The Sunday Star Times report that a hacker accessed internet banking accounts by using keystroke spyware installed at an internet cafe.
While I do not doubt there are security issues with internet banking, I suspect a great deal of the anxiety is due to internet banking being an unfamiliar technology.
I do not believe that people, even those who are particularly security conscious, choose to use a form of payment on the basis of a rational assessment of the risks. I came to this conclusion while working behind a checkout counter during my student years. Many customers, especially those of the older generations, preferred writing cheques to using EFTPOS, and some even claimed that cheques were more secure. From witnessing over 100 transactions in a week it was obvious to me that EFTPOS was far more secure. Faking a signature on a cheque is relatively easy with preparation, especially if the forger can sign the cheque in front of the teller with apparent confidence.
I do not think the two-part identification adopted by ASB and BankDirect is a great improvement in security. With this system a customer is sent a text message containing a specific second password to enter before money can be transferred. IMHO this just creates a greater incentive for people to take off with my cellphone. If they have taken the time to keylog my other password - nicking the cellphone is a cinch. Especially in an internet cafe, where spodders have their attention elsewhere (note I am not a thief, but a victim of this in London).
Whether it be conducted by cheque, EFTPOS, or handing over wads of cash, no method of banking is ever going to be 100% secure. It's always going to be a tradeoff between greater security and usability. If internet banking is twisted up in security knots, people will stop using it, especially those who are less confident with computers.
For a few months my bank insisted that I change my password for access to internet banking every month. I was unable to recycle a set of passwords, so I constantly had to think of new ones. This immediately struck me as being counterproductive, as it increased the chances that people would write their passwords down. To make matters worse, I happened to be overseas one time when my password expired, and the only way I could regain access was to ring the bank in New Zealand. Suffice to say I did not bother making a toll call from Europe, but it was highly inconvenient as it left me with no way of knowing how much money I had in my account before it was spent on German beer (yummy!) etc.
On the couple of occasions I was a victim of card fraud while in the UK, the ability to access a live statement of my account by internet banking allowed me to catch and identify the fraud within hours. IMHO it would be terrifying to find loads of fraud on the statement at the end of the month!
I personally like the system adopted by HSBC in the UK, whereby your pass number stays the same, but you are asked for three different letters of the passcode each day. For example, if your password was 123456, on one day the system may ask you for the 3rd letter of your passcode (3), the 1st letter of your passcode (1) and the 6th letter of your passcode (6). While not entirely foolproof against keylogging (nothing is), a significant advantage of HSBC's system is that the full password is never revealed.
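To make the trade-off concrete, here is an added example (my own toy model, not HSBC's code or anything described by the Sunday Star Times) of how a server might run such a positional challenge: it picks three distinct positions, checks only those characters, and discards the challenge after one use so a captured answer cannot be replayed. It also includes a small simulation of the caveat above: a keylogger sees three positions per login, so across repeated logins on the same infected machine the whole passcode is gradually exposed. Class and function names are my own, and the passcode is kept in clear only to keep the example short; a real deployment cannot store a plain one-way hash (it must answer questions about individual characters), so the secret would be held encrypted, typically under an HSM.

```python
import hmac
import random
import secrets
from typing import Dict, List, Optional, Sequence, Set

POSITIONS_PER_CHALLENGE = 3


class PartialPasswordVerifier:
    """Server-side model of a positional partial-password check (constructed example).

    Because the check is per character, the passcode must be recoverable character by
    character; it is stored in clear here purely for brevity.
    """

    def __init__(self, passcode: str, rng: Optional[random.Random] = None) -> None:
        if len(passcode) < POSITIONS_PER_CHALLENGE:
            raise ValueError("passcode too short for a positional challenge")
        self._passcode = passcode
        self._rng = rng or secrets.SystemRandom()
        # session id -> challenged positions (1-based, as the bank would phrase them)
        self._pending: Dict[str, List[int]] = {}

    def new_challenge(self, session_id: str) -> List[int]:
        """Pick three distinct positions; the full passcode is never requested at once."""
        positions = sorted(
            self._rng.sample(range(1, len(self._passcode) + 1), POSITIONS_PER_CHALLENGE)
        )
        self._pending[session_id] = positions
        return positions

    def verify(self, session_id: str, answer: str) -> bool:
        """Check the answer against the pending challenge; the challenge is single use."""
        positions = self._pending.pop(session_id, None)  # consumed even on failure
        if positions is None or len(answer) != len(positions):
            return False
        expected = "".join(self._passcode[p - 1] for p in positions)
        # Constant-time comparison so timing does not leak which character mismatched.
        return hmac.compare_digest(expected.encode(), answer.encode())


def positions_exposed(challenges: Sequence[Sequence[int]]) -> Set[int]:
    """Union of positions a keylogger on the client would have observed across logins."""
    exposed: Set[int] = set()
    for challenge in challenges:
        exposed.update(challenge)
    return exposed


def logins_until_full_exposure(
    passcode_len: int, rng: Optional[random.Random] = None, trials: int = 2000
) -> float:
    """Average number of observed logins before every position has been challenged.

    This is a coupon-collector process and quantifies the 'not entirely foolproof'
    caveat: the scheme limits exposure per login, it does not eliminate it.
    """
    rng = rng or secrets.SystemRandom()
    total = 0
    for _ in range(trials):
        seen: Set[int] = set()
        logins = 0
        while len(seen) < passcode_len:
            seen.update(rng.sample(range(1, passcode_len + 1), POSITIONS_PER_CHALLENGE))
            logins += 1
        total += logins
    return total / trials


if __name__ == "__main__":
    passcode = "123456"  # constructed sample passcode from the text
    verifier = PartialPasswordVerifier(passcode)
    asked = verifier.new_challenge("session-1")
    print("positions asked:", asked)
    typed = "".join(passcode[p - 1] for p in asked)  # what the customer would type
    print("verified:", verifier.verify("session-1", typed))
    print("replay accepted:", verifier.verify("session-1", typed))
    print("avg logins to expose all 6 positions:", logins_until_full_exposure(6))
```

The simulation is the useful part for a risk assessment: for a six-character passcode with three positions per login, the average sits at only a handful of logins, which is why the scheme is best read as limiting the damage of a single compromised session rather than as protection against a persistently infected machine.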
Perhaps restricting access to internet banking to a certain range of IP addresses could cut down the chances of fraud, especially as it would minimise the chances of overseas-based crims accessing NZ internet banking accounts. If you were going overseas you could tell your bank to remove this restriction (like global roaming on cellphones), perhaps replacing it with an alternative type of verification for the time you were overseas.
Ultimately, the best solution may be an additional piece of hardware, such as a thumbprint reader or card swipe and PIN. But I bet Bonnie and Clyde already know how to make the heist on that one.
Labels: banks, internet