2008-05-01
Abstract
'Banking organizations have failed to pledge that they will stop sending emails that add to the confusion.' Helen Martin, Virus Bulletin
Copyright © 2008 Virus Bulletin
According to a recent report released by UK payments industry association APACS, the rate of phishing attacks in the UK has increased dramatically over the last 12 months, with the number of incidents reported during the first quarter of 2008 up 200 per cent on the same period last year.
At least part of that increase may be due to greater public awareness of phishing attacks and how to spot (and consequently report) them - a theory supported by two further findings: the proportion of people either deleting or taking no action on receiving a phishing email rose from 75 per cent in 2006 to 82 per cent in 2007, and losses from online banking fraud fell by a third, from £33.5m in 2006 to £22.6m in 2007.
However, it is clear that phishing is still big business - and users of online banking systems are advised by APACS that they should 'just remember that your bank will never send you emails asking you to disclose PIN numbers, login details or complete passwords'.
But are the banks themselves doing enough to help their customers steer clear of online fraud? A new banking code released by the British Bankers Association (BBA) last month included advice for customers on how to avoid falling victim to identity theft and online fraud. The suggestions set forth constituted sound, well-considered advice both in terms of physical security (e.g. don't keep your cheque book and cards in the same place; shred any printed information about your accounts; notify the bank if an expected statement or letter is not received) and online security (e.g. use up-to-date anti-virus and anti-spyware products and a personal firewall; never follow a link from an email directly to a bank or building society; treat emails claiming to be from your bank or building society with caution).
Much was made in the media of a cautionary note contained in the code, which warned that, if customers fail to follow this set of guidelines to a reasonable degree, banks may hold the customer responsible for any losses that can be deemed to have resulted from such lapses in security.
In practice, of course, it is unlikely that failure to follow the advice to the letter will result in customers being asked to foot the bill for losses: the burden of proof lies with the bank to demonstrate that the customer has behaved unreasonably or irresponsibly, and it is unlikely that banks will invest the resources necessary to prove, in individual cases, that a customer's computer was not adequately secured. There is a fine line between scaremongering and giving users an incentive to take security more seriously, and the BBA code treads that line carefully - but for this ruling to have a positive effect it must be backed up with readily available information on what adequate protection looks like and how the average user can achieve it.
What was disappointing about the new banking code, and indeed remains disappointing in the banking and financial services industry as a whole, is that, while users are urged to 'always be suspicious of unsolicited emails that claim to be from your bank', banking organisations have failed to pledge that they will stop sending emails that add to the confusion. With phishing emails becoming increasingly stealthy - some even including warnings about the dangers of phishing - emails that are genuinely sent by banks (particularly those that contain links to the banking sites) compound the issue. A concerted and global effort to address the content and style of emails sent by banking organisations would go a long way towards helping reduce confusion.
VB has invited a panel of security experts from the banking and financial services sector to speak at VB2008 on the efforts their organizations are making to counter online fraud - it is hoped that such an open forum will facilitate the exchange of ideas and sharing of knowledge between the banking and anti-malware communities. VB2008 takes place 1-3 October 2008 in Ottawa, Canada. For details of the rest of the programme and online registration see http://www.virusbtn.com/conference/vb2008.