PCPro-Computing in the Real World Printed from www.pcpro.co.uk

Analysis

How secure is your bank?

Posted on 9 Apr 2008 at 14:42

Davey Winder discovers that today's high-tech security methods aren't as safe as they may seem.

When it comes to your choice of bank, how much time did you spend investigating the online security measures? With online banking becoming the norm rather than a nerdy extra, security must now play a part in the selection process, but few potential customers realise what the modern risks are.

Knowing the access process employed by a bank and actually understanding its security implications are two different things, which is why we've been talking to industry insiders to find out how secure our leading banks really are and to help you avoid what could be a very costly mistake.

Two-question verification

John Colley is the managing director at (ISC)2, a not-for-profit systems security organisation; he was previously group head of information security at the Royal Bank of Scotland and head of risk services at Barclays. He readily admits there's a lot of truth to the assumption that some banks are willing to accept a certain amount of fraud by sticking to "old" security technology.

"Every bank needs to make a risk decision," Colley told us. "It can be very expensive to change banking front-ends and so a bank will weigh up the investment against fraud losses. The cheapest investment is the so-called 2QV - two-question verification - and many banks still think this is sufficient in terms of account-access security."

The Halifax, for example, asks for your username, password and the answer to one of five preset questions such as "what was your first school", which could easily be gleaned from social-networking sites.

"Single passwords are easily broken, they can be guessed, discovered and then used by hackers or fraudsters to gain access to online bank accounts," Colley adds.

"2QV is statistically fairly secure, but not always applied correctly. For example, many people don't get the two questions right and so the bank moves to ask a third and fourth question. This reduces the security of 2QV."

PINs and screen scrapers

Ken Munro, the managing director at independent penetration testing company SecureTest, regularly puts financial institutions under the microscope. Although fairly happy with the 2QV concept, Munro argues the real problem is users not protecting their data adequately. "Virtually nobody would disclose their cash card PINs when asked, so why do users disclose banking passwords in response to phishing emails?" he asks.

David Harley, part of the research team at security vendor ESET, says phishing's success rate is so high that other means of bypassing security are rarely needed.

"Blackhats won't generally waste a lot of their time trying to get banking access by guessing - they tend to rely on getting the information they need directly from the victim, using social-engineering approaches."

So a fairly simple form of 2QV known as PPP - Partial PIN and Password - as employed by HSBC is pretty secure, assuming the customer doesn't succumb to a phishing attack or disclose their main login code and eight-digit PIN.

However, Colley argues, drop-down alphabet menu systems such as the one used by Lloyds TSB don't offer much more protection against determined keyloggers. "The more factors required in logging in, the higher the security," he told us. "But most modern keyloggers will pick up the fact that you've used a drop-down menu and record the characters you've picked off it."

Munro thinks that an onscreen Java keyboard would be even better because there are no keystrokes to log. "A number of banks, particularly those in the Middle East, appear to use the Java keyboard to great success," he says. "It's still possible to log the position of the mouse on the screen, and work out the character being pressed on the keyboard, but it's much harder."
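As an added illustration (not code from the article, and not any bank's implementation), here is a toy model of the partial-PIN challenge discussed above: the server-side check, and what a keylogger on a compromised PC accumulates across several logins, which is the erosion Colley and Munro describe. The eight-digit PIN follows the article; asking for three positions per login is an assumption.

```python
import random
from typing import Dict, List, Sequence, Tuple

PIN_LENGTH = 8            # the article mentions an eight-digit PIN
DIGITS_PER_CHALLENGE = 3  # assumption: positions asked for at each login


def make_challenge(rng: random.Random, pin_length: int = PIN_LENGTH,
                   k: int = DIGITS_PER_CHALLENGE) -> List[int]:
    """Pick k distinct 1-based PIN positions for this login."""
    return sorted(rng.sample(range(1, pin_length + 1), k))


def verify_partial(secret_pin: str, positions: Sequence[int], supplied: str) -> bool:
    """Server-side check: the typed digits must match the secret at the asked
    positions. All characters are compared (no early exit) so the response time
    does not reveal which position was wrong."""
    if len(supplied) != len(positions):
        return False
    mismatch = 0
    for pos, ch in zip(positions, supplied):
        mismatch |= ord(secret_pin[pos - 1]) ^ ord(ch)
    return mismatch == 0


def recovered_from_logs(observations: Sequence[Tuple[Sequence[int], str]],
                        pin_length: int = PIN_LENGTH) -> str:
    """What a keylogger would hold after watching several logins: each
    (positions asked, digits typed) pair fixes those positions. '?' = unknown."""
    known: Dict[int, str] = {}
    for positions, typed in observations:
        for pos, ch in zip(positions, typed):
            known[pos] = ch
    return "".join(known.get(i, "?") for i in range(1, pin_length + 1))


def logins_until_full_exposure(rng: random.Random, pin_length: int = PIN_LENGTH,
                               k: int = DIGITS_PER_CHALLENGE) -> int:
    """Number of observed logins until every position has been asked at least once."""
    seen: set = set()
    n = 0
    while len(seen) < pin_length:
        seen.update(make_challenge(rng, pin_length, k))
        n += 1
    return n


def average_logins_to_exposure(trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo estimate of how many watched logins leak the whole PIN."""
    rng = random.Random(seed)
    return sum(logins_until_full_exposure(rng) for _ in range(trials)) / trials
```

The point for a defender is that a partial-secret scheme limits what one captured session reveals, not what a persistent keylogger collects over weeks; that is why the on-screen keyboard and malware hygiene matter as much as the challenge format.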
