By now you’ve probably dealt with the repercussions from the June 14 MSNBC report by Bob Sullivan entitled, Survey: 2 million bank accounts robbed, followed by the subhead, Criminals taking advantage of online banking, Gartner says. A consumer (or senior banking manager) reading the article would likely come away believing that two million U.S. consumers lost money from their checking accounts due to online banking. ¹

In fact, here is what Gartner actually said in
its report²:

Illegal access to checking accounts is the fastest-growing type of consumer fraud, and may be proliferating through online channels. (emphasis mine)

The report goes on to say that most consumers do not know how their checking accounts were robbed: Only 17% believed their info was stolen off the Internet; another 10% reported wallets stolen; and only 5% recalled giving up personal info to phishers.

Gartner also said that 70% of the online consumers reporting losses also report that they banked or paid bills online, “which exposes their (codes) to the Internet.” However, what Gartner failed to point out was nearly 70% of online consumers that weren’t robbed also bank or pay bills online, so it’s a meaningless correlation.

Finally, consider the research methodology. It looks staggering in the headlines to say that two million people were robbed. But my back-of-the-envelope calculations indicate this huge number was extrapolated from fewer than 75 respondents reporting a recent unauthorized checking account withdrawal (from Gartner’s survey of 5,000 online adults). Some fairly large errors can occur generalizing a small sample size to the entire population. I’m not saying it’s wrong, but one should be wary.

As bad as the MSNBC article looks for the online banking industry, the NBC Nightly News with Tom Brokaw got even more carried away. They took an even bigger number, 4.5 million, which Gartner said is the number of people who have ever had an unauthorized checking account withdrawal, and mistakenly said that all those people were robbed via online banking. Here’s MSNBC’s synopsis of the TV feature posted online next to the Sullivan article (see inset):

An estimated 4.5 million Americans have had money stolen from their Internet bank accounts. NBC’s Bob Hager reports.

This is a great example of what happens when a respectable piece of research is taken out of context. It begins to have a life of its own as other news media echo the original broadcast.

While many subsequent news articles echoed the conclusions of the original MSNBC piece, some dug deeper. For example, NBC affiliate WEEK-TV quoted Peoples Bank (Bloomington/Normal, IL) CEO Ed Vogelsinger as saying that despite having 20% of their base using online banking, so far no one has reported any Internet banking fraud. Way to go, Ed.

We urge our readers to take appropriate steps through their PR channels to set the record straight. At a minimum, be prepared to rebut the MSNBC numbers if approached by the media, and feel free to send any reporter our way to corroborate your position.

Contact: Jim Bruene, Editor, Online Banking Report, 206-517-5021 or email jim@onlinebankingreport.com .

¹ Reference: < http://www.msnbc.msn.com/ /id/5184077/>

² Banks Must Act Urgently to Stop Account Hijackers, by Avivah Litan, Gartner, June 14, 2004

New Zealand

Westpac
 http://www.westpactrust.co.nz/

United Kingdom

 HSBC

 http://www.hsbc.co.uk/  

Lloyds TSB

 http://www.lloydstsb.co.uk/

All three banks on this page have overdone their
homepage education efforts, especially Nationwide.

Intellegent Finance/Halifax PLC

 http://www.if.com/

Nationwide

 http://www.nationwide.co.uk/

NatWest

 http://www.natwest.com/

NatWest has been hit hard, even taking the
unprecedented step of briefly shutting down online
banking during a Dec. 10 phishing attack.

 Co-operative Bank

 http://www.co-operativebank.co.uk/

Royal Bank of Scotland

 http://www.rbs.co.uk/

First Direct (existing customer homepage)

 http://www.firstdirect.com/

Like Citibank.com, First Direct includes a small
homepage link.

 Smile  http://www.smile.co.uk/

 Smile’s news item about email fraud is an
homepage response to the problem.

United States

 Citibank

 http://www.citibank.com/

Citibank’s anti-phishing education efforts are
the best we’ve seen.

Chase

http://www.chase.com/

Chase was the onlybank with two warnings
on its home page.

Chase recently posted a 14-page PDF document entitled “Chase Identity Theft Kit” which includes tips for prevention as well as detailed instructions and worksheets for victims. Any bank could use FTC resources to develop a similar kit at a minimal cost
(a great college intern holiday project), refer to the FTC’s 37-page booklet “When Bad Things Happen to Your Good Name”,  www.ftc.gov/bcp/conline/pubs/credit/idtheft.pdf  

FleetBoston

 http://www.fleetboston.com/

US Bank

 http://www.usbank.com/

 U.S. Bank posts its fraud warning only on its online banking login page. It’s good placement, but it’s not likely to be seen by many users. The bank should also send the warning to online banking customers via email.

