Monday, June 15, 2009

Banks Have Serious Phishing "Issue"...and Opportunity!

Banks have a "serious issue" with phishing attacks aimed at their online banking customers. It's time they took a long and serious look at a simple solution.

The nature of this beast known as "phishing" is to lure online banking customers with a sophisticated, genuine-looking trap: genuine-looking emails that link to genuine-looking sites (a new "type" of bait and switch).

Once there, users are simply instructed to do what they've been programmed to do since day one with online banking. 

They are told to "type" in their username and password to log in. Problem is, once they "type" in their "username | password" they have handed full access to their accounts to the phisheries.

If you haven't figured it out already, allow me to point out the major flaw in this process. If online banking customers had not been originally programmed to "type" anything into a box in the first place, then this type of phishing would not have cropped up in the second place.

Case in point: imagine, if you will, that when ATMs first came out, users had been instructed to "make up" a username and password that would have provided full access to ATMs. How smart would that have been?

Fortunately the banks were smarter than that, and they required that their ATM customers insert their card into a built-in card reader AND enter their PIN. Two-factor authentication 101: what you "have" (card) and what you "know" (PIN).

I'm puzzled. Maybe perplexed. Why would they believe for a moment it should be any different for online banking log-in? What has happened since then to make them believe "typing" is safer than "swiping"? Why are they suddenly dissin' the card?

Window of Opportunity

Instead of dissin' the card, I say "DISCARD" the antiquated username | password log-in process and instruct customers to "USE THEIR CARD" (what they have) and their PIN (what they know), thereby replicating the exact same process these customers use to gain access to an ATM. True 2FA. The only difference would be that authentication would be done in the safety (no skimmers, no cameras) of the online banking customer's own home...with their HomeATM SafeTPIN!

If the online banking community introduced their customers to a simple new log-in process, one whereby they require that their online banking customers log in the "same way" they do at ATMs... with "THEIR CARD, THEIR PIN, & THEIR HOMEATM," they would greatly enhance the security of their online banking sites.

This two factor secure log-in would eliminate the issues they are having with these phishing attacks altogether. My opinion is that it is an opportunity they can't afford to pass by.

Why?  Because it would also eliminate issues they are having with cloned websites, cloned cards, DNS Hijacking, etc.  In addition, they would arm their online banking customers with a weapon of phish destruction, one that fights cybercrime and "empowers" them as mini-profit centers.  Does anyone disagree with the statement that  "Bill Payments, Money Transfers, and secure online transactions" ALL make money for banks? 
That said, I humbly suggest it's high time to "study these issues" more closely. There are three "key" issues banks need to contend with if they want to come out of this ahead. I call it online banking "CPR."

Let's look at "these issues" one at a time:

Bank "ISSUES" the Card,
Bank "ISSUES" the PIN, 

So Where's the Issue with a secure Card/PIN Reader?

Did you know that the average phishing attack costs the bank and the bank customer $350? Well it does: $196 for the banks and $154 for the consumers. Want proof? Okay, here it is from Gartner Research:

According to research firm Gartner, banks, online payment organizations and other financial institutions are bearing most of the financial cost of phishing attacks. (A survey of nearly 4,000 US consumers revealed a 40% increase in the number of phishing victims in 2008 over the year before, to five million.)

The average loss was $350 per phishing attack, but consumers said they had recovered 56% of their losses from the financial institutions involved.  (That's $196 to the banks and $154 to the consumers)

"The findings underline the fact that the war against phishing is far from over," said Avivah Litan, analyst at Gartner.  (Yes, the very same Avivah Litan who says "never" enter your PIN on the Internet unless it's hardware based)

Banks could (in quantity) issue around 70 HomeATMs for each successful phishing attack. It's the last remaining issue they need to contend with.

Speaking of phishing, here are a few of the latest as compiled by

HSBC Bank, 14th June 2009: Security Measures.
Halifax, 14th June 2009: Important Message
Egg Bank, 14th June 2009: Online Account Alerts!
Halifax Bank, 14th June 2009: Important message from Halifax - Action required
Abbey, 14th June 2009: Online Service
Halifax, 13th June 2009: Reminder Message - Must Read
Cahoot Bank, 13th June 2009: Unable to Verify Your Account
Halifax Bank, 13th June 2009: Dear Customer Account Has Been Suspended
MBNA, 13th June 2009: MBNA Online Banking Access
Halifax, 13th June 2009: Dear Customer Your Bank Account Has Been Suspended
Cibc, 13th June 2009: Using Your Information
HSBC, 12th June 2009
Abbey, 12th June 2009: Your Online Account Needs Update.
Abbey, 12th June 2009: You Have a New Message
Alliance and Leicester, 12th June 2009: Online Banking Update
Halifax Bank, 12th June 2009
Lloyds TSB Bank, 12th June 2009: You have a secure message from us
Cahoot Bank, 11th June 2009: Cahoot Bank - Account Access Denied
Halifax Bank, 11th June 2009: You have one new message in your Halifax Bank Plc Folder
MBNA, 11th June 2009: Protect your account fully
Commonwealth Bank of Australia, 11th June 2009: Netbank Account Reactivation
Egg Bank, 11th June 2009: Online Security Alert
PayPal, 11th June 2009: We were unable to process your most recent payment


41% of Americans Say No to Online Banking Citing Security Fears

Editor Insight: When 41% of your market state that "security fears" prevent them from using your product, you can either say, okay, I understand, have a good day, or you can say, here's a device that solves that problem. I have an inkling as to which one banks would prefer to say, which is why I feel good about the market's "first and only" PCI 2.0 Certified PED designed specifically for eCommerce use.

