Tag: online banking

Some banks claim their sites are phishing-proof

Some South African banks are claiming their sites are secure, despite the fact that folks continue to lose money through phishing exploits.

For those who just tuned in, phishing is a process whereby you get an email (in this case, from a financial institution), asking you to log into your account to clean up some administrative issue. You click the link in the email, and are immediately directed to a fake website that looks like your bank’s. As you enter your username and password, a thief is getting it instead of the bank’s systems, and the thief then uses it to log into the real bank site and empty your account.

Note that this is a single step process, and requires no additional validation. The only bank I have seen of late that has figured this out is Bank of America. They require you enter a valid account number and the state the account is located in. You are then redirected to another entry page, where you are presented with an image and a keyword (both preselected by you), at which time you enter your password and proceed. That is a multi-step process, and one that would be relatively hard to exploit via a phishing lure, unless you aren’t paying attention to the image and keyword. I might also suggest that Bank of America require its customers to change said image and keyword (or at least re-validate that data) every sixty days or so, to keep customers on their toes.

Nevertheless, this is the only bank I’ve seen doing this (and I’ve seen quite a few bank front ends). Kudos to B of A – to rest, well good luck with those claims.

PS: Spamroll was not paid to shill B of A, and Michael doesn’t own any Bank of America stock either.


It seems Ed Falk, whose comment below outlined the fact that even two-factor authentication was subject to man-in-the-middle attacks, was entirely on target (and a quite timely in his comment as well). Phishers have thwarted the process using exactly that.

Note that the Citibank system used a physical token that generates additional passwords (which recycle ever minute). I’m not fond of such devices, but the fact that the phishing site described can also return error messages, it could be used to catch additional server-side authentication measures as well. The site in question has already been shut down, something that likely happened as a result of someone monitoring those returned messages to Russia.

***UPDATE 2***

Discussion on this at Bruce Schneier’s blog.

Nine out of ten Americans need to think twice

And, possibly hire a financial advisor and/or just get off the “lazy American” kick. When 9 of 10 say they’d like their bank to monitor their online accounts for them, I say be extremely careful of what you wish for.

Trojan doesn’t beat the Christmas rush

A new trojan has been identified whose purpose is stealing online banking passwords. If criminals were smart, they would have released this bug before the holidays – there isn’t any money (or credit lines) left for them now.

Gotta love a good survey

Some firm does a survey about online security worries, and comes up with the notion that interest in online banking has stalled in the US. Of course, they only surveyed 1,000 people when they came to the conclusion that online banking had plateaued. How many polled actually had internet access, I wonder?

The report did say that reports of security breaches and fear of telemarketers were the driving force – that much we can all agree on.