Phishing in India on the rise

CIOL Bureau

Phishing, and subsequent identity theft, is proving to be one of the biggest threats plaguing the banking sector today. While online banking and, more recently, mobile banking may be a convenient alternative to long, cumbersome queues, it is still not a safe option for customers who are unaware of the associated threats.

An increasing number of customers using the Internet banking facilities of leading Indian private banks and financial institutions in the major metros are falling victim to extremely sophisticated cyber criminals, who have come up with new and innovative ways to steal net banking passwords, and money, from their accounts.

Phishing on a High

There have been reports of phishing incidents at India's large state-owned banks like the State Bank of India and Bank of India, and at large private banks like ICICI Bank and Axis Bank, in the recent past. As per the findings of Axis Bank's security department, phishers have sent more than 1,00,000 emails to account holders of Axis Bank as well as other banks.

"Bank of India faced a phishing attack in July 2008, where one of our users started receiving mails from an entity claiming to be a representative of the bank. We soon discovered that the site was a duplicate being hosted from Korea and sought the help of CERT-IN, and shut down the spurious website within eighteen hours," says PA Kalyansunder, general manager, IT, Bank of India.

Similarly, in January, two top banking organizations, HDFC and ICICI, were targets of phishing attacks in which emails told users that the banks were updating their online security mechanism, and that they should therefore key in their banking information on the website the fake email led them to.

Considering that phishing was pretty much unheard of in India a few years back, this frequency is something to be concerned about. Over the last one year the biggest challenge faced by banks is the lack of awareness that Indian Internet banking users have about such fraudulent practices. With the success rate being high, phishing attacks have multiplied and become more advanced.

According to a survey conducted by Singapore-headquartered software product company ReadiMinds, security was one of the top three concerns for Indian banks this year, with almost 30% of them being victims of phishing attacks in the last one year.

Symantec observed many phishing trends during the second half of 2007. A majority of brands targeted by phishing attacks were in the financial services sector, accounting for 80% of the total volume. The financial services sector also accounted for the highest volume of phishing websites during this period, at 66%, down slightly from 72% in the first half of 2007. Symantec observed 87,963 phishing website hosts during the second half of 2007. This was an increase of 167% from the first half of 2007, when the company detected 32,939 phishing website hosts.

As per CERT-IN, a total of 392 phishing incidents were reported by various national and international agencies during 2007. The threat has continued to grow in terms of the number of incidents reported in the year 2008, with 27% of the incidents reported being phishing attacks.

Worsening with Time

The techniques used for phishing have changed little, but their distribution and sophistication in deployment have changed greatly. In addition to botnet-hosted website phishing, which is increasingly untraceable, other sophisticated techniques such as vishing (phishing over VoIP), skimming (the fraudulent act of reading and storing the information encoded on the magnetic stripe of a debit or credit card), spoofing (duplicating an original bank site) and smishing (SMS phishing) are being employed by hackers to cheat users out of their money.

Industry experts are also witnessing a new trend called spear phishing, a technique whereby emails that appear genuine are sent to employees or members of a certain company, government agency, organization, or group to gain access to a company's entire computer system.

Banks have tried their best to deal with the growing number of reported phishing incidents by pushing for some legislative changes, user training, public awareness, and technical measures. However, despite advanced filtering, better law enforcement, greater efforts at user education, and other measures, reports of phishing have not declined. So what are banks doing to reduce the number of attacks and prevent customers from falling prey?

Prevention & Cure

"Better communication and customer awareness is the key," says Anil Jaggia, CIO, HDFC Bank. As a first step toward further tightening their anti-phishing strategies, all banks have taken up better customer awareness and education strategies.

According to ReadiMinds, only 57% of the Indian banks had a formal plan in place for creating customer awareness against online identity theft and financial frauds last year. As a rule, banks have now started issuing instructions on their websites about the dos and don'ts of Internet banking and have also started mailing customers about the precautions they need to take to secure their financial information.

Banks are also taking the initiative to remind customers to update their anti-virus software and browser applications, so that their PCs do not support any back-door entries and spyware installations. They have also initiated a 24-hour customer response team to which customers can report any form of identity theft or account discrepancies.

"Presently, many leading banks have appointed agencies to carry out a 27X7 monitoring of the Internet, activities on the bank's website and also the profile of the users and nature of their transactions at any given time," says Kalyansunder. In addition, most banks have been partnering with law enforcement agencies and organizations such as CERT-IN to shut down spoofed sites quickly.

ICICI, HDFC, Bank of India and a few other public as well as private banks have started implementing dual-factor or second-factor authentication, 128-bit SSL (secure socket layer) encryption, and scrambled keyboards, adding multiple layers of security that help a user identify a fake website and not divulge his credentials.

"Axis Bank is in the process of implementing second factor authentication to enhance the security features of the online banking gateway," says VK Ramani, CIO, Axis Bank. Besides, almost all banks today send out post-transaction alerts to customers on their mobile and email ID, so that the customer response time is quick and any illegal transactions can be reported quickly. "The post transaction alerts sent to HDFC customers are directly monitored by the risk management team," says Jaggia.

Another key development is that Indian banks have appointed Chief Information Security Officers (CISO) to manage all the security concerns within the bank. The CISO leads a team dedicated only to security and functions separately from the central IT team.

"At BOI, information systems security is treated as a separate division from IT. This is a separate team which is headed by the CISO (chief information systems security officer), who reports directly to the general manager, Risk Management, and not to the general manager, IT," says Kalyansunder. Other private sector banks such as ICICI and HDFC also have appointed CISOs to deal with security as a whole.

According to ReadiMinds, more than 57% of the banks still do not have a dedicated budget for online security, choosing instead to include online security as part of their overall IT budget. However, the appointing of CISOs is slated to reverse this trend going forward.

Though banks have been pioneers in embracing the latest technologies and have constantly been scaling up their security procedures, vulnerability to hackers remains. Threats are evolving and becoming more dynamic with the increasing number of customer touch points and delivery mechanisms.

Hence, phishing can no longer be handled by a technology solution alone. Banks have to put in place the right blend of technology, policy guidelines, and user awareness to keep pace with the increasing sophistication with which fraudsters operate.