In part 1 we concluded that the combination of fraudulent emails, spoofed websites, and identity theft is perhaps the biggest assault on online banking since its invention. This is much worse than previous bouts of bad publicity, such as the dotcom bubble, which served to strengthen the bond traditional financial institutions had with their customers.

This crime wave threatens to undermine customer trust in the new medium just when it was starting to become ubiquitous in many countries. Email spoofs won’t stop customers from logging into your website to check their statement (in fact, it may give them an incentive to do so more often), but it will make users more leery of anything new you try to do, especially when marketed via email.

We think the media attention to the problem is just beginning. In 2004, we expect a mini-backlash against online finance, as customers become frustrated with the perceived lack of security of all things financial. It will blow over in 12 to 18 months as financial institutions do a much better job equipping users with security tools to monitor their own accounts  and as digital signatures or similar email authentication schemes catch on .

Banks need to accelerate consumer understanding and acceptance of online risk with an extensive education plan delivered via website and email. We’ll outline what we think needs to happen over the following two pages.

The latest fake email targeting Citi customers uses
the old contest-winner scam (posted 12/4/03).

Anti-Phishing Plan

 

1.       Personalize all email messages with the user’s first and last name, effectively differentiating it from most SPAM, especially the fraudulent ones.

2.       Send copies of all emails to the user’s secure online banking mailbox (if applicable), so they can verify
the authenticity of bank messages received over the Internet.

3.       Create a form for users to report suspicious emails, spam, and any other online abuse; consider providing an incentive, such as yourbank fraud fighter shirts to the first person that reports each email hoax.

4.       Post an email address for forwarding suspect emails, use autoreply to confirm all submissions, and lay out the next steps the bank will take to minimize damage.

5.       Post a special fraud/lost password hotline telephone number (if possible, different from your regular customer service number).

6.       Post FAQs covering:
* What to do if you receive a suspicious email
* What to do if you’ve inadvertently provided
   personal information to a fraudulent site
* How to report lost or stolen cards, checks,
   laptops, or password/userids
* Links to third-party resources

7.       Post copies of known frauds including the email message and screenshots of any popup windows.

8.       Develop a Security icon for your website that points to the security education area.

9.       Each time a new user signs up for online banking or opt-in email marketing, reply with an anti-phishing message detailing exactly what is and is not sent via email.

10.    Send this same message to all users at least once
per year, more often if you are being targeted by email scammers.

11.    Have a “Know the URL” contest . Users enter the URL in the box to enter the contest.

12.    Sponsor an annual “fraud-fighting” week where you enlist the branches and media to educate against all types of fraud, on and off-line, for example, in South Africa, First National Bank’s recent Card Security Week.

13.    Use full-screen educational messages at login .

14.    Help customers put a permanent button or toolbar in their browser that links to your website .

Copyright 2003 Online Banking Report (ISSN 1095-2829) is published monthly by Financial Insite, Inc., 4739 University Way NE, Suite 1002, Seattle, WA 98105, USA. Phone: +1(206) 517-5021, Fax: +1(206) 524-0351, Email: info@onlinebankingreport.com, Web: onlinebankingreport.com. Subscriptions: US$795 per year worldwide, includes paper and electronic editions. Editor & Founder: Jim Bruene, jim@onlinebankingreport.com; Business Manager: Anita Schultz; anita@onlinebankingreport.com; Sr. Analyst: Margaret Quinn, mq@onlinebankingreport.com; Circulation: Kate Schultz, kate@onlinebankingreport.com; Webmaster: Kelsey Marshall, kelsey@gagedesign.com; Web Database: Claire Powers; Copy Editor: Jennifer Russell; Editorial Board: Bruce Bruene, The Principal Financial Group; Vera Wildauer, Cascade Bancorp. Warning!! Federal copyright law prohibits copying this report. Contact the editor for reprints or electronic rights.

PayPal has long-used this effective technique to communicate important information. After login, users are served a one-time splash screen. This screen, which was displayed after our Dec. 8 login, dealt with phishing.

Recommended Website Approachh

We firmly believe the place to deal with specific security incidents is not on the homepage, but within a defined Security Center reachable through a dedicated link and/or icon located on every page. While we applaud the unprecedented efforts to educate users about phishing threats, prominent homepage warnings go too far . It’s like draping a 12-foot banner across your brick and mortar branch that says, “Be careful, you may be robbed.”

