For companies operating on the internet, the challenge of providing a safe and secure environment for customers has grown significantly.
For the financial services industry in particular, it's a major problem: bringing customers online helps lower the cost of doing business, but the rising volume of digital menaces threatens to erode public trust.
One of the fastest-growing scams is phishing, a form of online identity theft.
A recent report from researcher Financial Insights said that phishing will cost financial services firms $400m (£217m) worldwide in fraud losses in 2004.
"The trend is worrying," said Barclays chief technology officer Kevin Lloyd. So why are so many people falling for these tricks?
Inside a phishing scam
Part of the challenge is that the technical prowess of the conmen is increasing faster than banks can come up with ways to combat it.
"What is clear is that these are very sophisticated fraudsters and they've turned their attention to the internet channel," said Lloyd.
The scams typically target customers by sending emails pretending to be from their bank.
The email convinces recipients to click on a link, which takes them to a near-perfect copy of their online banking site - but usually missing the padlock symbol at the bottom of the web browser indicating that it is secure.
People are asked for their full password, rather than the variable selection of characters requested by the real site. "Hey presto, you've given away your details," explained Lloyd.
Many scams are sophisticated enough to use those details and dynamically link users to the real banking site and log them on as normal.
"But when you log off, your details have been kept by the fraudsters who then log in, change your password and typically set up a third-party beneficiary and pay out the maximum amount available," said Lloyd.
The money will be collected almost instantly by a debit card transaction, which appears completely legitimate to the bank. "And then everyone disappears," added Lloyd.
Another method used by scammers is a Trojan horse virus that accesses banking sites by monitoring and capturing the keystrokes typed.
To combat this, some banks have changed their sites to make people select numbers from a drop-down list rather than typing them on the keyboard.
"But now the criminals are clever enough to measure the mouse movements so they can detect which numbers you've clicked on. There's not much you can do about that, because that's real sophistication," warned Lloyd.
And the bad guys are becoming smarter still. "The grammar used to be poor and it was a hit-and-miss affair," explained Barclaycard technology consultant Dave Taylor.
"We are now seeing emails that are marketing-focused. The grammar is excellent and you'd never know it came from a hacker.
"We're also seeing a lot of really interesting code that is being deployed on our customer PCs. They're much more successful than they were six months ago."
Dealing with the problem
So how can banks cope? Customer communication is a priority, according to Matthew Timms, head of internet banking at Lloyds TSB. "We need to educate customers on how to use the internet," he said.
The next step is to change login screens to warn customers of fraud and advise them how to act online.
"We also encourage customers to have the latest software on their PCs, but there's no real way for us to check up on this," said Lloyd.
"We could do some checks as to what people are using when they log on, but there's a fine line between what's reasonable to expect from customers and what's not."
Tactics can also move away from technology solutions and involve changes to the way the business operates.
"We can dynamically change the pay away limit on people's accounts or make it harder to create a new beneficiary," said Lloyd.
"All banks have turned down the transfer limit, and we've all made it more difficult to set up a third party."
"You might ask the customer to contact you on the phone to validate it, or send a text message.
"Another thing you can do is set up a delay on the transfer so that it doesn't go through immediately, giving customers a chance to pick up on the problem and alert us."
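The business-rule controls Lloyd describes, combined into one decision function as an added Python example (not code from the article or from any bank). The transfer limit, the two-day definition of a "new" beneficiary and the 24-hour hold are assumed values, and all names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values, constructed for illustration only.
TRANSFER_LIMIT = 1000                 # lowered pay-away limit per transfer
NEW_PAYEE_AGE = timedelta(days=2)     # a beneficiary counts as "new" for this long
HOLD = timedelta(hours=24)            # delay before a new-payee transfer is released


@dataclass
class Beneficiary:
    name: str
    created: datetime
    confirmed_out_of_band: bool = False   # validated by phone call or text message


@dataclass
class Decision:
    action: str                           # "reject", "challenge", "hold" or "release"
    release_at: Optional[datetime] = None
    reason: str = ""


def assess_transfer(amount: int, payee: Beneficiary, now: datetime) -> Decision:
    """Apply the limit, the out-of-band check and the delay, in that order."""
    if amount > TRANSFER_LIMIT:
        return Decision("reject", reason="over pay-away limit")
    is_new = now - payee.created < NEW_PAYEE_AGE
    if is_new and not payee.confirmed_out_of_band:
        # Stolen web credentials alone cannot complete this step.
        return Decision("challenge", reason="new beneficiary needs phone/SMS validation")
    if is_new:
        # Confirmed but recent: delay so the customer can spot and report it.
        return Decision("hold", release_at=now + HOLD, reason="cooling-off delay")
    return Decision("release", release_at=now)


def replay_scam(now: datetime) -> list:
    """Replay the pattern from the article: new third party, then maximum payout."""
    mule = Beneficiary("third party", created=now - timedelta(minutes=5))
    attempts = [TRANSFER_LIMIT * 5, TRANSFER_LIMIT]   # constructed amounts
    return [assess_transfer(a, mule, now).action for a in attempts]
```

With these rules, a payout to a beneficiary created minutes earlier is either rejected or stopped at the validation step rather than collected almost instantly.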
Barclaycard believes it has come up with a potential solution in the form of its chip authentication technology.
The company is testing a small portable device, similar in shape to a calculator, that allows owners to insert their credit or debit card, enter a Pin and receive a unique one-time eight-digit number that is used to confirm their authenticity.
The credit card provider started issuing readers to customers in June. So far it has 2,000 of an anticipated 5,000 customer pilots underway, according to Taylor, who co-authored the chip authentication specification.
He explained that the idea is for consumers and businesses to have one device that will interoperate with all their cards, regardless of the issuer. A draft standard is expected in September.
But until a mass-market solution is in place, banks will be forced to accept the dangers of doing business on the web.
"I think most banks will take it as a cost of being in that business, like we do with cheque fraud," said Lloyd.
"We have an acceptable risk profile for cheque fraud, and I think we'll have an acceptable profile for internet fraud."
Case study: Online bookmakers
The bookies are an attractive target for organised criminals looking to make a quick buck from your bet, reports Daniel Thomas.
Betting is one of the industries to have benefited the most from the growth of the internet.
There are an estimated 1,700 gambling websites where you can have a flutter, and analyst Datamonitor predicts that revenues will reach £559m by 2005. Some £49m is expected to be gambled online this year.
But where there is money, there is crime, and online bookmaking is no exception.
The National Hi-Tech Crime Unit (NHTCU), working with the Russian authorities, last month smashed an online fraud racket believed to be responsible for extorting thousands of pounds from sports bookies.
The gang, located in St Petersburg and south west Russia, targeted prominent betting firms, including William Hill, Paddy Power, Blue Square and Canbet, using thousands of virus-compromised computers to hit bookies' servers with denial-of-service attacks.
"The criminals then contacted sites demanding between $10,000 and $40,000 at a time," said a spokeswoman for the NHTCU. "Sites were blackmailed and told that unless they paid, the attacks would continue."
In the build-up to the Cheltenham Festival in March, bookmaker William Hill was targeted by the gang.
"The attack lasted 24 hours on our sports book, but we managed to contain it very well," said spokesman David Hood.
"During that time we were only totally down for 30 minutes, but the rest of the time we were at 75 per cent capacity."
Following attacks on Canbet in October 2003, the NHTCU and the online bookmaking industry were already working together to reduce the gravity of new threats, with William Hill only losing 25 per cent of a day's online takings.
"We had put in a number of procedures in anticipation of attacks on our sites," said Hood. "Co-operation between online competitors, BT and the NHTCU really helped prevent further attacks."
Online betting firms are particularly vulnerable, because crime syndicates can judge the potential losses from downtime during a major sporting event, according to Neil Barrett, visiting professor of computer crime at Cranfield University.
"It's an organised crime story, not a hacking story. These people focus on where the money is, and that's why bookies have been targeted," he said.
"With online betting, it's easy for the criminal to work out the loss a site will make and judge the blackmail demands. They make attractive targets for extortionists. A well thought out denial-of-service attack will kill anything."
But Barrett explained that the fatal flaw lies in the ransom demand. "Criminals have to provide a means of communication to get the blackmail ransom and by doing that they can be caught," he said.
Last month's arrests could lead to a rethink by the organised crime fraternity, with fraudsters shifting more focus to crimes such as hacking and phishing that are difficult to police, according to Barrett.
"It will go in two directions: hackers will move into the online extortion market and organised crime gangs will focus more on hacking and phishing," he said.
"But the hackers will get caught really quickly because they don't have a sophisticated way to launder money like the crime syndicates do."
Hood suggested that there are plenty of other targets for the crooks to hit.
"When you consider the travel business, financial services, share dealing and other e-commerce sites, such as Amazon, it is a massive marketplace for them," he warned.





