We put our money and our faith in online banking but can we rely on it?
Recently, I tried to log into my HSBC bank account via my iPhone, but the system would not grant me access. This was doubly frustrating given that I was looking to confirm some incoming payments had gone through so I could, in turn, dish out some cash to the tradesmen working on my house.
Resisting the temptation to ask if they would rather be paid in Tetley tea bags (of which we currently have plenty given the rate they go through), I nipped upstairs and tried to log in via a desktop browser instead. Again, no joy.
At this point, I did what everyone appears to do in a crisis these days and headed to Twitter. There I found the answer to my problem: HSBC had been targeted by online criminals in a denial of service attack, and I was merely one of 17 million personal and business customers affected. The workmen began to eye up the tea, scoffed some buns and said it would be okay to try again the following day. All, it seemed, was well with the world again.
And that would have been a relief had it not been the second time in a month that HSBC had been affected in such a way. Such occurrences do two things. They make you realise just how reliant we are on technology for our financial stability, and they also make you wonder just how safe our cash actually is. If a DoS can lead to a minor SOS in instances such as this, then what would happen if the criminals actually managed to breach a bank’s security and took away our meagre earnings?
As it turned out, HSBC was full of glee. “HSBC UK internet banking was attacked this morning,” it tweeted, “We successfully defended our systems.” It conjured up images of a gang of bank robbers trying to bust their way through the door of a safe while an army of financiers pulled it shut from within. Yet, as we’re seeing more and more, physical bank robberies are proving to be so last decade. Will it therefore only be a matter of time before a criminal group makes a major breakthrough?
Shoring Up Defences
Currently, we can breathe a sigh of relief. “We haven’t seen mass account compromises as a result of weaknesses in the overall security of online banking,” says Javvad Malick, security evangelist and community manager at security company AlienVault. But, even so, there are limits to how far online banking can go to protect our money. “Online banking, much like other aspects of banking, is as secure as it needs to be from a business and financial perspective,” Malick continues. “Just like credit card fraud, mortgage fraud and so on exist, there is a cost to increasing security to the point of diminishing returns.”
So as attacks continue to evolve and increase, what is secure – or sufficiently secure – today, may not be the case tomorrow. “Banks need to keep one eye on today’s trends and one eye on future developments,” Malick warns. And that begs questions about whether we’re sitting ducks on the verge of something rather nasty. Experts are unanimous in agreeing that the denial of service attacks may only be the start of an action that can quickly escalate into something much bigger and far more dangerous to our economic stability.
As it stands today, DoS attacks are relatively harmless, simply flooding a system and making it unavailable, to the frustration of customers demanding greater reliability. It means the biggest issue is availability, but there are wider repercussions. “The DDoS attack against HSBC was at the end of January when many people are submitting their tax returns, as well as waiting for their pay,” says Malick. “The impact to many individuals was greater than had it been towards the beginning of January. Also, as consumers and businesses become more reliant on online transactions, they don’t necessarily have sufficient backup processes in place to cope with a flood of online users such as call centres or branches.”
What, though, if criminals seek to take things one step further? “We’ve seen many instances in recent months where DoS attacks are used as a distraction tactic,” Malick continues. “By launching a DoS attack, a company will try to remediate the impact of it – creating the perfect opportunity for an attacker to exfiltrate data or install malware.”
Malware is one of the biggest problems facing the online banking sector. In November 2014, news began to emerge of a strain of malware known as Dridex, which was able to infiltrate computers and steal usernames and passwords. It was spread via an email containing a Microsoft Word or Excel document, which victims were tricked into opening on the pretence that it was an attached invoice from a bank, online retailer or software company.
Once the malware was installed on a computer, it enabled attackers to upload, download and execute files, monitor network traffic, take screenshots of the browser, add the computer to a botnet and communicate with other peer nodes. So far, it has been responsible for losses totalling some $100 million, and it may have been behind online heists on UK banks worth more than £20 million.
