Banks have a "serious issue" with phishing attacks aimed at their online banking customers.  It's time they take a long and serious look at a simple solution. (see left) 

The nature of this beast known as "phishing" is to lure these online banking folks, with a sophisticated and genuine looking trap which includes genuine looking emails which provide links to genuine looking sites. (a new "type" of bait and switch)

Once there, users are simply instructed to do what they've been programmed to do since day one with online banking. 

They are told to "type" in their username and password to log-in.  Problem is, once they "type" in their "username | password"  they provide full access to their accounts to the phisheries.

If you haven't figured it out already, allow me to point out the major flaw in this process.  If online banking customers had not been originally programmed to  "type" anything into a box the first place, then this type of phishing would not have cropped up in the second place. 

Case in point: Imagine if you will, that when ATM's first came out,  users were instructed to  "make up" a username and password for which would have provided full access to ATM's? How smart would that have been?

Fortunately the banks were smarter than that and they required that their ATM customers insert their card into a built-in card reader AND enter their PIN. Two factor authentication 101.  What you "have" (card) and what you "know" (PIN)

I'm puzzled.  Maybe perplexed.  Why would they believe for a moment it should be any different for online banking log-in? What has happened since then to make them believe "typing" is safer than "swiping?"  Why are they suddenly dissin' the card?


Window of Opportunity

Instead of dissin' the card, I say "DISCARD" the antiquated username | password log-in process and instruct customers "USE THEIR CARD" (what they have) and their PIN (what they know) thereby replicating the exact same process these customers use gain access to an ATM.  True 2FA.  The only difference would be that authentication would be done in the safety (no skimmers/no cameras) of the online banking customers own home...with their HomeATM SafeTPIN!

If the online banking community introduced their customers to a simple new log-in process, one whereby they require that theironline banking customers log-in the "same way"  they do at ATM's... with "THEIR CARD, THEIR PIN, & THEIR HOMEATM," they would greatly enhance the security of their online banking sites.  

This two factor secure log-in would eliminate the issues they are having with these phishing attacks altogether. My opinion is that it is an opportunity they can't afford to pass by.

Why?  Because it would also eliminate issues they are having with cloned websites, cloned cards, DNS Hijacking, etc.  In addition, they would arm their online banking customers with a weapon of phish destruction, one that fights cybercrime and "empowers" them as mini-profit centers.  Does anyone disagree with the statement that  "Bill Payments, Money Transfers, and secure online transactions" ALL make money for banks? 
.  
That said, I humbly suggest it's high time to "studythese issues" more closely.  There are three "key" issues banks need to contend with if they want to come out of this ahead.   I call it online banking "CPR." 

Let's look at "these issues" one at a time
:

Bank "ISSUES" the Card,
Bank "ISSUES" the PIN, 

So Where's the Issue with a secure Card/PIN Reader

Did you know that the average phishing attack costs the bank and the bank customer $350. Well it does.  $196 for the banks and $154 for the consumers.  Want proof?  Okay, here it is from Gartner Research:

According to research firm,Gartner, banks, online payment organizations and other financialinstitutions are bearing most of the financial cost of phishingattacks.  (A survey of nearly 4,000 US consumers revealed a 40% increase in the number of phishing victims in 2008 over the year before to five million.) 

The average loss was $350 per phishing attack, but consumers said they had recovered 56% of their losses from the financial institutions involved.  (That's $196 to the banks and $154 to the consumers)



"The findings underline the fact that the war against phishing is far from over," said Avivah Litan, analyst at Gartner.  (Yes, the very same Avivah Litan who says "never" enter your PIN on the Internet unless it's hardware based)


Banks could (in quantity) issue around 70 HomeATM's for each successful phishing attack.  It's the last remaining issue they need to contend with.

Speaking of phishing, here are a few of the latest as compiled by Millersmiles.com.uk


HSBC Bank14th June 2009
Security Measures.

Halifax14th June 2009
Important Message

Egg Bank14th June 2009
Online Account Alerts !

Halifax Bank14th June 2009
Important message from Halifax - Action required

Abbey14th June 2009
Online Service

Halifax13th June 2009
Reminder Message - Must Read

Cahoot Bank13th June 2009
Unable to Verify Your Account

Halifax Bank13th June 2009
Dear Customer Account Has Been Suspended

MBNA13th June 2009
MBNA Online Banking Access

Halifax13th June 2009
Dear Customer Your Bank Account Has Been Suspended

Cibc13th June 2009
Using Your Information

HSBC12th June 2009
ONLINE CUSTOMER MESSAGE

Abbey12th June 2009
Your Online Account Needs Update.

Abbey12th June 2009
You Have a New Message

Alliance and Leicester12th June 2009
Online Banking Update

Halifax Bank12th June 2009
UPDATE AND VERIFY YOUR INFORMATION

Lloyds TSB Bank12th June 2009
You have a secure message from us

Cahoot Bank11th June 2009
Cahoot Bank -Account Access Denied

Halifax Bank11th June 2009
You have one new message in your Halifax Bank Plc Folder

MBNA11th June 2009
Protect your account fully

Commonwealth Bank of Australia11th June 2009
Netbank Account Reactivation

Egg Bank11th June 2009
Online Security Alert

PayPal11th June 2009
We were unable to process your most recent payment










Reblog this post [with Zemanta]

Posted by John B. Frank Monday, June 15, 2009

0 comments

Payments Industry News Blog

Search the PIN Debit Blog by Subject

Kapersky Calls for Mass Adoption of Card Readers

Kapersky Calls for Mass Adoption of Card Readers