The National Australia Bank Ltd. is giving its online banking users access to two-factor ID in an effort to combat online fraud which the Australian Banking Association estimates costs the industry A$25 million (US$19.5 million) annually.

The NAB will now offer a randomly generated code, sent via SMS to the user's registered phone, to be used as a one-time login.

The free service follows a three-month pilot between the NAB and KAZ for solutions that minimize the potential of Internet banking fraud through phishing attacks and fraudulent e-mail notices. The system has a capacity of 1.6 million messages per month to service the NAB’s existing 250,000 Internet banking customers.

Phishing facts:

  • 81 per cent of phishing attacks target financial services
  • Phishing Web sites grew to almost 3000 in February 2005
  • User education stifles phishing success
  • Increasing keyloggers – between eight and 10 new keyloggers weekly from more than 100 malicious Web sites were discovered between February and March 2005

KAZ Computers CEO Mike Foster said NAB had been looking specifically for two-factor authentication that was highly personalized but simple to execute.

“After considering various options a randomly-generated code sent by SMS to the registered mobile of an authentic user was a unique and relatively simple way to add another layer of security,” Foster said.

Financial services firms are the most prominent target for spoofed Web pages or phishing attacks and, according to the results of a new survey, account for an average of 81 per cent of all brands hijacked for phishing attacks globally.

The Anti-Phishing Working Group March 2005 global activity trends report found the number of active, phishing-specific Web sites rose by 245 for the month from 2625 recorded in February this year.

However, more alarming is the increase of keyloggers used to record personal data entered while online. From November 2004 to December 2004, one or two keylogger variants were discovered, with between 10 and 15 new Web sites to host the code popping up each week.

Between February and March 2005, research found between eight and 10 new keyloggers weekly from more than 100 malicious Web sites.

Graham Connolly, Australia and New Zealand territory manager for Websense security labs, which provided statistics for the report, confirmed that end user education is stifling the success of phishing attacks, but added that this knowledge is pushing scammers to use other methods to harvest information, such as the use of keyloggers.

“I think if a cyber criminal could choose how they infect machines then keyloggers get more information,” Connolly said.

“You can get everything with a keylogger and it hits people harder than phishing.

“Anecdotally, we are seeing the success of phishing decreasing slightly.”

The Commonwealth Bank of Australia (CBA) admits it is tough to keep ahead of Internet scammers, despite a multimillion revamp of its online banking service, Netbank.

Marcus Judge, CBA’s general manager of e-commerce, said it is difficult to second-guess online fraudsters.

“Security is one of the things you keep moving on, the bad guys keep developing what they’re doing and we have to keep developing what we’re doing,” he said.

The largest Internet banking site in Australia, Netbank, services around 1.9 million customers and attracts about 30,000 new members a month.

CBA started to overhaul the Web site in 2003, in a project that is expected to total A$100 million over a five-year period.

The new version of Netbank features beefed-up security, providing customers with enhanced identification questions, full access to the audit trail for transactions and the ability to trim online access to the accounts and services they need.

Hugh Harley, CBA’s group executive for retail banking services, said the Web site could not be designed to prevent e-mail hoaxes, but added that it would help the bank to handle them.

“[It can not prevent them] because those sort of attacks are directed at the customer,” he said.

“But we do have things that help you respond to that.”

All four of Australia’s major banks have been plagued by “phishing attempts” in the past couple of years.
