Handing thieves the keys

So, you do most of your banking online? Maybe you shouldn’t. As a computer hacker tells NICKY HAGER, it is alarmingly easy for scamsters to break into your accounts.

A QUEENSLAND teacher on holiday in New Zealand is paid $A1650 a fortnight to teach “Christian values” at a private school, and seems to spend a lot of her time in pubs. Her Westpac bank account had a $36,000 balance during her visit here.

A Wellington couple starts the day as they often do, buying expensive magazines in Lambton Quay, and later lunch at Caffe Mode in Kelburn. A computer consultant and accountant, they are Westpac customers and have a healthy $200,000 bank balance.

An employee of road management consultancy Opus International apparently spends over a quarter of his modest weekly income on gambling, mostly by direct credit from his PSIS account to the TAB.

Alarmingly, these details of real people and their spending habits were obtained by a New Zealand computer hacker who last month used hidden software to hack into dozens of private bank accounts.

He was not trying to steal the $500,000 in the accounts he reached, but wanted to demonstrate how unsafe it is to use internet banking in this country. He has agreed, on the condition of anonymity, to tell the Sunday Star-Times how he did it.

He began by visiting a Wellington internet cafe and installing a programme called a “keystroke logger” or “sniffer” on the public terminals. Easily downloaded off the internet, this programme quietly records everything typed on the computer.

In the following weeks, hundreds of people used the internet cafe, typing letters home, visiting dating sites and doing their internet banking. Each time they typed in their bank’s web address, user ID and password, they were recorded by the key-logger programme. The internet cafe computers automatically sent this information every six hours to an email account in another country where it was gathered by the hacker.

Soon the hacker could access a growing number of bank accounts, often with the same rights as the real account holder. He could make internet payments, transfer funds, check the person’s loans and spending history and change their personal details.

The same problems apply to internet banking from home and work computers. There are viruses designed to release a key-logging programme into your computer and websites that deposit a key-logger into your computer when you visit.

This New Zealand demonstration occurred the same week as Miami businessman Joe Lopez sued the Bank of America in what is believed to be the first legal action against a bank to recover money from internet banking crime. The Sun Sentinel reported that Lopez had $US90,000 withdrawn from his account last April by a Latvian hacker-thief. He is suing the bank for negligence and failing to protect him from online banking risks that it knew about.

Examination of New Zealand internet banking shows most banks here have the same low levels of security that allowed the Bank of America theft, where only a simple password is required to access a person’s bank accounts.

The implications are bluntly stated on the New Zealand Police website: “If you use internet banking a key-logger can record your bank account password, which is then used to remove all the money from your accounts.”

But most banks continue to advertise internet banking as “safe and secure” while dragging their feet over spending money to introduce secure access systems.

Although banks treat it as a customer’s responsibility if their password is used by others, one Auckland man managed to negotiate a confidential settlement with the BNZ, after a hacker from Estonia managed to steal $20,000 from his bank account.

A BNZ investigation found the man had a keystroke logger on his laptop, which “probably came through an illegal email attachment or via a dodgy pop-up on a website advertising plasma TVs”, the BNZ told Consumer magazine.

It is not known how many other settlements there have been to New Zealand victims, but the BNZ told the Sunday Star-Times it usually settled with its affected customers.

Keystroke loggers have become more widely available in the past few years, so internet banking crimes are set to increase.

Maarten Kleintjes, national manager of the Police E-Crime Lab, told Consumer last year that he warned banks “years ago” about the risk of account user names and passwords being captured by hacker thieves. The problem continued to get worse, he said, but the banks had told him that changing their online banking systems would take time and be costly.

Kleintjes told the Star-Times internet banking had “become a very risky way of doing your banking”. He often hears of cases of internet banking crime and said the main problem was that only one form of identification was needed: the user name and password, “which can easily be stolen”.

“The banks say you’re not allowed to give out your user name or your password. But if I type it into a keyboard when I’m sitting in an internet cafe or overseas in some airport trying to transfer money, I have no idea who I’ve given the password to.”

He said it was “unrealistic to expect customers to have any idea of the security of another computer that they don’t own”, and also unrealistic to expect customers to safeguard passwords at home. “There’s nothing reasonable that someone can do to stop this from happening, even on a home computer.”

As an example he points to a virus circulating called BankAsh-A, designed to steal online banking passwords. This is a key-logger, like that used by the hacker in this story, with added features to detect and disable Microsoft Anti-Spyware programmes. It is available off the internet and Kleintjes says you “don’t have to be a rocket scientist” to use it.

He argues that the banks need to introduce effective security for internet banking. The answer, he says, is “two-factor identification” where, to access internet banking, you need “something you know” (your password) and “something you have” (like the bankcard used for an ATM machine).

“ATM machines have been around for more than 20 years now and there’s been very little problem with it because the authentication is based on something that you have and something that you know,” he said.

There are various forms of two-factor identification available for internet banking. In Finland, he said, customers are given scratch cards, with a sequence of numbers that only the bank knows and instructions to use a new number for each internet banking session.

Various European countries routinely provide their customers with a small electronic device called a digital token. Looking like a calculator or electronic car key, the customer presses a button each time they want to access their account and it gives them a different number to type in each time they bank on the internet.

Kleintjes: “When internet banking was introduced about eight years ago, authentication using only a password was sufficient. In 2005, however, when computer viruses and attacks are part of everyone’s daily life, it is clearly not.”

To date, two New Zealand banks, ASB and BankDirect, have adopted two-factor identification. The banks automatically text customers when they want to move money online. The text, which costs customers 25 cents, contains a one-time password that must be used before the payment will proceed.

This precaution applies only for sums over $2500 per day, unless the customer sets a lower level.

Kleintjes: “Even if someone steals your password and can see what you have in your bank account, they can’t take any money away from you because they haven’t got your cellphone.”
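
The text-message check described above can be sketched in a few lines. This is an added example, not part of the original article and not any bank's code; the names are hypothetical, and the six-digit code, the five-minute expiry and the running daily total are assumptions the article does not specify.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

DEFAULT_THRESHOLD = 2500   # from the article: the check applies over $2500 per day
OTP_TTL_SECONDS = 300      # assumption: the article gives no expiry time


@dataclass
class Account:
    threshold: int = DEFAULT_THRESHOLD   # the customer may set a lower level
    moved_today: int = 0                 # assumption: "per day" is a running total
    pending: dict = field(default_factory=dict)  # payment_id -> (otp, expiry, amount)


def request_transfer(acct, payment_id, amount, now=None):
    """Return ("approved", None), or ("otp_required", code) for the SMS gateway."""
    now = time.time() if now is None else now
    # Compare the day's total, not the single payment, so several small
    # transfers cannot add up past the limit without a second factor.
    if acct.moved_today + amount <= acct.threshold:
        acct.moved_today += amount
        return "approved", None
    otp = f"{secrets.randbelow(10**6):06d}"      # CSPRNG, zero-padded to 6 digits
    acct.pending[payment_id] = (otp, now + OTP_TTL_SECONDS, amount)
    return "otp_required", otp   # sent to the phone only, never back to the browser


def confirm_transfer(acct, payment_id, code, now=None):
    """Release a held payment only if the texted code matches and is still valid."""
    now = time.time() if now is None else now
    # pop() makes the code single-use: one attempt, right or wrong, burns it.
    entry = acct.pending.pop(payment_id, None)
    if entry is None:
        return False
    otp, expiry, amount = entry
    if now > expiry or not hmac.compare_digest(otp.encode(), code.encode()):
        return False
    acct.moved_today += amount
    return True
```

A keystroke logger that captures the login password sees nothing that lets it pass `confirm_transfer`, because the code is bound to one payment, arrives on a separate device and cannot be replayed.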

Other banks have been slower to respond to the threats. Shona Bishop, BNZ’s general manager of channels, said that there was “world-wide growth” of internet banking fraud, so it was only a matter of time before more New Zealand customers were hit. About 10 BNZ customers a month are victims, she said.

Bishop said BNZ business customers already had two-factor identification and the bank was researching options for other customers and “may have something later this year”.

ANZ spokesman Craig Howie said the bank was confident about the security of its online banking and was “doing all we can in this area”. Howie declined to comment on whether the bank has plans for two-factor identification.

Westpac did not respond before deadline, but its website says: “Anyone using your customer ID and internet password will be allowed access to your accounts, whether they are authorised by you to do so or not. Westpac will have no obligation, or take any further steps, to verify any instruction received from you or appearing to be sent by you via online banking.”

Other bank websites have similar wording and say customers will be liable for some or all losses from unauthorised transactions.

So is there anything you can do? The bank websites advise customers to install and regularly update anti-virus software that detects Spyware; install a personal firewall; keep your browser and operating system software up-to-date, and never download any files from websites (such as programmes, games, screensavers, mp3) that you are not completely sure about.

But Kleintjes says this puts unreasonable and unrealistic demands on bank customers “who should not have to become computer engineers before they can safely use internet banking”.

CYBER ROBBERY
Internet banking: is it safe?

Police say the safest way of internet banking is having a “two-factor” identification process, such as “something you know” (your password) and “something you have” (like the bankcard used for an ATM machine). This is the authentication process for online banking in New Zealand:

  • ASB: Normal password plus security password sent by text before each money transfer permitted (for transfers over $2500 or less if instructed).
  • BankDirect: Normal password plus security password sent by text before each money transfer permitted (for transfers over $2500 or less if instructed).
  • BNZ: One password authentication for normal customers but safer ‘two-factor identification’ for business customers.
  • Kiwibank: One password.
  • PSIS: One password.
  • Westpac: One password.
  • National: One password.
  • ANZ: One password.