A better approach is to develop a robust Security Area to promote general customer and employee education as well as detailing specific frauds warnings. Citibank has by far the best anti-phishing section we’ve seen .

Even more important, because general website content is not often viewed by online banking customers, are security warnings sent via email and posted in your online banking area (see PayPal above). If you feel you must call attention to the problem on your homepage, use restraint. Citibank recently added an About email fraud link in the lower right navigation area. This strikes us as an appropriate level of emphasis; although Citibank used an in-your-face banner several months ago when the first wave of fake emails hit .          

Generic Visa card phishing attempt circulate Dec. 5 aimed at anyone in the world with a Visa card. Clicking on the link takes you to a spoofed website (source: http://www.anti-phishing.org//).

Sample Educational Email:
Email Safety Tips

Audience: New users of online banking and/or anyone opting in to email messages or statements

From:                 Yourbank Customer Service
To:      Pat Q. Customer

Subject: Email Safety Tips

Thanks for signing up for _______. It’s important for you to be able to recognize an authentic email from Yourbank. Recently, a number of banks have reported crooks sending fake emails that look like they are from the user’s actual bank. These fake emails try to get recipients to reveal usernames/passwords, ATM card number/PIN, or credit card number/expiration date, and so on. Sometimes the emails instruct the recipient to enter the information into the body of the email, while others use popups and fake websites to collect the info.

Although Yourbank customers have not yet been targeted by this scam, you should be on the lookout for fake emails. Here are five rules for safe email banking:

1. All messages from us will be personalized with your first and last name in the body of the message.

2. Never reveal any personal information such as username and password in response to an email request, even if it looks like it’s from us. We will
NEVER ask for personal information via email.

4. When completing any online form, make sure the URL has an https:// in front of it, e.g., our login page is <;https://secure.yourbank.com>. You will also see a locked padlock in the lower portion of the browser window.

5. A copy of each message sent to you over the Internet will be sent to your secure bank inbox, so you can always check there to verify the authenticity of an email from us.

If you receive a suspicious message, please forward it to us at security@yourbank.com. If you believe you may have inadvertently given your password to an unauthorized party, notify us immediately via telephone so we can reset your password and monitor your account for suspicious activity.

Please let us know if you have any questions and thanks for banking with Yourbank.

Regards,

 

Kim Strong
VP Online Customer Service
(888) 255-5515

Sample Educational Email:
Know-the-URL Contest

Audience: All website users

From:                 Yourbank Customer Service
To:      Pat Q. Customer

Subject: Win a Portable DVD player by knowing
              Yourbank’s Web address

To safeguard against imposters posting fake websites, called “spoofing,” it’s important for you to recognize the genuine Web address of your bank:

www.yourbank.com

Sometimes, we may substitute a different “name” for the “www” portion, or we may add a filename after the “.com,” for example::

secure.yourbank.com
www2.yourbank.com
www.yourbank.com/apply.htm

But yourbank.com will always be part of the Web address, also referred to as URL.

We will be calling and emailing online banking customers at random asking them to name the
Web address of Yourbank. To win, all you have
to do is reply:

www.yourbank.com

For a complete list of prizes and contest rules, please follow this link:

www.yourbank.com/know_the_URL.htm

Please let us know if you have any questions. Thanks for banking with yourbank.

Regards,

Kim Strong
VP Online Customer Service
(888) 255-5515

Definition:

IP geolocation: n. The geographic place of the end-user, derived from its Internet Protocol (IP) number which is  communicated to the Web site during a browsing session

The anonymity of the Internet is a mixed blessing for financial institutions. On the one hand, many of your best prospects find it more convenient to submit a loan or product application from the comfort and privacy of their own PC. Unfortunately, crooks all over the world find it equally convenient to submit fraudulent applications from the comfort of their local Internet café terminal. 

But unlike thornier fraud problems such as kids accessing their parent’s accounts without permission, fraudulent applications submitted from outside your geographic footprint can virtually be eliminated by a relatively inexpensive IP address-location tools offered by Quova and others.

For a mid-five figure investment, banks can use Quova’s so-called geolocation service inhouse or on a service bureau basis. With a fairly precise level of accuracy, Quova can identify the city and/or country housing the server your customer is using for their browsing session. According to audited numbers, Quova can identity the country of origin with 99% accuracy and coverage of 99% of the world. On a city level, the company can identify the city of origin with 94% accuracy across 94% of the world. And after the system went into production, accuracy would increase as it learned the legitimate IP addresses used by your customers.

www.digitalenvoy.net/security_fraud.shtml.

