Category: Financial

SiteKey’s image and text checks let people know they are on an authentic Bank of America Web site and also verify the identity of the customer, the company said Wednesday. The features will be introduced first in Tennessee next month.

They will then be expanded state-by-state to become available nationwide by year’s end, said Sanjay Gupta, an electronic commerce executive at Bank of America. Use of SiteKey will be optional at first, but will be required once the introduction is complete, Gupta said. “We wanted to not only protect our customers, but give them a way to feel very safe that when they come to BankofAmerica.com that it really is BankofAmerica.com,” he said.

The features are designed to combat phishing, spoofing and spyware–three common types of online attacks that are often used together. Phishing scams, which attempt to steal sensitive information such as user names and passwords, typically use fake Web pages “spoofed” to look like legitimate sites belonging to trusted providers. Spyware is malicious software that gets surreptitiously installed on a PC and spies on the user’s actions.

In April, Bank of America’s account holders were the target of a phishing attempt, according to an example documented by the Anti-Phishing Working Group. Gupta said the financial institution has 13.2 million online customers, the most of any U.S. bank.

When people register for SiteKey, they pick an image from a list and type in their own phrase to be associated with their account. When they enter their login name and hit the SiteKey button on the Bank of America site, that same image and phrase are displayed in response, Gupta said. This verifies that the user is in fact on the real Bank of America Web site, he said.

In another feature, SiteKey links the customer’s PC to the online banking service. If the service is later accessed from a different computer, the account holder is prompted to answer one of three previously selected challenge questions. This should prevent abuse of an account even if attackers obtain the correct login credentials, Gupta said. Additional PCs, such as an office computer, can be linked to the bank’s Web site so a customer doesn’t have to keep answering challenge questions.

The technology for SiteKey is supplied by PassMark Security of Redwood City, Calif., Bank of America said. The SiteKey features are valuable in helping maintain the confidence of consumers as they do online banking, said James Van Dyke of Javelin Strategy & Research, which publishes an annual report on identity fraud. “This is definitely unique among large institutions,” he said. “Consumers want increased mechanisms to ensuring safety.”

Smaller organizations, in particular the Stanford Federal Credit Union, have preceded Bank of America in adopting more advanced security features, he said.

http://news.zdnet.com/2100-1009_22-5722035.html?part=rss&tag=feed&subj=zdnet

The new directive is designed to combat the alarming rise in online fraud that has developed out of identity theft and phishing, while also improving customer confidence in Internet banking tools.

The system would include a device that reads a payment card and accepts a PIN entry from the cardholder. This is then followed by the generation by the device of a unique security number to be imputed into the website system of the goods’ seller.

Banks are expected to agree on the new technology in May, with roll out to be undertaken over the next 12 months.

http://www.datamonitor.com/~464a534ca19940dfbfac9f95422efbc6~/industries/news/article/?pid=3EBB8311-179A-40CB-8543-DA15A0C07570&type=NewsWire

“In the past, online banking was all about who had the best features and functions,” says Mike Weider, founder and CTO at risk-management solutions company Watchfire Inc. “Now, issues of trust, privacy, and security are more and more a differentiator between the leaders and the laggards.”

According to the 2005 Privacy Trust Survey for Online Banking, customers with a high degree of trust in their bank are more likely to use online financial services, which generate more profit for banks than offline transactions. The study, sponsored by Watchfire and conducted by the Ponemon Institute, a management-practices research organization, also finds that trusting customers are loyal, with 55% claiming they’ve never visited another bank’s Web site. The price of that loyalty is an expectation of privacy.

Among those with a high level of trust in their bank, 57% indicated that they would stop using online services in the event of a single privacy breach. More than 82% of respondents cited identity theft as their biggest concern should a privacy breach occur.

“Having a privacy problem will have a catastrophic effect,” Weider says. “Not only will you lose a lot of customers, but they’ll be your best customers.”

Asked what steps banks should take to earn customer trust, survey respondents wanted information sharing with third parties to be limited, fewer marketing pitches, and identity verification when conducting online transactions.

http://www.informationweek.com/story/showArticle.jhtml?articleID=160500671

That means, according to Forrester, banks can’t rely solely on governments or ISPs (Internet service providers) to make the Internet a safe place to do business but must deploy or strengthen two-factor authentication — such as PIN (personal identification number) and TAN (transaction authorization number) — and educate Net users about security precautions, such as firewalls.

European consumers are losing trust in the Internet as a channel for doing business as computer attacks on them and the companies they do business with mount, according to Forrester. Just 30 percent of the 22,907 Europeans polled by Forrester said they are confident of the security of personal financial information, such as credit and debit card numbers, when used to make transactions online.

http://security.itworld.com/4337/050330bankingsecurity/page_1.html

According to reports in the British media from the BBC and the Financial Times, among others, the scheme was set to steal 220 million pounds ($423 million) from the London offices of the Japanese bank Sumitomo Mitsui.

The National Hi-Tech Crime Unit (NHTCU), the country’s cyber-cops, began investigating last October after the bank discovered that hackers had infiltrated its network and were using a keylogger to capture keystrokes.

Keyloggers, a type of spyware, are used by hackers and increasingly, by phishers, to snatch users account information — such as log-in names and passwords — and grab other lucrative data, including credit card numbers.

Police arrested an Israeli man, identified as Yeron Bolondi, 32, in Israel after an attempt was made to transfer 13.9 million pounds ($26.8 million) into an account there.

If it had been successful, the robbery would have dwarfed Britain’s previous record, the armed theft of £26 million ($50 million) from Belfast’s Northern Bank in December, a crime thought to have been conducted by the IRA.

“From what we know from our SpyAudit data, there’s a good chance this wasn’t even a planned attack,” said Richard Stiennon, the vice president of threat research for Boulder, Colo.-based anti-spyware vendor Webroot.

According to Webroot’s SpyAudit, a for-free spyware auditing tool it makes available on its own site as well as to EarthLink subscribers, 15 percent of enterprise PCs tested have a keylogger already installed.

“It reminds me of how Microsoft was hacked back in 2004, when a Microsoft developer’s home computer lead the hackers into Microsoft. It all comes back to this ongoing trend of more and more malicious code being developed with keyloggers,” said Gregg Mastora, a senior security analyst with Sophos.

http://www.techweb.com/wire/security/159901593

Thanks to home PCs, the Web and broadband, banks have been given the chance to revolutionise their business model. Rather than employ an army of well turned-out staff in branch offices across the land, banks now encourage their customers to visit them online.

Online transactions cost a tiny fraction of those conducted over a counter, or even on the telephone, and have undoubtedly helped raise profits. But the smell of the money has attracted a new generation of criminals in the shape of phishers who try to trick the unwary into handing over their personal details, or fool them with fake sites. This technique, called pharming, is particularly devious because users don’t even need to click on an email link to get to the fraudulent site.

Savvy users already know that clicking on a URL in an email does not necessarily take them where they think they are going. But most people have a comfortable level of trust in the fact that if they type a URL in themselves, they know where they will end up.

The solution is for the banks — and major e-commerce sites too — to stop relying just on passwords. No longer is it enough for banks to verify their users online; they need to start now providing a mechanism by which users can verify the banks online.

In the UK, Citibank is tackling keystroke loggers by making users use an onscreen keyboard, but it still does not prove to a user that what lies behind that onscreen keyboard really is Citibank.

Latest figures show that online fraud cost the UK banking sector £12m last year — which should concentrate a few minds.

http://comment.zdnet.co.uk/0,39020505,39190646,00.htm