Riya has just received an e-mail notification from her bank: it has been a long
time since she did any transactions on her savings account, which will be closed
if she doesn't log in and confirm her status. Riya bites the bait. People like
Riya, who may not be as cautious as others, enter their login IDs and passwords
on such pop-up windows, planted by a phisher, and suffer huge losses.
Internet banking is getting more popular in India, and with it the expected
losses due to phishing are rising. The most targeted industry sector for
phishing attacks continues to be financial services. According to the
Anti-Phishing Working Group (APWG), this sector averaged 81% of all hijacked
brands in March, with 9 out of 12 new brands falling in this category. According
to CyberSource Corp, which processes financial transactions, Internet frauds in
general cost merchants $2.6 bn in 2004, $700 mn more than in 2003.
Unlike phishing, in the case of pharming most victims, even the clever ones,
might have no idea that they are being scammed until it's too late. Though the
DNS attack tactics used by pharmers have been around for a while, the rise in
Internet banking, online shopping and electronic bill payment has created a wide
potential profit zone for criminals eager to get hold of login information and
credit card and bank account numbers.
Especially after Citibank became phishers' favorite brand, customers have become
more aware of possible cyber swindling. In late 2004 pharmers attempted to
exploit a known vulnerability in firewalls, redirecting Google, eBay and Amazon
visitors to sham sites.
Most private and international banks have already set up elaborate Internet
banking infrastructure, and nationalized banks are also moving fast to keep pace
with changing times. India to date has been relatively safe from unruly
Internet movements due to relatively low levels of PC penetration and skeptical
users. It is about time that the security drive for banks started.
Consumers Beware!
• If you have given out your debit, credit or ATM card information, report the theft of this information to the card issuer as quickly as possible. Many companies have toll-free numbers and 24-hour services to deal with such emergencies.
• If you have given out your bank account information, report the theft to the bank as soon as possible. Review bill statements carefully after the loss.
• If you have downloaded a virus or Trojan, install or update your anti-virus and personal firewall software. Clean the system and change the password again. Check your other accounts too.
• Don't tap into a wi-fi network unless you know to whom it belongs.
According to CN Ram, Head-IT, HDFC, "The use of digital certificates puts
a safety check on transactions. Though using private digital certificates is
cumbersome and expensive for individual customers, they are used for corporate
customer accounts, operating on both the client and the bank's site. HDFC's
corporate customers are also protected with SAP safeguards that use
server-to-server authentication for any transaction to take place
seamlessly."
Punjab National Bank, which according to the 2005 DQ-IDC Mega Spenders survey
had taken the top slot in IT spending, has appropriate safeguards built in.
According to KS Bajwa, GM-IT, "We have to constantly review our products and
ensure that adequate security measures are in place. We get Information Security
audits (including penetration testing) done by external auditors at periodic
intervals."
Phishing and Pharming: Murky Waters
Phishing is derived from "fishing": a social engineering attack that attempts to trick users into revealing personal information such as passwords and credit card numbers.
E-mails masquerading as official messages from banks are the typical tools used by phishers.
Phishing scams hooked unwary Internet users one by one into divulging data. Pharming threatens to reel in entire schools of victims. Pharming (from "farming") exploits the DNS, the Internet system that translates a computer name into an Internet Protocol (IP) address.
A computer with a compromised hosts file will go to the wrong website even if the user types the correct URL. More alarming is DNS poisoning, where the Domain Name System directory is "poisoned" so that large groups of users can be herded to fraudulent look-alike sites.
Trends: Website phishing trends suggest a dramatic increase in the volume of phishing-based malicious code attacks designed to run on a machine and log keystrokes when a connection is made to predetermined websites. The keylogger sends that information to a remote location for the purpose of identity theft.
A new variation of the scam is wi-fishing, where crooks set up wi-fi networks in public places so that people can get wireless broadband connections, ostensibly for free. The criminals can then track keystrokes and passwords.
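As an added illustration of the compromised-hosts-file variant of pharming described in the sidebar (example code written for this piece, not from the article or from any bank named in it), the script below parses a hosts file and flags watched banking domains that have been pinned to a non-loopback address, which is the sign that the correct URL would silently resolve to a look-alike site. The sample hosts file contents and the examplebank.test domain are constructed placeholders.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample hosts file (not from the article or any real bank).
# The last two entries are the kind a pharming infection plants so that the
# correct URL, typed by the user, still resolves to a look-alike site.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
# added by "update"
203.0.113.45    www.examplebank.test examplebank.test
198.51.100.7    netbanking.examplebank.test
"""

# Domains to watch; hypothetical placeholder, not a real banking host.
WATCHED_DOMAINS = ["examplebank.test"]

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, skipping comments, blanks and bad lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an "address hostname..." line, ignore it
        for host in fields[1:]:
            pairs.append((fields[0], host.lower()))
    return pairs

def is_watched(host: str, watched: List[str]) -> bool:
    """True if host equals a watched domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watched)

def find_overrides(text: str, watched: List[str]) -> Dict[str, str]:
    """Watched hostnames pinned to a non-loopback address in the hosts file.
    Loopback pins block a site rather than redirect it, so they are skipped."""
    hits = {}
    for ip, host in parse_hosts(text):
        if is_watched(host, watched) and not ipaddress.ip_address(ip).is_loopback:
            hits[host] = ip
    return hits

if __name__ == "__main__":
    for host, ip in find_overrides(SAMPLE_HOSTS, WATCHED_DOMAINS).items():
        print(f"ALERT: {host} is pinned to {ip} in the hosts file")
```

On a real machine the same check is run over the contents of /etc/hosts or the Windows hosts file, with the bank's actual domains in the watch list.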
PNB's web servers are provided with digital certificates and are SSL
enabled. Customers are forced to change their passwords at periodic intervals,
and a virtual keyboard feature has been provided for Internet banking login,
whereby the customer uses mouse clicks instead of typing on the keyboard. This
minimizes the risk of keyboard grabbing.
Some financial services companies, whose users are the prime targets of
phishing and pharming scams, are experimenting with "multi-factor
authentication" logins, including single-use passwords and automatic telephone
callbacks confirming that a transaction is about to take place. PNB too is
contemplating two-factor authentication mechanisms, which would use smart
cards, I Keys and tokens.
As per RBI guidelines on Internet banking, security issues include questions
of adopting internationally accepted state-of-the-art minimum technology
standards for access control, encryption/decryption (minimum key length),
firewalls, verification of digital signature, and Public Key Infrastructure (PKI).
The ifs and buts
According to an SBI spokesperson, India is still relatively safe from such
attacks; identity theft is dreaded in countries like the US because of the
widespread use of Social Security Numbers. Moreover, since most of the sites
are hosted, pharmers are more interested in dollars than in Indian rupees.
Once the Multipurpose National Identity Card (MNIC) project of the Indian
government is rolled out nationally, it may not be long before India goes the
US way in terms of higher phishing and pharming risks. Cyber laws in India also
have a long way to go before they become stringent enough to tackle such crimes.
Companies like Trend Micro, Symantec and McAfee are the global players
offering e-safety solutions to individuals and corporates.
Niraj Kaushik, Country Manager, India and SAARC, Trend Micro says,
"Though Pharming is more lucrative for pharmers, it is all the more
difficult to attempt. Safety solutions are implemented at Gateways, which keep a
track of the email and browsing exchange. According to IDC, 67% of desktops are
infected by spyware."
Invariably, all the banks that Dataquest contacted expressed the utmost need
for consumer education on Internet banking. Most banks advise clients to be
alert and not to divulge their user IDs and passwords in pop-ups.
Security is indeed the last word. According to Neeraj B Bhai, CTO, IDBI,
"Internet banking is not a one-time activity. The bank has to persuade its
customers to use the service to achieve cost advantage. In this case, data
security needs to be very thorough." The SBI spokesperson sums it all up:
"Banks that cannot provide such security should not be in the
business."
Jasmine Kaur