Online banking customers deserve better security

NEWS RELEASE Tuesday April 3, 2007

Online banking customers deserve better security

New Zealanders have a right to better protection from banks against scamming attacks and should demand better security for online banking, said Mike Heath, General Manager of New Zealand’s online savings and investment service, RaboPlus.

“The country’s biggest banks are all encouraging their customers to use online services, however many banks here lag behind in the security they offer to their online banking customers,” said Mr Heath.

Overseas, consumer legislation and the growing number of phishing attacks has motivated many European banks to improve their security measures. Interpol has found that countries which have better protected online industries are significantly less likely to be targeted.

“Unless banks in New Zealand step up the security they offer their online banking customers, it is possible we will see more and more fraudsters targeting New Zealanders,” said Mr Heath.

RaboPlus.co.nz, the online savings and investment proposition from Rabobank, is the only online banking service in New Zealand that offers a three-pronged approach to protecting its customers: two-factor authentication plus digital signatures. In addition, it offers these for free to all of its customers, not just its business customers.

Mr Heath said all other banks should offer their customers the same level of security.

“Many of our customers invest their life savings with us. We take that very seriously, and that’s why we offer our customers the best security available. Other banks should do the same,” he says.

Two-factor authentication requires customers to provide two forms of identification before they can log-on, or conduct any transaction. The first identification step is based on something users already know (their access code and password), followed by a second step based on something that is randomly generated, such as an additional security code.

RaboPlus.co.nz provides all customers with a free Digipass (which looks a bit like a small calculator), to generate a unique, random code every 36 seconds. Customers use this unique code together with their customer number and pin when logging on and conducting transactions online. Some banks charge for this service.

RaboPlus.co.nz also attaches digital signatures to every transaction to protect customers from a new type of fraud (known as Man in the Middle) where fraudsters intercept and change a transaction.

No other bank in New Zealand has the digital signature step in place for its retail customers, leaving consumers open to these types of attacks.

Rabobank Australia & New Zealand is a part of the international Rabobank Group, the world’s leading specialist in food and agribusiness banking. Rabobank has more than 100 years’ experience providing customised banking and finance solutions to businesses involved in all aspects of food and agribusiness. Rabobank has a AAA credit rating and is rated one of the world’s safest banks by Global Finance magazine. Rabobank operates in 43 countries, servicing the needs of more than nine million clients worldwide through a network of more than 1500 offices and branches. Rabobank Australia & New Zealand is one of Australasia’s leading rural lenders and a significant provider of business and corporate banking and financial services to the region’s food and agribusiness sector. The bank has 75 branches throughout Australasia.

ENDS

Fact sheet: online banking fraud

What is phishing?

Phishing is the name given to criminal, fraudulent attempts to trick people into disclosing their bank or credit card details by pretending to be their bank. Victims receive an e-mail, purporting to be from their financial provider, asking for confirmation of confidential customer details or with a link to a bogus – but official-looking – bank website. If the victim enters customer details and/or passwords, these are recorded and used to access the victim’s account and/or credit card to extract money.

The term phishing stems from the increasingly sophisticated lures scammers use as they "fish" for users' financial information and password data. Hackers have a tendency to change the letter "f" to "ph" - a transformation which first appeared in the late 1960s among telephone system hackers, who called themselves phone phreaks.

How prevalent is it?

Internationally, the number of phishing attacks is on the increase. Over the last six months of 2006, 166,248 unique phishing messages, an average of 904 per day, were detected according to global infrastructure software company Symantec. This was a 6 percent increase over the first six months of 2006.

While the number of phishing attacks being reported in New Zealand has decreased in recent months, Maarten Kleintjes, NZ Police National Manager Electronic Crime Laboratory, says new forms of phishing and identity fraud are starting to emerge as criminals reposition themselves.

Mr Kleintjes says we must remain eternally vigilant and adapt to these new threats, in a timely manner, as they develop.

What is two-factor authentication and how does it work?

Two-factor authentication provides an additional level of security that can almost eliminate the risk that your identity and your cash can be fraudulently obtained.

Simply put, it requires two forms of identification before you can access internet banking - something that you already know (your access code and password) and something that is randomly generated, such as an additional security code.

RaboPlus uses a Digipass (which resembles a small calculator) to generate the additional security code. A RaboPlus customer enters a unique pin number to activate their Digipass, which then generates random numbers (access codes) that change every 36 seconds.

Before they can access their account, and for every transaction, the customer must enter their internet customer number, PIN, and Digipass-generated access code.

Currently only RaboPlus, HSBC, ASB, BNZ, TSB, PSIS, and BankDirect, offer their retail customers two-factor authentication. In fact, RaboPlus goes beyond this, with “two- factor plus” authentication, as it also applies a digital signature to each transaction. (See Man in the Middle attacks below).

Does two-factor protect people from phishing?

Yes – because the fraudster must have access to both the customer’s customer number, PIN and their Digipass-generated access code. Even if a RaboPlus customer fell for a phishing scam and provided their customer number and PIN, the fraudster would still need their Digipass to access their account.

Is phishing the end? What is the next anticipated big risk to online banking?

Maarten Kleinjtes, NZ Police Electronic Crime Laboratory Manager, says that phishing is only just the start.

“Once all banks use two-factor authentication, phishing will be almost impossible. Criminals will become more sophisticated, and we expect they will begin positioning themselves between the customer and the bank, where they will be able to read, insert and modify the communication without either party knowing that the security between them has been compromised. In the industry, we call these “Man in the Middle” attacks.”

What can customers do to protect themselves from Man in the Middle attacks?

RaboPlus is the only banking service in New Zealand able to protect its retail customers against a “Man in the Middle” attack. It does this by applying a digital signature to each transaction. RaboPlus calls this “two-factor plus authentication”.

When a transaction is intercepted and changed (as would happen in a Man in the Middle attack) the signature would be broken, alerting the bank that the transaction should not be processed.

No other bank in New Zealand has the digital signature step in place for its retail customers, leaving them open to possible Man in the Middle attacks.

How does NZ online banking security compare to Europe?

The situation varies across Europe. While some countries like the Netherlands and Germany are very security conscious, many are less aware.

Consumer legislation and the growing number of phishing attacks has motivated many European banks to improve their security measures. Some countries have consumer legislation which makes the bank responsible for phishing attacks unless it can show it has taken preventative measures to protect customers. This has motivated many banks to offer two-factor authentication to all of their customers.

Rabobank International – RaboPlus’ parent company – has used two factor authentication since it launched its online banking service in 1995. It was one of the first banks to offer online banking in Europe, and in its home country of the Netherlands, the first to offer two factor authentication.

What could NZ learn from what European banks are doing?

Online banking fraud is growing, especially in those countries where most banks do not offer two factor authentication because they are easy targets. Interpol has found that countries which have better protected online industries are significantly less targeted.

In addition to the good work already being done in New Zealand to raise awareness of phishing scams and other types of online banking fraud, the banking sector needs to step up its work to protect customers, including offering two-factor authentication and other security measures to all of their customers.

© Scoop Media