AU regional bank signs up for anti-phishing tokens

Bendigo Bank is set to become one of the first Australian banks to offer customers strong authentication protection for Internet banking using password generating tokens, in a move to thwart Internet banking fraudsters.

The regional bank has signed up with vendor Vasco to offer customers the Digipass GO3 token, a small key-ring sized device that generates a different numerical code every 36 seconds so that customers always log-in to their accounts using a different number. Bendigo said the device will be employed to prevent security breaches such as phishing and keystroke logging.
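The article describes a time-synchronised one-time password: the token and the bank share a secret, both derive the current code from that secret and the current time window, and the window rolls over every 36 seconds. The short program below is an added illustration of that mechanism and is not Vasco's Digipass algorithm, which is proprietary; it assumes an HMAC-based derivation in the style of RFC 4226, a six-digit code, a one-window tolerance for clock drift, and a constructed demo seed. It also shows the bank-side rule that makes "always a different number" actually matter: a code that has already been accepted is refused if presented again.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 36   # code lifetime quoted in the article
DIGITS = 6          # assumed code length; the article does not state one
DRIFT_STEPS = 1     # accept one window either side for clock skew (assumption)

# Constructed demo seed. A real token holds a per-device secret shared
# with the bank; this value is only for running the example offline.
DEMO_SEED = bytes.fromhex("0123456789abcdef0123456789abcdef")


def time_step(unix_time: int) -> int:
    """Window counter that advances once every STEP_SECONDS."""
    return unix_time // STEP_SECONDS


def otp_for_step(seed: bytes, step: int) -> str:
    """Derive a DIGITS-long numeric code from the seed and window counter.

    HMAC-SHA256 over the big-endian counter, then dynamic truncation as in
    RFC 4226 (low nibble of the last byte selects a 4-byte slice).
    """
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def generate(seed: bytes, unix_time: int) -> str:
    """What the key-ring device displays at a given moment."""
    return otp_for_step(seed, time_step(unix_time))


class Verifier:
    """Bank-side check: correct code for the current window, never accepted twice."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.last_accepted_step = None   # highest window already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now = time_step(unix_time)
        for step in range(now - DRIFT_STEPS, now + DRIFT_STEPS + 1):
            # A window at or before the last accepted one is a replay: refuse it
            # even if the code would otherwise match.
            if self.last_accepted_step is not None and step <= self.last_accepted_step:
                continue
            if hmac.compare_digest(otp_for_step(self.seed, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    t = 1_700_000_000
    bank = Verifier(DEMO_SEED)
    code = generate(DEMO_SEED, t)
    print("token shows:", code)
    print("first use accepted:", bank.verify(code, t))
    print("replay accepted:", bank.verify(code, t))
```

The drift tolerance is the usual trade-off: a wider window tolerates a token whose clock has wandered, but it also lengthens the period during which a code captured by a keystroke logger stays valid, which is why the verifier pairs the window with the one-use rule.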

Bank spokesman, Owen Davis, said that although Internet banking as a whole is safe "there is a weakness at the customers' end of the process".

"Customers can either be tricked into divulging their details or their computer may be infected with a Trojan to steal their details," he said. "This device provides greatly increased protection, peace of mind and confidence for customers that they can bank in a secure environment."

The move follows the circulation of several e-mail phishing scams involving the Bendigo Bank brand that attempted to lure customers into giving up their account details with lines such as "due to a technical update we are insisting our clients to verify reactivate their accounts" or asking for customer details claiming the bank has suffered security breaches and needs to verify user access.

According to the suppliers of the Digipass tokens, Vasco, the product has yet to falter.

"There have been no security breaches using the tokens that we know of," said a Vasco spokeswoman.

The device is currently employed in 300 banks in Europe, the spokeswoman said, equating to over 10 million tokens being used by banking customers and 11 million being used in total.

Davis said Bendigo is still deciding whether the tokens will be free or if customers will have the option of buying them, as he said supplying them would come at a large cost to the bank.

"The tokens cost us AU$16.50 each; we have around 100,000 e-banking customers, so it would cost us in excess of AU$1.6 million if we provided them for free," said Davis.

Bendigo said it plans to roll out the devices to its e-banking customers later this month. Davis said in the short term the device will only be used for e-banking log-ins, as the bank has not yet experienced a high-level threat against automatic teller machine or phone banking passwords.


Talkback 8 comments

  1. Anonymous -- 08/07/04

    Good one Bendigo. I heard that my bank, National Australia Bank, was going to issue one time passwords by SMS. I know that something has to be done about email scams and keylogging, but they shouldn't force me to use SMS. The mobile phone coverage at my house (where I do most of my online banking) sucks, so NAB will force me to go to an untrusted internet cafe to do online banking! Why can't NAB just offer something like Bendigo Bank?

  2. Anonymous -- 08/07/04

    Although the cost of each token is only $16.50, you can rely on the bank (whatever ones will adopt the token system) to charge the customer around double. It's a great way to make free money.

  3. Anonymous -- 08/07/04

    I agree with Mike's comment "Although the cost of each token is only $16.50, you can rely on the bank (whatever ones will adopt the token system) to charge the customer around double. It's a great way to make free money."

    However he left one thing out. The banks will then charge increased fees to any customer who does not have a token to cover the "increased" security threat they pose.

  4. Anonymous -- 09/07/04

    To become really mainstream, they will have to get it around the $5 mark. In comparison to losing money through fraud, $16.50 is very cheap, but it is quite a steep price. Business banking has been doing that sort of thing for years.

    What happens however if the token device is compromised? If someone finds a way of predicting the challenge-response. If they really wanted to, the phishing could still work, by tricking the user to go to a rogue site. That site could pass on the login details to the legitimate site and receive the challenge code, which the rogue site would echo to the user. The user types in the response code from their token, which is immediately entered into the online banking and the fraudster is in. A simple "We are performing maintenance on our authentication servers at the moment. We apologise for any inconvenience. Please try again later." would trick most users.

    In short, always type in the address yourself, and go via the bank's main access page. NEVER EVER EVER click the link from an email. It is far too easy to make the link look legitimate when it is not. Always have your virus scanner / spyware scanner definitions up to date, and have your operating system patched up to date.

    I would personally recommend not using the most popular browsers, and choosing hard to guess passwords. Also DO NOT USE THE SAME PASSWORD for email or other software etc. The bank will probably have a very secure hash of your password; your email provider may not. I have seen systems where the password is stored in plain text. In fact I recently modified that system to use 160 bit encryption to protect the users from themselves.

  5. Anonymous -- 09/07/04

    Westpac banking has not thought of what the news item has said, but that's always something new happening and I think that you're on the right track. But here in New Zealand there's something here called "Bank Fees" and it's fairly high, and these fees should cover costs of the issuing of these online tokens to bank account holders wherever the bank is, even in the USA or Australia or New Zealand. But them's the breaks though. I see this also, profits before the people too. But that's another subject to look into at another time. Thanks for the news item.

  6. Anonymous -- 10/07/04

    To our kiwi brother, never fear, Aussie banks are more than capable of announcing profits of several billion dollars and in the next breath turn around and charge an extra $AU5 a month or close a couple of branches. And that is before you attempt to do something like use another bank's ATM.

    Whilst they could finance such technology just using their fees, you can bet your bottom dollar they won't.

  7. Anonymous -- 12/07/04

    Surely the bank will see the sense of paying for them to offset losses from fraud and excess business at its bricks and mortar locations caused by nervous customers.

  8. Anonymous -- 12/07/04

    >>Surely the bank will see the sense of paying for them to offset losses from fraud and excess business at its bricks and mortar locations caused by nervous customers.

    You would think so, but I doubt they would absorb such a cost. After all, it is a perfect excuse for another bank charge.

    I would like to see some sort of improved technical solution. I could tell my bank to only let people log in to my account from one or two particular hosts. It isn't bulletproof in any sense, but frankly I don't want them to let anyone into my account from a .ru host.
