European Banks Threatened by Identity Theft

European banks, from Sweden to Austria, are likely to face, in the near future, an unprecedented wave of attempts at identity theft. Hackers from Latvia to Ukraine and from Serbia to Bulgaria are now targeting financial institutions. The global crisis has added to the rows of unemployed former spies, laid-off bankers, and computer programmers. Networks of secret agents, knowledgeable financiers, and computer-savvy criminals have sprung all over Eastern and Central Europe and the Balkans.
How can Europe’s banks defend themselves?
1. By assigning account or relationship managers to all business accounts and individual accounts above a certain size. This is the practice in private banking and investment banking, but it has yet to spread to retail. A one-on-one line of communication between client and specific bank officer places an insurmountable obstacle in front of hackers and criminals.
2. Banks should allow their clients to “block” their accounts at no charge to the client. Account blockage means that all transfers from the account require the confirmation and approval of one or two specific bank officers who know the client personally. Thus, even if a hacker or a criminal were to succeed to effect a transfer of funds, such illicit and damaging activity could be blocked by the bank.
3. Banks should ignore and disallow instructions in the account received by e-mail. E-mail communication is amenable to spoofing, hijacking, hacking, and other forms of impersonation. Even Web-based e-mail services such as Gmail are highly insecure, especially over wireless networks.
4. Instructions by fax should be accepted only after the client provided, verbally, a one time code (see below).
5. Verbal communication should be conducted via mobile phones, not fixed or land lines. The mobile phone’s SIM card guarantees the identity of the specific device used and allows for tracing in case a crime has been committed. On many networks the communication flow is encrypted. Man-in-the-middle attacks and interception are more difficult with cell phones.
Online Banking Safeguards

All of Europe’s major banks offer to their customers financial services and products through the Internet. But there’s a problem: computer security. To withstand the coordinated onslaught of hackers and cyber-criminals, who are constantly trying to empty the bank accounts of their victims, online banking Websites must incorporate many defensive safety features. These render the entire experience cumbersome and complicated and deter the vast majority of clients.

Generally speaking, European banks are far safer than American ones as far as online banking and their online presence go. The list below is short and by no means exhaustive and is based on a study conducted at the University of Michigan by Atul Prakash, a professor in the department of electrical engineering and computer science, and two doctoral students, Laura Falk and Kevin Borders:

1. All the pages of the bank’s Website must use SSL (Secure Sockets Layer) and TLS encryption technologies. In the Internet Explorer Web browser, a small, yellow padlock icon appears at the bottom or the top of the page when such encryption is available. It prevents hackers from tapping into the exchange of information between the user’s computer and the bank’s servers and routers. Most browsers now offer also a wide variety of anti-phishing protections.

2. Users should not use their computer keyboard to type in passwords. Many computers are infected with keyloggers: small software applications that monitor the user’s typing and pass on the information to networks of criminals. Instead, the bank should provide a “virtual keyboard” (a tiny on-screen graphic that looks like a keyboard). Users can then click their mouse and press the various “keys” of the virtual keyboard to form the password. Some banks use Java “sandboxing” and virtualization technologies in order to isolate the online banking session from the user’s potentially-infected browser or computer.

3. The banking Website should not re-direct the user to other domains or sites (which potentially are not as secure).

4. The bank should insist on strong passwords: minimum five characters, allowing combinations of numerals and letters, including capitalized ones. Few banks adhere to this rule, though. Many of them allow passwords with only 4-5 numerals.

5. The bank should never send any information pertaining to the account – especially not passwords – via e-mail. Many European banks violate this cardinal rule by sending a staggering amount of information about the account via email, including account numbers, balances, movements, and ownership.

6. The bank should insist on “two-factor authentication”. The user would need a username and password to access the Website. But, to transact in the account, he would make use of one time “tokens” (codes). Each user should be equipped with printed lists of such codes or with a special device that generates them. They can also receive the codes via SMS. The codes are used to transfer money, change the password, change the limit of withdrawal, give instructions regarding securities and deposits, etc.

%d bloggers like this: