Fraud Fears in Internet Banking 1.Introduction - Dissertation Example

ID: 07033010 Fraud Fears in Internet Banking Introduction Computer technology has broken the geographical barriers and congregated the world on a single platform. Computer technology has intervened in all walks of life; the field of education has been revolutionized by the advent of e-learning and virtual learning management systems, businesses have become more structured and organized due to the adoption of information management systems, medicine has witnessed remarkable inventions that have made medical procedures more accurate and reliable. Banking industry is no different; banking operations and processes have become more accessible and convenient for the customers due to the introduction of internet banking. Banking operations are no longer restricted to the limited business hours of the bank, rather can be done at any time via the internet. However, this technology has also proved to make customers’ details and intellectual assets of the companies vulnerable in the presence of increasing security threats from hackers and intruders. Internet frauds related to the banking sector have become major concerns for customers around the world. Some of the most common online banking frauds have been discussed in the paper, along with the discussion of few real life instances of such crimes. 2. Internet Banking Internet banking offers a wide range of activities like balance inquiries, transfer of accounts etc. The acquisition and transfer of customer details and information on the internet makes the whole process vulnerable, along with the presence of internet scams that aim to steal the information of customers. Financial institutions have suffered great losses over the years by becoming victims of malicious activities of cyber criminals. Cicutti (2008) quoted the results of a research study by Association of Payment Clearing Services (Apacs); it concluded that instances of ‘cardholder not present’ are increasing around 37% after every year. The losses reached to an enormous amount of ?290m in 2007. These figures include fraudulent attempts via the internet, mail and phone. Few other figures have been reported by Financial Fraud Action UK in Sky News (2009); it pointed out that only first half of 2009 marked a 55% increase in the rate of internet banking frauds with the figure of ?390m as compared to the figures for the year 2008. The alarming increment of internet banking crimes denote that the cyber criminals are getting more technology savvy who are adopting innovative technologies to overcome the security measures of the financial institutions to violate the privacy of the customers’ data. Internet banking has been widely accepted by customers due to its convenience. Spam Laws (2009) stated that around 45% of the 141 million grownups in US opt for online payment of their bills. Along with convenience, comes a huge price for the customers who prefer online banking. Spam Laws (2009) also provided the information that around 2 million Americans became victims of fraudulent actions in the year 2004, where customers were reported to suffer losses of around $1, 200 on average at every instance of fraud. After the analysis of the findings, it was concluded that the increasing number of fraudulent actions were known to have the source as online banking. 2.1 Types of Internet Frauds There are numerous types of internet banking frauds. Few of the most common ones have been discussed below: 2.1.1 Phishing/ Scam Emails The concept of phishing originates from two words; password and fishing. Zin andYunos (2005) explained that this technique is used to retrieve customer’s bank details by making the activity look like a regular procedure from his respective bank. Several types of information may be aimed to be extracted by the user, such as social security numbers, online banking credentials, credit card numbers etc. The sender might pose to be a bank officer who wants to update the customer’s data in the bank database. Recipients might reply to such emails with the understanding that it is a part of a routine update operation of the bank database or be lead to a compromised page for the entry of the details. The format of the emails is identical to the original documents and layouts of the respective bank to fool the recipients into thinking that it is an authentic email. Few incentives or rewards might also be used to provoke the customer to reveal his personal details, like lotteries or inheritance of a fortune etc. However, some phishing emails can be identifiable due to some grammatical mistakes; this might be possible due to international origin of the hackers. Such emails are also built around a warning and threatening tone, such as the closure of the account or credit card. Banks do not adopt threatening tones unless the account holder has violated some crucial policies or procedures. Sky News (2009) reported that there had been 26,000 phishing attacks in the first half of the year 2009; this is approximately 26% more than the figures of the first half of the previous year. As stated earlier, the increasing rate of phishing attempts denotes the adoption of even more effective strategies and techniques by hackers. Dhamija, Tygar and Hearst (2006) conducted an experiment to test the effectiveness of the phishing websites. The experiment constituted a sample of 22 participants who were asked to provide their feedback about 20 websites. The results concluded the following factors: 90% of the phishing websites look genuine and authentic due to which the participants did not question their authenticity. Prevailing anti-phishing indications are not useful since they are often easily ignored by the participants. 