Dridex is still active and the National Crime Agency in the UK has been taking it very seriously. In October last year, it issued a fresh warning, urging people to update operating systems and anti-virus software. The Agency says it has been “conducting activity to ‘sinkhole’ the malware, stopping infected computers from communicating with the cyber criminals controlling them”.
“This is a particularly virulent form of malware, and we have been working with our international law enforcement partners, as well as key partners from industry, to mitigate the damage it causes,” says Mike Hulett, head of operations at the National Crime Agency’s National Cyber Crime Unit. “Our investigation is ongoing, and we expect further arrests to made.”
It has emerged that Dridex was developed by cyber criminals in Eastern Europe, but the problem is very much a worldwide one. According to security company Kaspersky Labs, in the third quarter of 2015 there had been 5.68 million notifications about attempted malware infections to steal money from users via online access to bank accounts. Last February, the firm also said there had been an “unprecedented” cyber-attack on up to 100 banks. Criminals had accessed bank networks by sending spoof emails to staff.
It is at this point that alarm bells should be ringing. We’re often told what we need to do to protect ourselves from online thefts but, as we’ve also seen from past cyber attacks, human error far from our own hands can also be to blame. Add that to systems that are not quite as robust as they’re imagined to be, and it soon becomes clear that questions about the safety of our internet banking really do need to be asked.
Extent Of The Problem
Last year, online banking fraud reached £130 million, up £70 million on the year before. And last October, figures collated by the RBS Group showed that 5,000 of its customers had fallen victim to various scams from January to September, with the amounts stolen amounting to some £25 million. The amount of money people are losing from scams is rising, and it now sits at £13,000 on average. Worse still, 70% of victims never see any of their money again.
In some cases, we’re our own worst enemies. According to the RBS Group, the main reason for rising levels of fraud, certainly among customers of NatWest, is vishing. This is short for ‘verbal phishing’, and it describes when rogue callers trick victims into revealing their account details and passwords. But according to Ross Anderson, a professor in security engineering at the University of Cambridge, the banks also need to take on a greater proportion of the responsibility. If criminals become more sophisticated, customers cannot be expected to be the vulnerable front line soldiers.
Anderson has frequently gone on the record to say that he refuses to bank online, and one of his main problems is that banks have moved the liability for fraud from themselves to the customers. It means if someone manages to get into your account using your passwords, then the liability is entirely yours. It doesn’t matter if the details were taken from you without your knowledge or if you’ve carelessly written them down on Facebook: the outcome is the same. It’s your responsibility, and if you’re found to have allowed criminals access to your accounts through negligence or accident, then you can wave goodbye to your money in a lot of cases.
Former hacker Mustafa Al-Bassam said as much during the Wealth Management Association’s Financial Crime Conference in January. As part of the underground hacking group Luzsec in 2011, when he was just 16 years old, he saw the problems faced by the banks from the other side, and his message was simple: “We care more about convenience than security.” Tellingly, that ‘we’, he says, is not just us, the general public, but the banks too. Damningly, he says there is no incentive for them to update security.
Does that mean we’re wide open, though? No, not in the slightest. Banks do make strong attempts to protect their customers, and they go out of their way to advise people on the best approaches to banking online. Their terms and conditions stress over and over again the need to be careful and the dangers of customers being lax with their own security.
Some banks make customers leap through hurdles to get at their money, the aim of which is to make it harder for an unauthorised transaction to take place. It’s broadly welcome, because if it’s too easy for us, it’s easy for criminals too. It is self-serving to a degree: the banks are aware we all make mistakes, and these kinds of measures save them a lot of hassle from customers complaining that their money has gone. Nevertheless, they’re ultimately aiming to protect us.
For this reason, HSBC, for example, asks customers logging in from a desktop computer to input an ID banking number and parts of a password, neither of which should be written down. It asks for a personal piece of information such as a primary school. And it asks for a PIN (that only the real customer should know) to be entered into a special gadget (which only a real customer should possess), which then generates a one-off code that can be entered as the final login step (a case of two-step verification). This should be about as secure as putting up two or three thick lead walls between you and your cash.
Security Concerns
But is every procedure welcome? Anderson, for example, has asked questions of some of the measures put in place by our banks, notably discussing credit card authorisation. In an academic paper written with colleague Stephen J Murdoch in 2010 entitled ‘Verified by Visa and MasterCard SecureCode: or, How Not to Design Authentication’, he claimed the 3-D Secure protocol used by the credit card companies used “lousy technology”.
Also known by the brands Verified by Visa and Verified or MasterCard SecureCode, 3-D Secure will be familiar to many people who shop on the web. When you make an online transaction with a credit or debit card, you’re taken to a screen that asks for parts of a password to be entered before the payment is authorised. This is a good move, because it means anyone who steals your card and tries to use it should hit a dead end (unless you’ve written your password down and taped it to the card, that is).
Yet one of Murdoch and Anderson’s main beefs boils down to why and not how 3-D Secure is used. The paper says, “its use is encouraged by contractual terms on liability: merchants who adopt 3DS have reduced liability for disputed transactions”, which again comes back to that blame game. The idea here is that if someone has used your card and then verified it with your password, then the chances are that you’ve given the go-ahead, so you have to prove otherwise. This is difficult to do, so it puts the customer at risk of losing out.
Anderson is very much against the bank providers transferring their liability of fraudulent transactions to us when they’re made using our passwords. He sees that as inherently unfair. Indeed, when asked if the reason why he’s never banked online is because he feels the systems are unsafe or because the risk of any potential problems lie with the customer rather than the bank, he tells us, “The latter”. It means the vulnerabilities we face when banking online have direct consequences for us, and it would seem your bank is not going to automatically bail you out if a criminal gets hold of your password and manages to take away your entire life savings.
Toe The Line
So what are we all to do? There’s no getting away from the fact that online banking is, as Al-Bassam says, convenient. We can check our balances, pay our bills, set up standing orders and move money from one account to another. With fewer bank branches, inconvenient opening times and wages that are paid directly into accounts, online banking removes travel and hassle.
Assuming you don’t want to follow Anderson and vow never to use to online banking, then you have to be savvy. Even though banks are potentially at risk of a mass breach at some point in the future, under those circumstances we customers should be protected. No bank is going to penalise customers for its own failings without the public kicking up a stink. For this reason, Jonathan Sander, VP of product strategy at the Lieberman Software Corporation, says, “the weakest links in the security of online banking tend to be the users”. Then again, that’s true of most technology.
“Users choose poor passwords because they can’t recall them. Users decide to use the same username and password combination to secure their online bank account and their online cat food ordering account,” Sander says. “When the bad guys break the poor security at the pet shop, they now have the keys to your bank account. But even with the poor choices of the users, they’re still very well protected. Bad guys stealing money online will never really become the user’s problem. Insurance will get them their cash back, and the bank is left with the higher premiums in the end.”
Sander says the power to secure your online banking mostly rests with you, the online banking user. “Of course your bank may get attacked. If the bad guys get into the systems of the bank itself, you’re protected by insurance and other mechanisms that mean you will have no real financial hit. Most often, though, online banking is exposed one poorly secured account at a time, as bad guys get username and password combinations from much weaker targets and then find someone used the same password at their bank too.
“The moral of the story is use every single security feature your bank gives to you. Turn on the bit that sends codes to your phone when you log in. As annoying as it may be, use a completely different username and password for the online banking account – at least a very different password. Don’t make yourself an easy target. Understand that you are a target for sure – we all are. But also understand that with all those other easy targets out there, just a bit of precaution can make you too annoying for the bad guys to spend time on.”
Limit Your Liability
According to Professor Anderson, customers who want to bank online need to do all they can to limit their own liability. But what steps should we be taking?
1. Don’t fall victim to phishing
“The main risk to alert people to is phishing, and specifically of the more technical kind where you get malware that facilitates a man-in-the-browser attack,” Anderson says. “The bad guy sits between you and the bank, and when you think you’re authorising a payment of £50 to me, you’re actually sending £5,000 to him.”
2. Check the website you’re on
Watch out for sites that are looking to get hold of your personal details, passwords and PINs. Check the URL of the banking site you’re on. Does it look legit, and does it have https in the address? Type the URL directly rather than going through a search engine or clicking on a link from another source such as an email.
3. Look for your name
Is an email supposedly from your bank addressing you by your name, or is it starting ‘Dear Customer’? If it’s the latter, then you really ought to steer clear, because it’s a sure sign that it hasn’t come from your bank and, even if it has, then it’s most likely going to be some generic junk that you can simply ignore.
4. Catch those spelling mistakes
Hey, we all make spelling mistakes, but if you spot some unusual arrangements of letters in your emails, then the alarm bells should be ringing – even more so if it’s then accompanied by some odd requests. No online banking service is ever going to ask for your bank card’s PIN and certainly not via email.
5. Don’t bank using your PC
This may sound surprising, but Anderson says, “Don’t use a Windows machine if you must bank online. Use something like an iPad, for which there is no malware currently available, at least to low-grade crooks (the NSA has some, but if they’re part of your threat model, there are other things you have to do).”
6. Keep things to yourself
Careless talk costs money, so don’t tell anyone your security details either verbally or by writing them down (and if you’re on the phone, check who’s listening). It goes without saying that if you really do need to make a note of them, that you should use some of code known only to you, and you don’t place them in the same pile as the rest of your banking documents and devices.
7. Choose secure passwords
Don’t choose a banking password that is the same as any other password you use, and make it as complex as you possibly can. Certainly don’t choose anything that is obvious or personal, such as a favourite football team or your date or birth. And go for two-factor verification wherever it’s offered, because it adds an extra layer of security.
8. Be aware of current con tricks
“Many people let themselves be fooled into deliberately making payments to people they shouldn’t,” Anderson continues. “If you owe a supplier some money and they email to say that their bank details have changed, check on the phone, or you may end up sending money to the wrong place. This is a rapidly growing scam, and many company finance departments are quite blind to it.”
9. Leave the prince to his own devices
Don’t give assistance to under siege princes desperate for a bank account, who promise to pay handsomely for your help. “And that’s before we talk about the sad vulnerable people who send money to a ‘young lady’ who says she loves them and just needs plane fare, or to the widow of a Nigerian politician who says she’ll share her stolen money if only the mark will pay an advance fee,” says Anderson.
10. Log out of your account
Most banking services will automatically log you out after a certain time, but don’t rely on that. If you nip away from your screen during an online banking session and there are others around, then there’s a risk that someone could jump on and have a poke around. This is certainly true when logging in using a public computer.
What The Banks Say
We look at the terms and conditions of some leading UK banks.
HSBC
We won’t make an immediate refund if we suspect fraud or that you intentionally or with gross negligence failed to keep your card, security device or your Security Details (including PINs and passwords) safe. However, we’ll investigate the transaction as quickly as possible.
RBS Group
Where a transaction on the account is confirmed by use of the security details and the service but you subsequently show that the transaction was not authorised by you, you will not be liable for that transaction provided you have kept your security details secret, you have acted with reasonable care and in accordance with these conditions, and you have not acted fraudulently.
Santander
You will be liable for all transactions or payments requested from your account using any of the services and/or any charges or interest incurred on the account as a result of any of those transactions or payments or payment requests in the following cases: a) any misuse, fraud or abuse of any service by you; b) you have disclosed your security details to another person; c) you failed to follow any of the safeguards set out in these conditions, your account terms and the user guide for your account.
Lloyds
If we can prove you have been grossly negligent with your device or security details, you will be liable for payments from your account but only until you have told us your device or security details have been lost, stolen or could be misused. In some cases, you will not be liable for a payment instruction you did not give yourself. These include where we have failed to tell you how to report that your device or security details have been lost, stolen or could be misused or where the unauthorised payment was made by telephone or internet.