12 December 2017
Ted Egan

Ted

Ted Egan - ThreatMetrix Inc.

3Posts 10,920Views 7Comments

Dont blame banks for not pushing visible security

01 September 2009  |  4488 views  |  0

 

Visible security is needed not just for banks, but for any eCommerce site e.g merchants, retailers,trading platform or social networking.

 

Consumers groups should be applying the same visible security rule across all online business websites! 

Yes, the online banking services of some leading financial institutions may have weaker visible security measures in place than some of their rivals, however the real issue is that Which?Computing fails to point out that there is very little visible security when it comes to other popular websites where consumers also need to type in private and confidential details when logging in, e.g. Social networking websites and Online Merchants. 

Although there are many banks needing to improve their security measures when their customers login or when transferring money, we should agree most banks have better security measures than most non-banking websites. Too many merchant websites and social networking websites fail the visible security test also and are increasingly becoming perfect opportunities for online criminals to steal consumer identities, even passwords and credit card details.

Online criminals use keylogging software, cross site scripting techniques and other more sophisticated malware attacks, i.e. the infamous torpig trojan or my favourite trojan called Zeus (known to steal your private and confidential details to on sell on the black market) equally as they do when targeting banking websites. For the criminal, they do not even have to visit the consumer bank website to get enough information to access a customer’s banking details, access their accounts or use the customer’s credit card.

With the lack of visible security whereby the customer computer is not secured when the customer logs in, the criminals can also be quite creative when attempting to access consumers bank account. For example, depending on how or if authentication or a second factor is implemented, if they are able to use malware placed on the customer computer undetected, they can access the bank account also undetected, then second factor may not be effective to stop a transfer funds to approved accounts such as a credit card, which the criminal also has access to. In this case the criminal  bypasses any one-time-password authentication.

Then there is phone porting where the criminal gains access to a text message one-time-password needed to authenticate a specific transaction. Without visible security that secures the computer and will alert the customer if there is a problem before the transaction or authentication process begins, the use of phone porting allows the criminal to gain access to the customer’s account allowing them to set up a mule account while hoping the customer does not notice the One-Time-Password on their phone, but really this is creative and efficient and they only need a few minutes to succeed. 

These creative activities are equally being used effectively to access what is potentially more of a dangerous issue, customer identities in non banking websites.  Arguably with someone’s identity you can do more than just access a few funds.

However, there is still a lot more that most banks need to do to protect customer details. Protection needs to begin before the customer starts typing in their passwords and this is true again for all other non-banking websites. The challenge for all online businesses is to provide true visible online security that also allows consumers to be alerted to a potential malware threat or alerts them to whether basic security precautions are working correctly or not (i.e. firewall switched on, AV switched on and up to date or Windows Updates switched on) before they log in.

Consumers should be alerted when there is a potential problem!

More importantly consumer behaviour is generally to fix the problem if they know and are alerted to the fact there is a potential problem, but they always want and should be allowed to just log in (securely). For this to be effective, security information needs to be relevant to the account holder, in real-time and at the point before they begin typing. Security cannot happen afterward and not the generic security information most people never read and we see everyday on a banking websites, let alone never see or there is very little security information on merchant or social networking websites to warn consumers of potential threats.

Online transactions can be much safer for all online websites, and Which?Computing should not just focus on banks, as building trust and generating increased satisfaction in all online transactions is an industry responsibility. Trust can be generated if visible security is implemented right. Visible security should become the norm across all social networking, online merchant, trading platforms and banking websites before the customer begins logging in and during the period of the transaction.

This is an industry-wide responsibility!

 

 

TagsSecurityRisk & regulation

Comments: (0)

Comment on this story (membership required)

Latest posts from Ted

Chinese online gangsters target Aussie celebrity builder

14 February 2010  |  3197 views  |  0 comments | recomends Recommends 0 TagsSecurityRetail banking

Dont blame banks for not pushing visible security

01 September 2009  |  4488 views  |  0 comments | recomends Recommends 0 TagsSecurityRisk & regulation

The nastiest ebanking trojan just got nastier

14 July 2009  |  3236 views  |  0 comments | recomends Recommends 0 TagsSecurity

Ted's profile

job title Vice President Sales & Ops Asia Pacific
location Sydney
member since 2008
Summary profile See full profile »
Today he is Vice President of Sales for ThreatMetrix in the Asia Pacific where he is responsible for enabling Merchants, Payment processors, Financial institutions and Government agencies to REDUCE op...

Ted's expertise

Member since 2008
3 posts7 comments
Ted's blog archive
2010 (1)2009 (2)

Who's commenting on Ted's posts