Here's an article from Finextra which reports that 41% of US and 38% of UK consumers won't bank online, citing security fears. Two-factor authentication, which exactly replicates ATM authentication (but without the skimmers or cameras), can be achieved with our device. And we've got the cost down to the point where banks could literally give them away. So what's to think about? Whether you want your logo imprinted or not, I suppose.

Finextra: Access and income no longer barriers to online banking - Gartner

A Gartner survey of almost 4000 consumers in the UK and the US shows that online banking take-up continues to grow across income and ages, with 47% of US and 30% of UK adults using the Internet channel in the previous month.

"Over the past several years, online banking has been seen as a way of appealing to more affluent and younger clients," says David Schehr, research director at Gartner. "However, what is becoming clear is that the overall level of consumer Internet use and the increasingly narrow segment of non-users - particularly in the US - are shifting the dynamics of who is using online banking and what they seek from it."

The most-frequently cited reasons for not using online banking were channel-related, that is, simply preferring to use other channels, for 61% of US non-users and 58% of UK non-users.

"Forty-one percent (41%) in the US and 38 percent (38%) in the UK cited security fears as the main reason for keeping their finances offline."

Inertia also appears to play a role, with a quarter of US refuseniks and 31% of UK non-users offering no single deciding factor in their decision not to bank online.

"Compared with younger consumers, preboomers, who are 63 or older, are more explicit in their reasons for not using online banking - they are comfortable with other channels, such as the branch, and they are worried about the security of online banking," says Gartner's Schehr.

"In a way, this creates a great opportunity to convert these nonusers to users, since the causes of their concerns can be more directly confronted and addressed."

HomeATM - Atmel Joint Press Release

Atmel's AT91SO25 Secure Microcontroller Helps Achieve PCI 2.0 Certification for HomeATM’s Safe-T-PIN Internet POS Terminal

San Jose, CA, June 15, 2009 - Atmel® Corporation (Nasdaq: ATML) and HomeATM announced today that the recent Payments Card Industry (PCI) 2.0 certification of HomeATM’s Safe-T-PIN™ is the result of an efficient collaboration between the two leaders on their markets. HomeATM’s Safe-T-PIN, powered by Atmel’s AT91SO25 secure microcontroller, is the first ever Internet Pin Entry Device (PED) to achieve such certification.

Atmel’s AT91SO25 dedicated features and Common Criteria EAL4+ security certification were instrumental in obtaining this first PCI 2.0 certification. This product is offered in a compact BGA144 package which brings high security and extended connectivity in a small footprint. Safe-T-PIN provides secure two factor authentication for e-commerce transactions and secure log-in.

Based on the ARM® 32-bit SecureCore™ SC100 CPU core, Atmel’s AT91SO devices are suited for highly secure systems such as card payment terminals. They achieve an outstanding level of integration of a wide array of peripherals. They feature 256 KB of EEPROM, 100 KB of RAM and 32 KB of ROM, cryptography engines to accelerate DES/TDES, AES, SHA-n, RSA, elliptic curves as well as many flexible interfaces such as USB, SPI, UARTs, GPIOs, magnetic strip and smart card interfaces. All devices are the only ones on the market to be certified Common Criteria EAL4+.

Kenneth Mages, CEO at HomeATM stated, “PCI 2.0 specifications are much more demanding than the previous versions when it comes to protecting a POS system. The choice of Atmel’s AT91SO25 Secure System-On-Chip has been really helpful to speed up and achieve our product certification.” 

Olivier Debelleix, Atmel’s Marketing Manager for Embedded Security commented, “Our AT91SO products for secure systems have been used in many POS applications that have been certified towards previous versions of the PCI standard. HomeATM’s PCI 2.0 certification demonstrates our products help to cope with the increasing demand for embedded security.”

About Atmel

Atmel is a worldwide leader in the design and manufacture of microcontrollers, advanced logic, mixed-signal, nonvolatile memory and radio frequency (RF) components. Leveraging one of the industry's broadest intellectual property (IP) technology portfolios, Atmel is able to provide the electronics industry with complete system solutions focused on consumer, industrial, security, communications, computing and automotive markets.

© 2009 Atmel Corporation. All Rights Reserved. Atmel®, Atmel logo and combinations thereof, and others are registered trademarks or trademarks of Atmel Corporation or its subsidiaries. ARM® and others are registered trademarks or trademarks of ARM Ltd. Other terms and product names may be trademarks of others.

About HomeATM

HomeATM owns a global patent for secure Internet PIN based transactions. Leveraging our E2EE PCI 2.0 PED certified solution, a merchant or remitter can move funds from their bank account or open loop/closed loop payment card in real-time. Utilizing HomeATM's patented solution with a bank issued card alleviates the burden for merchants to address fraud issues as HomeATM leverages the issuing bank's KYC/AML (Know Your Customer/Anti-Money Laundering) protocols. No other payment solution serves Person-to-Person, Business-to-Consumer, Business-to-Business, and Mobile Payments with the speed, security and cost-effectiveness of HomeATM. HomeATM is EMV ready and already enjoys strategic relationships with Cardinal Commerce and UATP.


For further information on Atmel’s Secure System-On-Chip family, go to:
