New security features to make online banking safer

Sunday, December 26, 2010

BERLIN - Fraudsters keep on finding ways to steal money from accounts online. But banks are also stepping up their security measures to protect online money transfers.

Online banking was first introduced to the world 30 years ago in Germany, when Verbraucherbank AG set up a system to allow customers to transfer money from computer screens.

Even back then, money transfers could not be completed without a pre-assigned transaction number in combination with a PIN (personal identification number). The principle is largely the same today.

But transaction numbers that are printed and distributed might be seeing their last days, because online thieves keep finding ways to get hold of these numbers.

Banks have tried to get around this problem by requiring customers to pick specific numbers from a list for each transaction, even predetermining a random order to be used from the list, in the vain hope that this will foil thieves.

But none of that has proved a guarantee against thieves. That failure has cost innocent customers thousands of euros.

Germany’s federal police logged about 2,900 cases of phishing in 2009, in which thieves used online trickery to steal transaction numbers. That number is expected to have doubled for 2010.

Thus, the printed lists are becoming a thing of the past. “The current system with paper lists is ending and will be shut down, at the latest, by mid 2011,” says Juergen Ebert, a spokesman for Germany’s Postbank.

Some banks have already gotten rid of the printed numbers. Several have already offered to provide the numbers to customers as mobile phone-based text messages, meaning the mobile phone number needs to be linked to the bank account number.

This system is seen as safer, since the transmission of data via text messaging means there’s a second data transmission channel to secure the money transfer.

But already, smartphone users have seen malware programmes cropping up, targeting operating systems like Nokia’s Symbian or RIM’s Blackberry, to capture these transaction numbers or reroute them to the phone number of a swindler.

Thus, security analysts have recommended only using these mobile numbers on secure smartphones or simple mobiles that are not linked to the internet.

Other German banks have begun to move to a system whereby two devices are needed to receive the transaction numbers. Information is inputted on a regular computer, while the transaction number information is displayed on a separate device that resembles a pocket calculator.

A debit card is inserted into this secondary device to access the transaction number. “Con-artists have no way to manipulate both devices simultaneously for their own ends,” says Ebert. The new service “is optimised for customers who don’t have a mobile phone or want to do banking while underway”.

A simpler option, available for about 15 euros ($20), means users don’t have to type in the number displayed on the secondary device, but can let the information be transmitted to their PC via light signals from five light sensors on the number generator.

Those sensors then receive the recipient’s account number and the transaction confirmation, which must be confirmed by the user. The generator then releases the proper number to complete the transaction.

The new system has received high marks for safety from groups like the German Federal Office for Information Security (BSI).

“Hardware-based solutions are generally recommended, since the cryptographic key is securely stored on a special platform,” says BSI spokesman Tim Griese. Using the extra hardware also makes online banking less vulnerable to attacks like phishing.
