Banks have a "serious issue" with phishing attacks aimed at their online banking customers. It's time they take a long and serious look at a simple solution. (see left)
The nature of this beast known as "phishing" is to lure these online banking folks, with a sophisticated and genuine looking trap which includes genuine looking emails which provide links to genuine looking sites. (a new "type" of bait and switch)
Once there, users are simply instructed to do what they've been programmed to do since day one with online banking.
They are told to "type" in their username and password to log-in. Problem is, once they "type" in their "username | password" they provide full access to their accounts to the phisheries.
If you haven't figured it out already, allow me to point out the major flaw in this process. If online banking customers had not been originally programmed to "type" anything into a box the first place, then this type of phishing would not have cropped up in the second place.
Case in point: Imagine if you will, that when ATM's first came out, users were instructed to "make up" a username and password for which would have provided full access to ATM's? How smart would that have been?
Fortunately the banks were smarter than that and they required that their ATM customers insert their card into a built-in card reader AND enter their PIN. Two factor authentication 101. What you "have" (card) and what you "know" (PIN)
I'm puzzled. Maybe perplexed. Why would they believe for a moment it should be any different for online banking log-in? What has happened since then to make them believe "typing" is safer than "swiping?" Why are they suddenly dissin' the card?
Window of Opportunity
Instead of dissin' the card, I say "DISCARD" the antiquated username | password log-in process and instruct customers "USE THEIR CARD" (what they have) and their PIN (what they know) thereby replicating the exact same process these customers use gain access to an ATM. True 2FA. The only difference would be that authentication would be done in the safety (no skimmers/no cameras) of the online banking customers own home...with their HomeATM SafeTPIN!
If the online banking community introduced their customers to a simple new log-in process, one whereby they require that theironline banking customers log-in the "same way" they do at ATM's... with "THEIR CARD, THEIR PIN, & THEIR HOMEATM," they would greatly enhance the security of their online banking sites.
Why? Because it would also eliminate issues they are having with cloned websites, cloned cards, DNS Hijacking, etc. In addition, they would arm their online banking customers with a weapon of phish destruction, one that fights cybercrime and "empowers" them as mini-profit centers. Does anyone disagree with the statement that "Bill Payments, Money Transfers, and secure online transactions" ALL make money for banks?
That said, I humbly suggest it's high time to "studythese issues" more closely. There are three "key" issues banks need to contend with if they want to come out of this ahead. I call it online banking "CPR."
Let's look at "these issues" one at a time:
Bank "ISSUES" the Card,
Bank "ISSUES" the PIN,
So Where's the Issue with a secure Card/PIN Reader
Did you know that the average phishing attack costs the bank and the bank customer $350. Well it does. $196 for the banks and $154 for the consumers. Want proof? Okay, here it is from Gartner Research:
- Phishing attacks are costly:
The average loss was $350 per phishing attack, but consumers said they had recovered 56% of their losses from the financial institutions involved. (That's $196 to the banks and $154 to the consumers)
"The findings underline the fact that the war against phishing is far from over," said Avivah Litan, analyst at Gartner. (Yes, the very same Avivah Litan who says "never" enter your PIN on the Internet unless it's hardware based)
Banks could (in quantity) issue around 70 HomeATM's for each successful phishing attack. It's the last remaining issue they need to contend with.
Speaking of phishing, here are a few of the latest as compiled by Millersmiles.com.uk