2.1.2 Trojan Attacks Trojans are considered to be emails or websites that may contain malicious intent attachments or software, respectively. When the attachments are opened or compromised links are clicked, malicious software is installed on the user’s system without his knowledge. Such software is capable of monitoring the online activity of the user. Upon the initiation of the online banking transaction, the software is alerted and predefined harmful actions are performed. The banking details that are entered by the user on the bank website are secretly transferred to a predefined location. This facilitates the theft of sensitive information of a bank’s customer without the knowledge of the owner. Zin and Yunos (2005) pointed out that public computers are known to be at most risk with respect to these attacks. According to M86 Security (n.d.); around the middle of the year 2010, a massive Trojan attack was initiated against customers of a large financial institution. It was estimated that around 3000 accounts were affected by the attacks and a total of ?675,000 were stolen from the respective accounts within a month. The respective attack is significant since it highlights several techniques that are adopted by cyber criminals. They adopted the following techniques to plan a large scale attack: Installing malicious software on authentic websites Developing compromised online advertisement webpage Incorporating infected advertisements on authentic websites Upon the successful installation and activation of the malicious software in the user’s system, the activities of the user were monitored in a usual manner. However, instead of sending back user credentials to the cyber criminals, the software automated funds transfer from the user’s accounts to a pre-defined account of the cyber criminal. 2.1.3 Pharming Another type of fraudulent activity that is highly feared by internet banking users is pharming. The cyber criminals develop websites that are replicas of the original websites of financial institutions. CatBird (2006) stated that the user might be attracted towards the fake website by means of a social networking platform, email or changing the hosts file on the user’s system. Another strategy involves changing the entry in the original Domain Name Server (DNS) software. Domain Name Server translates the names of the websites into IP addresses which are the true identification of any destination. Trojans can also be programmed to play their role in this type of attack. When the user opts to visit the website of his financial institution, the Trojan redirects the user to a compromised replica of the website of the respective bank. The user assumes that he is connecting with an authentic financial institution websites, whereas he is directed to the compromised source. Schouwenberg (2008) explained that any information entered on the fake website will be easily extracted by the criminals and hence used for his spiteful activities. This type of attack is also referred to as redirecting traffic. Figure 1: Pharming Attack (Zin and Yunos, 2005) 2.1.4 Man-in-the-Middle Attack A malicious server is used in this type of attack to eavesdrop all the communication between the customer and his financial institution website. All the operations on the website seem to take place in a usual manner, while the message exchange is being observed by the eavesdropper. The user and banking server assume that they are talking to each other via one-on-one connections, although the messages are being transferred by means of the eavesdropper. Sakhalkar (2009) explained that the eavesdropper reads all the messages between the communicating hosts and alters the desired messages for his own gain. As a result, the customer might authorize a fraudulent transaction upon the verification of his own transaction. It has also been witnessed that the cyber criminals tend to hide the browser notifications about security certificate or present fake ones to the user. Figure 2 shows the man-in-the-middle attack: Figure 2: Man-in-the-Middle Attack (Sakhalkar, 2009) A common type of man-in-the-middle attack that is used in online banking transaction is discussed below: Man-in-the-Browser Attack Man-in-the-Browser is a Trojan that provides the browser capabilities to alter the content of the webpage, alter the attributes of the transaction or even add new instructions to the original command of the user. Man-in-the-Browser attack achieves the malicious activities by making use of browser helper objects; this utilization of built-in features of the browser makes it very difficult to identify the attack. The attack takes place in the following manner: Bank’s customer connects to the online banking website to make an online transaction. Customer enters his login credentials and submits the request for the respective transaction. As soon as the request is submitted, the malicious software in the infected system of the user alerts the hacker about the on-going activity of the victim. After the hacker is alerted, the customer is presented with a pop-up message that provides the information about the processing of the data and directs the customer to wait for a few seconds. Whereas, on the other side, the hacker reads the messages that the connection has been made with the web server of the bank and that the transaction can begin. As a result, the hacker acquires control of an active account that may be used to perform any banking operation with the customer’s credentials. 2.2 Security Measures by Financial Institutions The exponential increase in the rate of fraudulent activities has provoked the financial institutions to invest in the implementation of effective security measures. The foremost step that is required to ensure greater level of security in internet banking is to improve the authentication process for the customers. There are a wide range of authentication mechanisms in the prevailing times that ensure accurate and reliable identification of individuals. Federal Financial Institutions Examination Council (2005) categorized them in the following manner: Knowledge based factor: Something that is known by the user, for example, PIN, password. Ownership based factors: Something that is owned by the user, for example security token or smart card. Inherence based factors: Something that is inherently present in the individual, for example, fingerprints, retinal image, palm prints etc. Each type of authentication mechanism offers a different level of reliability and accuracy. However, it has been agreed by numerous researchers that the authentication process via more than one factor is far more reliable and secure than a single authentication factor, for example, the combination of a knowledge based factor and an inherence based factor is expected to attain greater security in the identification process of individuals. Due to the increasing fears of online banking transactions among the customers, significant steps were taken by Bank Negara Malaysia to make the process more secure and reliable. Shamsiah and Abdullah (2011) stated that they have released orders to base their authentication mechanisms on two factors by the year 2012. This step is expected to increase the usage rate of online credit and debit card transactions. Biometric authentication systems are being commonly used in the authentication of online banking to reduce instances of fraudulent activities and data thefts. Krawczyk and Michaud (2005) stated that Bank of Central Asia has adopted the fingerprint recognition system in their online banking services to secure the process. Current fingerprint recognition systems are even equipped with the mechanisms to detect the live-ness of the fingerprint to ensure that a human being is attempting to access his account, rather than the usage of a dummy finger. Krawczyk and Michaud (2005) provided another example of the largest South American bank- Banco Bradesco. They have integrated the technology of recognizing the voice of the account holder. The account number is required to be read for acquiring access to their online accounts. This mechanism has only been introduced in bill payments in their online banking solution to analyze the level of acceptance and success of the system. 3. Conclusion Online banking is one of the most innovative concepts of the past century that has facilitated convenience and fast-paced transactions for the banking customers. It has been witnessed that malicious intent individuals tend to find loop holes in every technology that gains a name of itself. Online banking platforms have also become victims of such spiteful activities. Internet banking has been subjected to millions of pounds of losses around the world and the figures keep on increasing every year. Hackers and intruders tend to devise innovative techniques to steal customer’s details and hence use them for their unlawful plans. Some of the most common attacks prevailing in the modern markets are phishing, pharming, man-in-the-middle and Trojan attacks. In phishing attacks, cyber criminals pose to communicate with the individuals as executives from the customer’s bank. The customers are mostly asked to provide their personal details for the purpose of updating their databases or to win some reward. Pharming attack redirects the web traffic of an authentic website to another website that is a replica of the original one. The customer does not feel any difference in operations between the two websites; therefore he is not able to detect the malicious intent of the operations on the website. Trojan attacks are feared the most due to the power that comes with them. Trojan attack secretly installs malicious software in the system of the victim; the automated download of the software may take place via attachments, advertisements or social networking sites. The software can monitor all activities of the victim and report it to the hacker. Man-in-the-middle attacks can alter the messages of the victim and even initiate communication with the bank’s server while posing to be an authentic account holder. Due to the appalling figures of internet banking frauds, banks have started investing hefty amounts in the implementation of effective authentication mechanisms. References CatBird, 2006, Pharming- Stealing your online information and identity, viewed 17 May 2011, Cicutti, N 2008, ‘Paperless banking raises fraud fears’, Scotland On Sunday,Premium Article ! Your account has been frozen. For your available options click the below button. Options Premium Article ! To read this article in full you must have registered and have a Premium Content Subscription with the Scotland On Sunday site. Subscribe Registered Article ! To read this article in full you must be registered with the site. Sign In Register 4 May, viewed 16 May 2011, Dhamija, R. Tygar, JD., Hearst, M 2006, ‘Why Phishing Works’, Conference on Human Factors in Computing Systems 2006, April 22–27, Montreal, Quebec, Canada. Federal Financial Institutions Examination Council, 2005, Authentication in an Internet Banking Environment, viewed 18 May 2011, Krawczyk, S., Michaud, C 2005, ‘Biometric in the banking industry’, Michigan State University. M86 Security n.d., Cybercriminals Target Online Banking Customers, viewed 17 May 2011, Sakhalkar, D 2009, ‘Identifying, Mitigating Man-in-the-Middle Attacks’, Cognizant, viewed 19 May 2011, Schouwenberg, R 2008, ‘Attacks on banks’, SecureList, 23 Oct. viewed 17 May 2011, Shamsiah, T. N., Abdullah, T 2011, ‘Two factor authentication in Malaysia by 2012 to Boost growth of Visa Cards’, 18 May 2011, http://www.bernama.com.my/bernama/v5/newsbusiness.php?id=587134 Sky News 2009, ‘PC Users Targeted as Online Fraud Soars’, 7 October, viewed 16 May 2011, Spam Laws, 2009, Internet Banking Fraud: Why is Online Banking so Popular?, viewed 17 May 2011, Zin, A. Yunos, Z 2005. ‘How to make Online Banking Secure’, The Star InTech, April Issue. Read More