, 38% of the top 100 US banks have suffered an increase in online banking fraud losses in the past 12 months. In the UK, APACS, the UK payments association, estimates that internet banking fraud losses for 2006 touched £33.5m (€49m), a 44% increase over the previous year.

The increase in online fraud in the past 18 months, suggests the APACS study, has primarily been driven by a sharp rise in phishing incidents, which went up from 1713 in 2005 to 14,156 in 2006. Barnaby Davis, head of electronic banking at Barclays Bank, remarks: “The predominant threat in the online space is phishing. Along with trojans, viruses and other sophisticated techniques, such as man-in-the-middle, attacks are picking up as well.”

He notes that the rise in phishing is directly correlated to the increasing level of security systems now being deployed by banks. “With improvements in technology and banks’ investments in security systems, criminals have focused their efforts not on attacking bank systems but are targeting the line of least defence, which is simply asking customers for their details,” Mr Davis states.

“Criminal behaviour develops very rapidly. Two years ago, phishing wasn’t well known, but today it is the biggest threat we face. We need to be proactive to be able to counter new threats,” says Kari Oksanen, head of risk management, electronic banking, at Nordea.

In light of its recent high-profile online losses, Nordea’s security programme has moved into top gear and the bank is taking immediate steps to beef up the security of its online banking service. “We already had plans to improve the security of our online banking system but, with the problems in Sweden, we have fast-forwarded our plans,” says Mr Oksanen.

As a first step, the bank is deploying two-factor, card-based authentication technology for its 1.8 million online banking customers in Sweden, where the online attacks were experienced. The bank has five million online customers and plans to deploy the enhanced security measures across the remaining customers in the other Nordic countries at a later time.

Double protection

Two-factor authentication is by far the most popular technology currently deployed by banks worldwide to enhance online banking service security. It essentially provides an additional layer of security to the online banking login process. Rather than logging on with a password alone, customers also identify themselves with a physical device, such as a card reader or token, that generates a one-time password at the time of the transaction.
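The one-time-password check described above, as an added example that is not from the article or from any of the banks named: the article does not say which algorithm the card readers and tokens use, so an HOTP-style (RFC 4226) counter-based code is assumed here, and the secret is the published RFC test-vector key. The point it shows is why a code recorded by a credential-stealing trojan and replayed later is rejected, whereas a static password would be accepted again.

```python
import hmac
import hashlib
import struct

# RFC 4226 test-vector secret, used here only as a constructed demo; a real token
# holds a per-customer secret that never leaves the device.
TOKEN_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP-style code: HMAC-SHA1 over an 8-byte big-endian counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Bank-side verifier: remembers the last counter accepted for a token.

    A code is accepted only if it matches a counter within a small look-ahead
    window beyond the last used one, so a code that was already consumed (or
    captured earlier and replayed later) fails.
    """

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def verify(self, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c  # consume this counter and all earlier ones
                return True
        return False


def replay_scenario() -> dict:
    """Genuine login, then a replay of the same captured code, then a fresh code."""
    server = OtpVerifier(TOKEN_SECRET)
    captured = hotp(TOKEN_SECRET, 0)            # what a keylogging trojan would record
    first = server.verify(captured)             # customer's own login: accepted
    replay = server.verify(captured)            # same code presented again: rejected
    fresh = server.verify(hotp(TOKEN_SECRET, 1))  # next code from the token: accepted
    return {"first": first, "replay": replay, "fresh": fresh}
```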

In the US, where regulators have mandated the use of “optimum” security measures to ensure risk-free electronic banking for bank consumers, most leading banks have deployed two-factor authentication. This trend is picking up in the UK as well. Lloyds TSB launched a pilot two-factor authentication scheme using a key-ring-sized access-code device with 23,500 customers in October 2005, and Alliance & Leicester launched its scheme in May 2006.

Unlike most other banks, Alliance & Leicester has not opted for a separate physical device. Its account holders register an image with the bank that is displayed on subsequent visits to reassure them they are on the right site.

Despite different approaches, both banks have achieved positive results. Alliance & Leicester says that the technology has been “extremely effective” in combating online fraud; Lloyds TSB says that none of the customers participating in the pilot have experienced any fraud in the past 18 months.

In a bid to keep up with competition, other UK high-street banks, including RBS and Barclays, have announced plans to offer card-based, two-factor authentication schemes to online customers. RBS plans to launch its scheme this year.

An RBS spokesperson says that the enhanced security solution will be rolled out in phases to the bank’s customers who use online banking to make payments to new third-party accounts, set up standing order payees or change their online banking PIN or password.

Barclays has already started distributing card-readers to 500,000 of its two million active customers and will decide at the end of the year if the service needs to be extended to the remaining customers. “The two-factor authentication programme will be highly effective in countering phishing attacks and will definitely lead to a reduction in fraud,” states Barclays’ Mr Davis.

A different tack

Unlike its competitors, HSBC has not yet jumped onto the two-factor bandwagon and it has no plans to do so in the near future. “We have deployed two-factor authentication technology for our corporate clients, but not for retail customers and do not see the need,” says Nick Staib, senior manager, personal internet banking at HSBC.

While HSBC, along with its direct banking arm First Direct, enjoys more than 20% of online banking market share in the UK, according to Mr Staib, this accounts for only 3% of total UK online banking losses. With this security record, there is no commercial imperative for HSBC to deploy two-factor technology, he says. Moreover, he says, two-factor authentication is not a customer-friendly security programme. “A key challenge of online security is to balance appropriate security measures with customer demands and ease of use. We feel that customers do not appreciate two-factor authentication techniques and find them cumbersome.”

Banks that have deployed two-factor technology suggest otherwise. Both Lloyds TSB and Alliance & Leicester contend that, rather than complaining, customers have welcomed the reassurance provided by the additional layer of security.

Other countermeasures

Two-factor technology is, however, only part of a bank’s online security arsenal. Most banks have invested in several other countermeasures to tackle the menace of online fraud comprehensively. At Barclays, this includes free anti-virus software for its online banking customers and an SMS text alert service informing customers when a third-party payment is set up on their account. The centrepiece of Barclays’ online security programme, according to Mr Davis, is its regular communication with its customers informing them about security threats.

“Customer education is critical to prevent online fraud,” echoes Mr Staib. Lack of customer awareness is the weakest link and increasing awareness among customers is one of the biggest focus areas for HSBC, he says. HSBC is one of the founder sponsors of getsafeonline.org, a UK-based initiative to raise public awareness on online security issues.

Mr Staib believes that the banking industry is actively working to address regulator and end-customer concerns regarding online banking fraud. Estimates by HSBC’s in-house analyst indicate that in February fraud levels in the UK were down 40% on the previous month. February was also when the UK banking industry experienced the third consecutive month-by-month drop in online fraud, the lowest since 2005.

“We need to view the internet fraud growth figures a little pragmatically. A deeper analysis shows that banks are not doing too badly in curtailing fraud,” says Mr Staib.

“We also need to keep the loss figures in perspective,” says Mr Davis, referring to statistics from APACS that show that card fraud losses in the UK were £428m in 2006 compared with internet fraud of only £33.5m.

Despite fears of online security threats and exponential growth in online fraud, banks continue to achieve rapid growth in online banking usage. In the UK, for instance, the number of online banking users is estimated to have nearly doubled in the past four years to 16.9 million users.

“There has been no slowdown in online banking usage. The convenience aspect of this channel is too powerful,” says Mr Staib.

Online fraud guarantees offered by banks also play an important role in reassuring customers. Nordea, for instance, has compensated the 250-odd customers affected by last year’s online fraud.

“Provided customers have a valid case, online fraud losses are mostly borne by banks. In the end, it is the bank that is hit, not customers,” says Mr Davis.

The Banker is a service from the Financial Times.