The service has applications in fraud prevention, marketing, and regulatory compliance:

1.       Inexpensive screening for out-of-area loan applications: Loan applications showing a mailing address in a city/state/country other than what’s listed on the application can be kicked out as fraudulent. In many cases, especially for applications originating outside your country, this early warning system could allow you to deny the application before incurring any costly application processing expenses, such as credit bureau checks.

2.       Early warning system for identity theft:
It could also be incorporated into your underwriting to help identify trickier identity theft applications where the crook may have all the necessary information, but is submitting the application from a suspicious location, for example, a city in the correct country but other than what’s listed on the application. In these cases, a call to the victim would quickly identify the problem, potentially avoiding costly fraud exposure.

3.       User-controlled login safeguard: The virtual equivalent of checking your picture ID at the point of sale, geolocation screening at login could eliminate anyone from logging in from an out-of-area IP address. Strictly applied, this would eliminate one of the benefits of online banking, the ability to access your account from any place at any time. So a more desirable implementation would be to let the customer choose whether or not to participate in the location screening, opting in or out depending on travel schedules. Even better, out-of-area customers could log in after correctly answering an additional challenge question.

4.       Monetary transaction safeguard: Geographic screening could be used in lieu of an additional password in front of bill payments and funds transfers out of your bank. As long as the geographic location of the bill-payment request matched the customer’s location, it would be approved; otherwise, the customer would have to answer challenge questions or input another password to get the transaction through.

5.       Transaction tracking: Even if you don’t immediately use IP location as a login- or application-screening tool, you might still be able to justify it as a tracking mechanism for disputes. For example, if a customer said they did not authorize an electronic transaction, you would have an electronic receipt showing the IP address of the originating request. If it matched the customer’s location, it would be more difficult for them to repudiate the transaction.

6.       Automatically present state- or city-specific pricing/programs: Many banks have different products, pricing, and services depending on where the end-user resides. This can lead to confusion and dissatisfaction if, for example, a customer in Pennsylvania finds out they could get a better deal if they lived in New Jersey. Even though you may ask customers to enter their zip code to get the “correct” Web pages, there’s nothing to keep curious customers from trying other zip codes to search for a better deal. You can avoid these problems by automatically serving the appropriate pages based on the geolocation of the user’s IP address.

7.       Automatically present state- or city-specific content/offers: Even if your pricing is the same across all cities/states, you can improve your Web site by delivering geographically targeted content automatically. For example, temperature and weather forecasts could be automatically presented based on the location of the customer’s login. Or, if you are running a promotion in a single city, only users logging in from that city will see the information.

8.       Customers from different states or countries often need to be treated differently due to the regulations of their home state/country. Geolocation services can be used to ensure that you follow all the proper rules and regulations.  

You can see geolocation in action at GeoBytes.
The system identifies visitor locations, including yours, in real-time.

www.geobytes.com/WhoIsOnNow.htm?WhoIsOnNow&buttonid=27358

Table 1

Geolocation Service Providers

Source: Online Banking Report, 3/03

On the Internet however, within a matter of minutes I can create a fake virtual branch running on a server with a slight variation of a bank’s .com domain name (see steps on previous page). Upon arrival, unsuspecting users would be presented with an exact replica of your Web site and/or login screen. Why wouldn’t a user type in their username and password?

When a user attempts to log in using their valid username and password the less sophisticated thief could simply return a message such as, “Sorry, the server is down for maintenance. Please check back tomorrow. We appreciate your business.” Users might be frustrated, but they would be completely unaware that they had just handed over the keys to their accounts. Within seconds the crooks could use the lifted password/ID to enter the real bank site and drain a user’s accounts via fraudulent bill payments to P.O. boxes around the country. We don’t know that this has ever happened, but it will.

A more sophisticated thief might capture the password and login information in the background and then go ahead and log the user directly into their real bank account by passing the information to the real login script. This is extremely deceptive, as the user would experience nothing different from a typical session. The user will not realize anything is amiss until their funds are stolen later. Under this scenario, the thieves could take their time, monitoring the balances on their victim’s accounts over weeks or even months, and strike when balances reach their peak.

But still, would this strategy really work? With 50 million Web pages out there it’s hard enough to find legitimate Web sites, much less some strange imposter. Would real users be foolish enough to enter their passwords at false domain names?

