Security group calls for user education to beat net fraud

21 Aug 2006

The head of an influential group of IT security professionals has said that banks should do more to educate consumers, in light of recent phishing attacks which have seen several Irish people be defrauded of substantial amounts of money.

Eoin Fleming, secretary of the Irish chapter of the ISSA (Information Systems Security Association), said more needs to be done to help educate the public to the dangers of the fraud, which works on the basis of fooling people into revealing their passwords and access details to their online bank accounts.

“No matter what security measure you put in place, you’re essentially dealing with a people problem because what phishers look to exploit is human behaviour. User education is really the only way to combat this,” Fleming told

Phishing attacks have become increasingly sophisticated since they first appeared more than two years ago, he added. Early efforts were usually badly spelled and the websites were often crude. Now, research suggests that many trained professionals would be hard pressed to spot a fake banking site.

“One of the oldest frauds is presenting people with what they expect to see,” said Fleming. “Phishers are providing all the visual cues to say to the user that this is a legitimate site. The only real difference between a phishing site and a legitimate banking site is the URL [web address] and there are lots of URL obfuscation techniques.”

One possible technological solution to the problem would be to prevent all of the user authentication from taking place over the internet, which is what currently happens when people are prompted for some or all of their PIN code when they enter the bank website. “If you really want to deflect this, you have to take a dual-channel approach,” said Fleming.

This second channel, in addition to the internet, could involve the customer’s mobile phone, he suggested. When the customer logs in to the banking website, a challenge is sent to their phone via text message. That way, even if an attacker had somehow got access to the customer’s website password, it would effectively be useless without the mobile phone – which could only be obtained or cloned at considerable cost. “The object is to make it expensive to commit the fraud,” said Fleming.

However, he cautioned against banks adding too many further layers of security to banking websites which he said would simply cause criminals to improve their efforts to beat the system. “It’s an arms race that the banks can’t win,” he said.

In addition, this would remove much of the attractiveness of the online channel for banks themselves. “The purpose of internet banking is low-cost banking and if you’re front loading [security], it goes against that,” he said.

Some banks have opted to limit what the user can do when they have logged on to online service, so that even if an unauthorised person gains access, they are prevented from easily transferring money to another account.

Another problem that banks have to wrestle with, according to Fleming, is user acceptance. “You can’t have perfect security, but you can damage your business by having too much security that makes the site difficult to use.”

“Major high street banks have to be very careful about what security they implement because they don’t want to drive customers away. But if people lose confidence in banking online, once it’s lost it’s almost impossible to get back.”

By Gordon Smith