Analysis

How secure is your bank?

Posted on 9 Apr 2008 at 14:42

Token security measures

Even the seemingly uber-secure random-number-generating hardware tokens that create a new six-digit access code every 30 seconds aren't entirely secure.

Stephen Howes, the CEO of ID authentication developers GrIDsure, warns that if a token is used inadvertently at a phishing site then the cybercriminal has a window of opportunity in which to use that captured code and access the account. "An automated system will only need milliseconds to do this and so a one-minute token gives the fraudster plenty of time to conduct a man-in-the-middle attack," Howes says.

The common perception that losing a token is like handing over the keys to your account is wrong - the account is still protected by a user-determined PIN. But, as Munro points out, of greater concern is the fact that banks have emblazoned their logos on the tokens. "If one is stolen, the thief immediately knows which online bank to target," he explains.

Losing a token can also create huge inconvenience for bank customers. "The revocation process is a nightmare. We had a token fail on us recently, and the offshore call centre reset our entire account, instead of just reissuing a token. We were unable to process any transactions for a week," says Munro.

When it comes to the Barclays PINsentry chip and PIN system, which requires customers to enter their bank card and tap in their PIN before spitting out a random number, Howes remains unconvinced.

"All these devices are the same and not personalised to you. Banks will tell you that a big benefit is the fact that you can borrow the device from someone else, should you forget yours.

"So how long will it take for someone to tamper with one of these and use them to capture your PIN?

"If you use the device for any length of time and enter the same PIN, how long before it becomes noticeable that some buttons are beginning to wear or are becoming dirty quicker than others?"

Men in the middle

No matter what security measures a bank implements, experts say there'll always be one vulnerability: the internet itself. "All are flawed because they rely on a shared secret, which is then passed over an insecure internet," says Garry Sidaway, the principal consultant for multi-factor authentication specialists TriCipher. "All the hacker does is sit in the middle of the connection between the bank and the user and pass on the shared secret, then grab the user's private information. These are the man-in-the-middle attacks that have hit Bank of America and Nordica.

"We are also seeing man-in-the-browser attacks where the hacker is changing information between the user and the bank on the fly, so 'what you see is what you get' can be broken."

Industry groups say banks adapt their security methods constantly. "Each bank will have designed its fraud-prevention solutions to tackle the types of fraud that it and its customers are experiencing," says Mark Bowerman, from the association for the payments industry, APACS.

"It's probable that different banks face different types of fraud threat to varying degrees and, therefore, they would need to implement relevant solutions accordingly. As it stands, there's no one-size-fits-all approach. However, no bank has only a single line of defence in all this and there will be some form of 'back-end security' in place. These are not transparent to the customer or the fraudster, but will play their part in preventing fraud."

There's no doubt banks are taking online security more seriously, but despite the strides being taken towards better authentication, these measures mean nothing if cybercriminals can bypass them with keyloggers or social engineering.

PCPro-Computing in the Real World Printed from www.pcpro.co.uk