Cyber criminals are the new bank robbers – and online raids are increasing, as Liz Phillips reports
With financial transactions increasingly moving into the virtual world, it’s vital that the technology used is secure.
Banks are shutting branches in small, unprofitable areas, removing counter service in others and encouraging customers to transact online or over their mobile devices whenever possible.
Even cheques are going paperless and moving online. Rather than having to go to the bank to pay in a cheque, from next year you’ll be able to take a picture of your cheque on your smartphone and send it to your bank.
Cheques, those bastions of paper payments, are not dead yet. Last year they still accounted for 10 per cent of all payments by individuals, although consumer spending online has increased by 495 per cent over the past ten years, according to the UK’s Payments Council.
With such spectacular growth, it’s no wonder cyber security is becoming the main concern for financial services in 2014: they are the target of 47 per cent of phishing attacks, netting cyber criminals £7 billion a year worldwide, security vendor Check Point warns.
Its managing director Keith Bird cites one of the cleverest mobile attacks, Eurograbber, as an example. In autumn 2012, the virus stole £30 million from more than 30,000 customers of 30 banks in Italy, Spain, Germany and the Netherlands by bypassing the SMS-based security account authentication used by banks for mobile and online bank customers.
The fraudsters were able to trick customers into downloading a virus on to their PCs and mobiles, which allowed the attackers to intercept the authorisation codes. It allowed the crooks to make transactions themselves over a period of months before being discovered by Check Point.
There’s also the problem of users knowing whether they are accessing the correct website. In what is known as a “man in the middle” attack, the connection to the bank is intercepted by the cyber criminal after the user has authenticated.
One way to prevent this, according to Colin Tankard, managing director of Digital Pathways, specialists in design and management of security systems, is two-factor authentication to re-validate transactions as well as software, such as Rapport, which checks if the website is correct.
The trouble with multi-layered security, such as a password or a PIN plus a token, is that it needs to operate in a hassle-free way for the user. If it’s too complicated or tiresome, the customer won’t use it.
Research by Intelligent Environments, which provides digital banking software, found that almost a quarter of consumers are frustrated by the need to use a card reader.
“Similarly, while complex 12-digit passwords can help improve security,” explains Intelligent Environments’ Clayton Locke, “they can also undermine it. One in four consumers admits writing down their password as they simply cannot remember it, while a further quarter uses the same password for all online activity.”
Biometrics like the fingerprint scanner on the new iPhone 5S or retina scanners for tablets and wearable technology, such as Google glasses, solve this problem.
But no matter how fancy the technology becomes, the consumer will always be the weak link. Leaving mobiles or tablets lying around, with little or no protection, makes them easy targets for criminals, as does using untrusted public wi-fi networks for financial transactions, which can be easily intercepted.
Clicking on links in e-mails, no matter how authentic they look, and downloading apps to mobile phones from cyber criminals are tricks that are all too easy for unwary victims to fall for.
There are now 150,000 examples of malware and 104,427 of these were found in 2013 alone, according to identity assurance firm HID Global. And new Trojans are being rapidly developed all the time.
If the device’s security is not kept up to date, Trojans plant malicious scripts on vulnerable web pages, which capture usernames and passwords as they are typed in.
A survey by security software company Kaspersky last summer found that 30 per cent of users do not feel safe making e-payments on smartphones or tablets, 33 per cent never use a mobile device for online transactions, and 28 per cent of smartphone and tablet owners aren’t comfortable using them for online banking.
However, 22 per cent of tablet users and 27 per cent of those with a smartphone are unconcerned about entering financial information on their gadgets.
Despite the fact that some consumers may be too casual with their online finances, regulators are all too keenly aware that they need to ensure financial institutions themselves try to keep ahead of the fraudsters.
There are new European Union regulations in the pipeline focusing on improving customer authentication, to bring in multi-layered controls, as well as improving consumer education and awareness of the dangers.
“The regulators are also keen that organisations understand the risks they face when providing online and mobile payment services,” says Alex Petsopoulos, who leads financial services cyber security for Deloitte.
“At the moment, mobile banking and payment services are very limited in functionality, so there is little incentive for fraudsters to attack them, but as these services develop, is security keeping up?”
In the UK, the government’s Financial Policy Committee has said that, by the end of the first quarter of this year, banks and infrastructure providers must ensure there’s a plan to deliver a high level of protection against cyber attacks.
Last month, David Willetts, minister for science and universities, launched a new guide for the corporate finance sector outlining practical steps for businesses to manage cyber security.
The impact on the bottom line for major UK businesses is huge. Deloitte estimates it costs them each an average of £2.1 million a year.
In addition, security breaches can drive away consumers who have had a bad experience. There are also costs involved in handling a large-scale failure, including compensation for any losses, increased demand on customer service staff, and the need for crisis management and public relations to limit damage to brand reputation.