Joe Hendren


Monday, March 07, 2005

Internet banking and security issues

The Sunday Star Times and DPF report that a hacker accessed internet banking accounts by using keystroke spyware installed at an internet cafe.

While I do not doubt there are security issues with internet banking, I suspect a great deal of the anxiety is due to internet banking being an unfamiliar technology.

I do not believe that people, even those who are particularly security conscious, choose to use a form of payment on the basis of a rational assessment of the risks. I came to this conclusion while working behind a checkout counter during my student years. Many customers, especially those of the older generations, preferred writing cheques to using EFTPOS, and some even claimed that cheques were more secure. From witnessing over 100 transactions in a week it was obvious to me that EFTPOS was far more secure. Faking a signature on a cheque is relatively easy with preparation, especially if the forger can sign the cheque in front of the teller with apparent confidence.

Unlike DPF I do not think the two-part identification adopted by ASB and BankDirect is a great improvement in security. With this system a customer is sent a text message containing a specific second password to enter before money can be transferred. IMHO this just creates a greater incentive for people to take off with my cellphone. If they have taken the time to keylog my other password - nicking the cellphone is a cinch. Especially in an internet cafe, where spodders have their attention elsewhere (note I am not a thief, but a victim of this in London).

Whether it be conducted by cheque, EFTPOS, or handing over wads of cash, no method of banking is ever going to be 100% secure. It's always going to be a tradeoff between greater security and usability. If internet banking is twisted up in security knots, people will stop using it, especially those who are less confident with computers.

For a few months my bank insisted that I change my password for access to internet banking every month. I was unable to recycle a set of passwords; I constantly had to think of new ones. This immediately struck me as being counterproductive, as it increased the chances that people would write their passwords down. To make matters worse, I happened to be overseas one time my password expired, and the only way I could regain access was to ring the bank in New Zealand. Suffice to say I did not bother making a toll call from Europe, but it was highly inconvenient as it left me with no way of knowing how much money I had in my account before it was spent on German beer (yummy!) etc.

On the couple of occasions I was a victim of card fraud while in the UK, the ability to access a live statement of my account by internet banking allowed me to catch and identify the fraud within hours. IMHO it would be terrifying to find loads of fraud on the statement at the end of the month!

I personally like the system adopted by HSBC in the UK, whereby your pass number stays the same, but you are asked for three different letters of the passcode each day. For example, if your password was 123456, on one day the system may ask you for the 3rd letter of your passcode (3), the 1st letter of your passcode (1) and the 6th letter of your passcode (6). While not entirely foolproof against keylogging (nothing is), a significant advantage with HSBC's system is that the full password is never revealed.

Perhaps restricting access to internet banking to a certain range of IP addresses could cut down the chances of fraud, especially as it would minimise the chances of overseas based crims accessing NZ internet banking accounts. If you were going overseas you could tell your bank to remove this restriction (like global roaming on cellphones) perhaps replacing this with an alternative type of verification for the time you were overseas.

Ultimately, the best solution may be an additional piece of hardware, such as a thumbprint reader or card swipe and PIN. But I bet Bonnie and Clyde already know how to make the heist on that one.



At 9:28 PM, Blogger Rich said...

I did the sums on the "pick 3 letters from 6" system that HSBC and others use. There is an 80% probability that an eavesdropper will acquire the complete password in 3 transactions.

As you say, 2 factor systems are secure unless someone swipes the (physical) second factor.

The point I've made at more length on my blog is that whatever the technology, the bank should take the risk not the customer.
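The post describes the "ask for three positions of a six-character passcode" scheme, and the comment above works out how quickly a keylogger on a shared machine accumulates the whole passcode. The script below is an added example (my own, not HSBC's or any bank's code) that makes that exposure calculation explicit so a defender can evaluate a partial-password scheme for any passcode length and challenge size. It assumes the positions asked for at each login are drawn uniformly at random and independently of earlier logins; the post does not say how a real bank picks them, and a different selection rule (for example never repeating yesterday's positions) gives different figures. Besides "when is the whole passcode exposed", it also answers the question a defender cares about more: how likely is it that the next challenge can be answered purely from positions already recorded, since an eavesdropper does not need the whole passcode to get in once.

```python
"""Exposure of a 'pick k positions out of n' partial-password login under a keylogger.

Added example, not a bank's code. Assumption (not stated on the page): every
login asks for k distinct positions chosen uniformly at random, independently
of earlier logins, and a keylogger records which positions were asked for and
what was typed.
"""
from itertools import combinations, product
from math import comb
import random


def p_full_exposure(n: int, k: int, m: int) -> float:
    """Exact probability that m observed challenges together reveal all n positions.

    Inclusion-exclusion over the set of positions that every challenge missed:
    a fixed set of j positions is absent from one challenge with probability
    C(n-j, k) / C(n, k), and the m challenges are independent.
    """
    total = comb(n, k)
    prob = 0.0
    for j in range(n + 1):
        miss_one = comb(n - j, k) / total  # comb() is 0 when n-j < k, so large j drop out
        prob += (-1) ** j * comb(n, j) * miss_one ** m
    return prob


def p_full_exposure_enum(n: int, k: int, m: int) -> float:
    """Brute-force cross-check: enumerate every sequence of m challenges."""
    challenges = list(combinations(range(n), k))
    covered = sum(1 for seq in product(challenges, repeat=m)
                  if len(set().union(*seq)) == n)
    return covered / len(challenges) ** m


def coverage_distribution(n: int, k: int, m: int) -> list[float]:
    """P(exactly s distinct positions have been observed after m challenges), s = 0..n."""
    total = comb(n, k)
    dist = []
    for s in range(n + 1):
        # P(the observed set is exactly one particular s-subset), by inclusion-exclusion
        # over its t-subsets: P(all m challenges lie inside a t-subset) = (C(t,k)/C(n,k))^m.
        exact = sum((-1) ** (s - t) * comb(s, t) * (comb(t, k) / total) ** m
                    for t in range(s + 1))
        dist.append(comb(n, s) * exact)
    return dist


def p_next_challenge_answerable(n: int, k: int, m: int) -> float:
    """Probability that the login after m observed ones asks only for recorded positions."""
    total = comb(n, k)
    return sum(p * comb(s, k) / total
               for s, p in enumerate(coverage_distribution(n, k, m)))


def logins_needed(n: int, k: int, target: float) -> int:
    """Smallest number of observed logins at which full exposure reaches the target probability."""
    m = 1
    while p_full_exposure(n, k, m) < target:
        m += 1
    return m


def simulate_full_exposure(n: int, k: int, m: int, trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo estimate of p_full_exposure, for a sanity check of the closed form."""
    rng = random.Random(seed)
    positions = list(range(n))
    hits = 0
    for _ in range(trials):
        seen = set()
        for _ in range(m):
            seen.update(rng.sample(positions, k))
        hits += len(seen) == n
    return hits / trials


if __name__ == "__main__":
    # The page's setting: six-character passcode, three positions per login.
    n, k = 6, 3
    print(f"{'logins':>6} {'whole passcode exposed':>24} {'next challenge answerable':>26}")
    for m in range(1, 8):
        print(f"{m:>6} {p_full_exposure(n, k, m):>24.3f} {p_next_challenge_answerable(n, k, m):>26.3f}")
    print("logins needed for 80% full exposure:", logins_needed(n, k, 0.8))
```

Running it prints one row per observed login for the 6-of-3 case, so the two exposure curves can be read side by side; the enumeration and Monte Carlo functions exist only to confirm the closed-form numbers and can be dropped once you trust them. Changing `n` and `k` shows the trade-off the post is worried about: longer passcodes with fewer positions per challenge slow the leak but make every login harder for the customer.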

At 12:06 AM, Blogger Joe Hendren said...

Interesting...thanks for that :)

From memory I believe the numbers HSBC ask for change daily, and that on a successful login it tells you how many failed login attempts (if there have been any) have occurred since you last logged in.

I agree the risk should be taken by the bank, as they are providing a service which claims, implicitly or explicitly, that it is safe for customers to use.

Where anxiety exists, insurance people usually follow! Just as the banks in the UK offer additional card fraud insurance, banks could cream off an insurance premium from customers worried about internet banking fraud. This should be resisted, as it would allow the banks to defer liability in the guise of providing a service.

