In the face of smarter and more sophisticated criminal attacks, Standard Bank of South Africa is ramping up its efforts to protect its customers.
A massive e-mail fraud scam in May that targeted the customers of various banks, including Standard Bank, saw a criminal syndicate recruit runners in South Africa (SA), via e-mail sent from South Korea, under the auspices of a genuine business opportunity, whose accounts would be used to launder money gained from the attack. The spam containing the spoofed message from Standard Bank was then sent from a Brazilian IP address to SA, and directed local users to a Russian Web site, where they were asked to fill in their details.
Using the details garnered on the Russian site, the attackers instituted fraudulent transactions from New York, and then attempted to transfer the illegally gained funds into the runner’s account, for the runner to send, via wireless transfer, to Russia. Whilst all eyes were on the phishing attempt, the syndicate also released a Trojan that set about harvesting account information and sending it on to the Russian site.
Standard Bank technology engineering director Herman Singh says that no customers lost any money in the attack. Working with specialist security firm, Cyota, the bank was able to shut down eight domains being used by the syndicate, effectively neutralizing the attack.
It was also able to freeze the runner’s account the minute the first deposit was made, block the relevant ports to prevent any more people accessing the sites (through UUNet, IS and Telkom — SA’s first-tier ISPs), and contact the Scorpions (anticorruption and organized crime unit) once the money-laundering attempt became obvious.
The bank managed to do all this by 3 P.M local time on the day the attack was launched at midnight. The runner was taken into custody the following day.
Singh says that the bank is extending the strategies it uses to protect itself to its customer base. The bank will be introducing several new security measures in the next month or so. Firstly, it is renewing the free access to McAfee software it has offered for the last three years. Further, it is expanding its SMS notification service, so that customers will be alerted immediately about all transactions on their accounts.
It is also introducing ‘payment confirmation’, which will notify both payer and payee that a transaction has been completed. It will be introducing digitally signed mail, and will be encouraging customers to sign up for the MyNotification service.
One-time passwords will be sent to the user once they have signed on, independently of the Internet banking session, and with a short expiry time. This two-factor authentication system adds an extra layer of protection as, even if a user’s account details are hacked, the hacker is unlikely to have access to their cell phone, for example, and be able to receive the one-time password needed to complete the log-in process.
Customers wanting to use their credit cards online will have to register them for online use beginning in August, says Singh. The bank is launching the SecureCode (a Mastercard product) service locally, which will ensure that all online credit card transactions are authenticated by the bank before completion.
In other words, once a user gets to the ‘check out’ on a Web site, they will be automatically directed to a Standard Bank page, where they will be authenticated, before going back to the e-commerce site to complete the transaction.