Online banking theft -- who pays?

Commentary: Miami businessman Joe Lopez could change the face of Internet banking.

Lopez discovered his company bank account was US$90,000 short and a quick check online revealed the amount had been transferred -- without his knowledge -- to a Latvian bank.

The Bank of America was duly notified, with Lopez urging its officers to stop the transfer. Unfortunately, it was too late: about US$20,000 had already been withdrawn from the Latvian bank account, and the bank froze the remainder.

After the US Secret Service combed through Lopez's computer, they realised the culprit was a trojan horse called Coreflood. Seemingly harmless when first discovered in 2001, subsequent variants proved malicious -- Backdoor.Coreflood was one example which could give control of infected machines to an attacker.

Not wanting to be left high and dry, Lopez filed suit against the Bank of America, claiming it had failed to protect him from online theft. The financial institution had allegedly neglected its duty to warn him of the security threat. It was as if the bank knew someone else had a key to the vault but didn't warn customers, claimed Lopez's lawyer.

As expected, the Bank of America denied all charges, saying the onus lies on customers to install security software and to apply patches regularly.

"Microsoft has indeed squandered an opportunity to set a mark in the security arena. To go one step further, Microsoft can directly be blamed for a big portion of the mess the entire Net is in today."
-- Andreas Kuhn

Some banks in Australia practice a two-pronged security strategy for fund transfers: customers are required to re-enter their password before money can be wired and transactions bear a cap of between AU$1,000 and AU$5,000 per day.

These limits also act as an obstacle to clandestine activity. At the moment, bank tellers are required to report suspicious transactions -- such as repeat transfers -- below AU$10,000 to the anti-money laundering regulator Austrac (Australian Transaction Reports and Analysis Centre).
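The two controls just described (a password re-entered before a wire goes out, a per-day cap) and the reporting rule for repeat sub-threshold transfers are simple to model. The following Python is an added illustration, not code from the commentary or from any bank; the cap, the AU$10,000 threshold, the account names and the amounts are constructed, and the structuring rule (three or more sub-threshold transfers to one destination within a week) is an assumption chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta

# Added example, not from the original article. Amounts are whole AUD; every
# account name, cap and figure below is constructed for illustration.


@dataclass
class Transfer:
    when: date
    dest_account: str
    amount: int


@dataclass
class Account:
    daily_cap: int = 1000                        # article: AU$1,000 to AU$5,000 per day
    history: list = field(default_factory=list)  # transfers already executed

    def sent_on(self, day: date) -> int:
        return sum(t.amount for t in self.history if t.when == day)


def authorize_transfer(account: Account, transfer: Transfer, password_reentered: bool):
    """Two-pronged check: the password must be re-entered for this transfer, and the
    running daily total including this transfer must stay within the cap.
    Returns (allowed, reason); an allowed transfer is recorded in the history."""
    if not password_reentered:
        return False, "password re-entry required before funds can be wired"
    if account.sent_on(transfer.when) + transfer.amount > account.daily_cap:
        return False, "daily transfer cap exceeded"
    account.history.append(transfer)
    return True, "ok"


def flag_repeat_transfers(transfers, threshold=10000, window_days=7, min_count=3):
    """Report destinations receiving min_count or more transfers, each below the
    reporting threshold, within any window_days-day span (assumed rule).
    Returns {dest_account: total of its sub-threshold transfers}."""
    by_dest = defaultdict(list)
    for t in transfers:
        if t.amount < threshold:
            by_dest[t.dest_account].append(t)
    flagged = {}
    for dest, items in by_dest.items():
        items.sort(key=lambda t: t.when)
        for i, first in enumerate(items):
            span = [t for t in items[i:]
                    if t.when - first.when <= timedelta(days=window_days)]
            if len(span) >= min_count:
                flagged[dest] = sum(t.amount for t in items)
                break
    return flagged


def demo():
    """Constructed scenario: a 1,000-a-day cap and a run of sub-threshold transfers."""
    acct = Account(daily_cap=1000)
    day = date(2005, 2, 26)
    first = authorize_transfer(acct, Transfer(day, "AU-12345", 600), password_reentered=True)
    second = authorize_transfer(acct, Transfer(day, "AU-12345", 500), password_reentered=True)
    noauth = authorize_transfer(acct, Transfer(day, "AU-12345", 100), password_reentered=False)
    # Three transfers just under the threshold to one destination on consecutive days,
    # plus a single one elsewhere that should not be flagged.
    structured = [Transfer(day + timedelta(days=i), "LV-CONSTRUCTED", 9500) for i in range(3)]
    single = [Transfer(day, "AU-67890", 9500)]
    return first[0], second[0], noauth[0], flag_repeat_transfers(structured + single)


if __name__ == "__main__":
    print(demo())
```

The cap check is deliberately applied to the day's running total rather than to each transfer in isolation, which is what stops an attacker who controls the session from splitting a large theft into many small wires; the flagging routine is the bank-side counterpart, which catches the same splitting when it is spread over several days.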

Other authentication methods and devices on the market -- smart cards, USB tokens, password generators and biometric readers -- are technologically sound, but unwieldiness and cost continue to hamper mass adoption. In terms of user friendliness, Citibank's dynamic PIN-pad login -- where the mouse (instead of the keyboard) is used to click on random digits to form a password -- is more likely to catch on with other financial institutions and users.

But history has shown that any system can be beaten. A Malaysian man nearly walked away with around AU$625,000 before his scam was busted by authorities. Ng Kok Meng used a skimming device -- which captures data from a customer's ATM card -- to gain illegal access to the account.

Meanwhile, the Lopez vs Bank of America court ruling is still pending, but this case holds valuable lessons ... primarily that Internet banking, while extremely convenient, comes with its fair share of risks. There's no silver bullet, so don't expect Internet scams, hackers, trojan horses and the like to vanish overnight. The challenge for banks and customers to minimise their exposure to losses will continue. Security is neither about the journey nor the destination ... it's like an infinite loop which requires our constant attention.


Talkback (5 comments)

  1. Anonymous -- 26/02/05

    Dear Fran,

    Yes - there is a "magic bullet" - just like you have every time you visit your local supermarket and pay by EFTPOS - and it's the "PINPad". Over 20 years ago it was known that a cash register was NOT safe to use for such financial purposes and Australia led the way in creating a safe and secure system based upon advanced crypto and trusted hardware attachments for the checkout or cash register. There is no other way at present for the home PC! We know that - we knew that. Even Microsoft agrees with its NGSCB project clearly outlining the need for essentially putting that PINPad on the motherboard of every PC to be used for secure transactions purposes. In simple terms, why do banks even say that a PC is safe and secure to use for this home banking purpose? I can take a horse and cart onto the F3 in Sydney but I would not call it safe - and it could be illegal! No, the home PC was NEVER DESIGNED AND BUILT for safe and secure Internet transactions and to say that it was, or is, is itself - well - utterly amazing!

  2. Anonymous -- 28/02/05

    Instead of suing the bank for "failing to protect from online theft" (kind of like suing the bank when they get robbed) - why not SUE the maker of the Operating System.

    Checked online, and Backdoor.Coreflood infects, you've guessed it, WINDOWS SYSTEMS (9x/Me/NT/2k/XP). Why not SUE Microsoft for releasing an insecure system?

  3. Anonymous -- 28/02/05

    Part of the problem in my opinion is that no security consultant will ratify any system as being safe unless it is absolutely 100% safe. I have seen it over and over again. Heck, even a simple XOR based encoding dongle would probably suffice.

    I disagree with the assumption that authentication devices are too expensive. Fingerprint readers are around AU$100, and USB thumb drives can be had for around AU$30 (imagine the key size that would fit on a 32MB drive).

    The banks could preload these keys with two partitions, a fat32 partition with a client program and an encrypted partition containing the public identification key. In fact, they could do it cheaper with an SD card that would fit in the coin section of any wallet or purse, and card readers are only AU$20. (Cheaper if you presume as I do that in a year's time it will be near impossible to buy a computer without a card reader built in.)

    Sure they could still offer their https banking service, but there would be a big disclaimer and spyware warning.

    The clickable PIN (which one of my banks has adopted) is a bit of a stop gap. If that is the way it goes, then the spyware will simply take a screenshot of about 100 square pixels at every mouse click at a particular site. A bit harder to do than key logging sure, but back to square one with security.

  4. Anonymous -- 02/03/05

    Despite shutting branches and automating services, bank fees have risen. The online banking service should not be currently available, and if it is, it should be free of charges. The bomb went off some time ago, and in the settling dust, messages are lost or mixed the very next day for different reasons. SHA-1 has been broken. There is no safe combination. Screen capture software has been combined with key logging and downloaded via trojans for over six months, and a large majority of people don't pay enough attention to their funds - life is far too fast to read statements - don't they have accountants for that? Now where is that key?

  5. Anonymous -- 29/03/05

    European banks sleep well at night because they issue PIN protected tokens to customers. These tokens can generate not only One Time Passwords to authenticate customers at the front door of an ebanking application but also authenticate transactions, when they were carried out and tied to the amounts of the transactions and even the account numbers involved. It is not inconvenient - just ask the European banks that have already issued many millions of these devices.

    Eftpos terminals in every household? I don't think so. Security is a trade-off between ease of use v cost v security. The cost to a bank of issuing a connected eftpos terminal to every customer rules this out on the Help Desk calls 'can of worms' this would open up. They're not portable enough either.

    Internet banking can be made secure with appropriate cost effective authentication. Just look at Bendigo Bank.
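Comment 5 above describes tokens whose one-time code is tied to the amount and the account numbers of the transaction it approves. The following Python is an added example of that binding, written for this page rather than taken from the commenter, from any bank or from any token vendor: the token computes an HMAC-SHA256 code over the time step, amount and destination only after its PIN is entered, and the bank recomputes the code from the details it is about to execute, so a code issued for one destination does not verify for another. The shared secret, PIN, time step, amounts and account strings are all constructed, and the 30-second time step and HOTP-style truncation are design choices for the example.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Added example, not code from any bank or token vendor: a software model of a
# PIN-protected token whose one-time code is bound to the transaction details.
# The secret, PIN, amounts and account numbers below are constructed.


def transaction_code(secret: bytes, time_step: int, amount_cents: int,
                     dest_account: str, digits: int = 8) -> str:
    """HMAC-SHA256 over (time step, amount, destination), shortened with the
    RFC 4226 dynamic-truncation step to a code a customer can type in."""
    msg = struct.pack(">QQ", time_step, amount_cents) + dest_account.encode("utf-8")
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    number = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


class PinProtectedToken:
    """The customer's device: computes nothing until the PIN is entered and
    locks itself after too many wrong attempts."""

    def __init__(self, secret: bytes, pin: str, max_attempts: int = 3):
        self._secret = secret
        self._pin = pin
        self._failures = 0
        self._max_attempts = max_attempts

    def sign_transaction(self, pin: str, amount_cents: int, dest_account: str,
                         time_step: Optional[int] = None) -> str:
        if self._failures >= self._max_attempts:
            raise PermissionError("token locked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._failures += 1
            raise PermissionError("wrong PIN")
        self._failures = 0
        if time_step is None:
            time_step = int(time.time()) // 30   # 30-second step, an example choice
        return transaction_code(self._secret, time_step, amount_cents, dest_account)


def bank_verify(secret: bytes, amount_cents: int, dest_account: str, code: str,
                time_step: Optional[int] = None, drift: int = 1) -> bool:
    """The bank recomputes the code from the amount and destination *it* is about
    to execute, allowing one step of clock drift either side. A code produced
    for different details, or long ago, never matches."""
    if time_step is None:
        time_step = int(time.time()) // 30
    for step in range(time_step - drift, time_step + drift + 1):
        expected = transaction_code(secret, step, amount_cents, dest_account)
        if hmac.compare_digest(expected, code):
            return True
    return False


def demo(time_step: int = 36_000_000):
    """Constructed scenario: a genuine approval, the same code replayed against a
    swapped destination, the same code presented too late, and a wrong PIN."""
    secret = b"constructed-shared-secret-not-real"
    token = PinProtectedToken(secret, pin="2468")
    code = token.sign_transaction("2468", 90_000_00, "AU-CUSTOMER-SUPPLIER", time_step)
    genuine = bank_verify(secret, 90_000_00, "AU-CUSTOMER-SUPPLIER", code, time_step)
    altered = bank_verify(secret, 90_000_00, "LV-CONSTRUCTED", code, time_step)
    stale = bank_verify(secret, 90_000_00, "AU-CUSTOMER-SUPPLIER", code, time_step + 5)
    try:
        token.sign_transaction("0000", 1, "AU-CUSTOMER-SUPPLIER", time_step)
        wrong_pin_rejected = False
    except PermissionError:
        wrong_pin_rejected = True
    return genuine, altered, stale, wrong_pin_rejected


if __name__ == "__main__":
    print(demo())
```

The property worth noticing is in bank_verify: the bank never trusts the amount or destination the customer's PC sent alongside the code; it feeds the values it will actually execute into the same MAC, so a session that has been tampered with between the customer and the bank produces a mismatch rather than a silently re-routed transfer. What this design does not cover is a display on the customer's side that shows the right details while the PC submits different ones, which is why the devices the commenter describes show the amount and account on the token itself.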
