Identity theft threatens the viability of online banking and similar business models. European banks, from Sweden to Austria, are likely to face, in the near future, an unprecedented wave of attempts at identity theft. Hackers from Latvia to Ukraine and from Serbia to Bulgaria are now targeting financial institutions. The global crisis has added to the rows of unemployed former spies, laid-off bankers, and computer programmers. Networks of secret agents, knowledgeable financiers, and computer-savvy criminals have sprung up all over Eastern and Central Europe and the Balkans. How can Europe's banks defend themselves?

1. By assigning account or relationship managers to all business accounts and to individual accounts above a certain size. This is the practice in private banking and investment banking, but it has yet to spread to retail. A one-on-one line of communication between the client and a specific bank officer places an insurmountable obstacle in front of hackers and criminals.

2. Banks should allow their clients to "block" their accounts at no charge to the client. Account blockage means that all transfers from the account require the confirmation and approval of one or two specific bank officers who know the client personally. Thus, even if a hacker or a criminal were to succeed in effecting a transfer of funds, such illicit and damaging activity could be blocked by the bank.

3. Banks should ignore and disallow instructions on the account received by e-mail. E-mail communication is amenable to spoofing, hijacking, hacking, and other forms of impersonation. Even Web-based e-mail services such as Gmail are highly insecure, especially over wireless networks.

4. Instructions by fax should be accepted only after the client has provided, verbally, a one-time code (see below).

5. Verbal communication should be conducted via mobile phones, not fixed or land lines. The mobile phone's SIM card guarantees the identity of the specific device used and allows for tracing in case a crime has been committed. On many networks the communication flow is encrypted. Man-in-the-middle attacks and interception are more difficult with cell phones.

Online Banking Safeguards

All of Europe's major banks offer their customers financial services and products through the Internet. But there's a problem: computer security. To withstand the coordinated onslaught of hackers and cyber-criminals, who are constantly trying to empty the bank accounts of their victims, online banking Websites must incorporate many defensive safety features. These render the entire experience cumbersome and complicated and deter the vast majority of clients.

Generally speaking, European banks are far safer than American ones as far as online banking and their online presence go. The list below is short and by no means exhaustive, and is based on a study conducted at the University of Michigan by Atul Prakash, a professor in the department of electrical engineering and computer science, and two doctoral students, Laura Falk and Kevin Borders:

1. All the pages of the bank's Website must use SSL (Secure Sockets Layer) and TLS encryption technologies. In the Internet Explorer Web browser, a small, yellow padlock icon appears at the bottom or the top of the page when such encryption is available. It prevents hackers from tapping into the exchange of information between the user's computer and the bank's servers and routers. Most browsers now also offer a wide variety of anti-phishing protections.

2. Users should not use their computer keyboard to type in passwords. Many computers are infected with keyloggers: small software applications that monitor the user's typing and pass on the information to networks of criminals. Instead, the bank should provide a "virtual keyboard" (a tiny on-screen graphic that looks like a keyboard). Users can then click their mouse on the various "keys" of the virtual keyboard to form the password. Some banks use Java "sandboxing" and virtualization technologies in order to isolate the online banking session from the user's potentially infected browser or computer.

3. The banking Website should not redirect the user to other domains or sites (which potentially are not as secure).

4. The bank should insist on strong passwords: minimum five characters, allowing combinations of numerals and letters, including capitalized ones. Few banks adhere to this rule, though. Many of them allow passwords with only 4-5 numerals.

5. The bank should never send any information pertaining to the account - especially not passwords - via e-mail. Many European banks violate this cardinal rule by sending a staggering amount of information about the account via e-mail, including account numbers, balances, movements, and ownership.

6. The bank should insist on "two-factor authentication". The user would need a username and password to access the Website. But, to transact in the account, he would make use of one-time "tokens" (codes). Each user should be equipped with printed lists of such codes or with a special device that generates them. They can also receive the codes via SMS. The codes are used to transfer money, change the password, change the limit of withdrawal, give instructions regarding securities and deposits, etc.
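The transaction-code scheme in item 6, as an added example that is not part of the original article: a constructed Python model of a printed list of single-use codes, in which the bank keeps only salted hashes, a password-only session may read but not transact, a code that has already been spent is rejected on replay, and the list locks after repeated wrong codes. The class and function names and the set of protected actions are my own choices, taken from the actions the article lists.

```python
import hashlib
import hmac
import secrets

# Actions the article says need a one-time code on top of the password
# (constructed example; not the code of any real bank).
PROTECTED_ACTIONS = {"transfer", "change_password", "change_limit", "securities_order"}


class TanList:
    """A customer's printed list of single-use transaction codes.

    The bank stores only salted hashes of the codes; the plaintext list is
    handed to the customer once (here returned by `issue`).
    """

    def __init__(self, count=10, code_len=6, max_failures=3):
        self._salt = secrets.token_bytes(16)
        self._hashes = []
        self._used = [False] * count
        self._failures = 0
        self._max_failures = max_failures
        self._count = count
        self._code_len = code_len

    def issue(self):
        """Generate the codes, keep their hashes, return plaintext for printing."""
        codes = ["".join(secrets.choice("0123456789") for _ in range(self._code_len))
                 for _ in range(self._count)]
        self._hashes = [self._hash(c) for c in codes]
        return codes

    def _hash(self, code):
        return hashlib.sha256(self._salt + code.encode()).digest()

    def redeem(self, index, code):
        """Consume code number `index` (0-based); returns (ok, reason)."""
        if self._failures >= self._max_failures:
            return False, "list locked after repeated failures"
        if not 0 <= index < len(self._hashes):
            return False, "no such code index"
        if self._used[index]:
            return False, "code already used"  # a replayed code is rejected
        if not hmac.compare_digest(self._hashes[index], self._hash(code)):
            self._failures += 1
            return False, "wrong code"
        self._used[index] = True  # single use: burn the code on success
        self._failures = 0
        return True, "ok"


def perform(action, tan_list, index=None, code=None):
    """A password session may read; protected actions also need a valid code."""
    if action not in PROTECTED_ACTIONS:
        return True, "allowed with password only"
    if index is None or code is None:
        return False, "one-time code required"
    return tan_list.redeem(index, code)
```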