To find out, we set-up a lookalike login screen for Security First Network Bank www.sfnb.com running under the lookalike www.sfnb.net domain name (screenshot right). Within 24 hours, legitimate SFNB customers attempted to login to the fake site. After they pressed “OK” we told users it was a fake. Our login screen did not actually capture anything typed in, but it could have.

We pulled the test site of the Web after a few days and buried the program in our hard drive forever. Had we been real crooks we could have run the scam for a few days easily compromising dozens of accounts or more before detection. Posting the false address in search engines and directories could have increased traffic to the fake site.

Using the same techniques, an identity thief could post credit applications on the Web using a bank’s name and trademarks, and capture social security numbers, bank account numbers, and the like.

All is Not as it Appears on the Net

This is actually a fake login screen. Notice the name, Security Fist (instead of First) and the lookalike domain name  sfnb.net  instead of  snfb.com .

The login screen above is an exact replica of the SFNB screen with a couple of important exceptions.

1. Not logged in to a secure server. Notice the broken key and the “http” instead of “https.” Though we could have run our scam on a secure server to avoid this tell-tale clue.

2. Notice the bank name is Security Fist instead of Security First. Again, real crooks wouldn’t do this.

3. The “E-mail Support” link is bogus too. Any email sent using this link would go to the crooks instead of the bank. Also realize the text displayed on the page has nothing to do with the actual underlying <mailto:> hyperlink.

Number three is significant for another reason. Even without going to the trouble of setting up a fake Web site, the owners of a lookalike Web domain could get emails destined for the bank. The fake site would also receive email exchanges from vendors, friends, relatives, and co-workers. This is why it’s important to educate employees and customer’s not to send sensitive information via unsecured email and to double check email addresses before hitting send.

The message returned to the “victims”
of our spoofing demonstration.

Register Your .net Today

Look at these domain names:

www.wellsfargo.net

www.keybank.net

www.wachovia.net 

www.sfnb.net 

These must belong to Wells Fargo, Key Bank, Wachovia and Security First, right? Actually, none are currently registered to the banks involved. They were all registered by my company, NetBranch  www.netbranch.com  this year. (By the way, we were only trying to prove a point and will gladly transfer the domain names upon request.)

Don’t make the same mistake. It will only set you back $70 to lock-in the .net version of your name.

For those of you still reading (I assume some are already emailing your Webmaster), you can take several steps to prevent this situation.

1. Register every similar name you can think of, they only cost $2.92 per month. At a minimum, lock in <yourbank.org> and <yourbank.net>. Credit unions should register <yourcu.com> if you haven’t already. Check for domain availability at  rs.internic.net/cgi-bin/whois . Do the same when new top-level domain names are introduced.

2. Don’t allow access from any server with a permutation of your domain name.

3. Check your access logs. Look for a large volume of requests to your login script from a single IP address or domain name. Also look for a high number of requests for your login graphics.

4. Restrict access to your login script. Your login script should only work when the referring IP address of the requesting server is the server that houses your official login screen.

5. Create a two-step login process for bill payment, interbank funds transfer, or any feature that could be used to move money out of the rightful account holders’ pockets. First-level passwords could be stored as cookies, or could be simple things such as the user’s last name. The secondary password would be the crucial one safeguarding monetary transactions. Any type of two-step password scheme would defeat the simple attack outlined here. Although sophisticated fraud artists could attempt to mimic your two-step process as well.

6. Use the VeriSign logo/certificate on the login page. But realize the crooks can steal this image as well.

7. Educate customer service staff and end-users.

User Advice:

•  Be cautious with your passwords
•  Verify the domain name/spelling
•  Verify site certificates
•  Use bookmarks
•  Never give account info via email

8. Search and scan the Web and newsgroups for uses of your name including misspellings and permutations. Some brokerages have full-time employees devoted to this process. They also look for compliance violations from their own brokers.

9. Hire a security consultant who looks beyond encryption and firewalls and applies common sense techniques to protect you from spoofs and other low-tech hacks.

10. Allow users to set their own security parameters on their accounts such as:

•  Allow access only from specified domains.
•  Maximum dollar amount of bill payments/day
•  No logins after midnight or weekends without special override password.

11. Send an email to users every time their account is accessed and every time a bill pay is initiated.

Alan Martin is President of NetBranch  www.netbranch.com , a consulting and design company specializing in banking and financial sites. He is also Webmaster for Online Banking Report. He can be reached at (770) 736-5956, or webmaster@onlinebankingreport.com .