FNB's online clients moved to new platform to keep fraudsters at bay

Published Mar 31, 2007


First National Bank, along with the other big South African banks, is making major changes to its online banking facilities in an effort to counter the surge in fraud that is being committed through the internet. Between 500 000 and one million of the bank's customers have been switched over to a new platform to do their online transactions. For added security, they will have to use a one-off personal identification number each time they log on to their accounts.

A worldwide rise in online banking fraud and a 1 000-percent increase in the incidence of phishing emails in the past year prompted First National Bank (FNB) to switch its online banking customers to a different platform last week.

Chris Kotze, the chief executive of online banking at FNB, says another reason for the switch-over to the new platform was that the previous technology used could no longer support the current and anticipated number of online FNB clients.

"We did a pilot switch-over with 80 000 clients last November and then started a full-scale migration to the new platform last week," he says.

Although he would not divulge the exact number of FNB online banking clients, Kotze says it is "somewhere between 500 000 and one million".

Online clients were first informed of the pending switch to the new platform last October via a message on the bank's website. This message has become more prominent on the website in recent weeks.

The bank has also switched to a one-off personal identification number (PIN) system by which clients are issued, by SMS or email, with a new PIN for each internet banking session. This PIN cannot be used again by anyone.

Internationally, online banking has become a prime target for fraudsters, who use key-logging devices at internet cafés to capture your user name and password.

More recently, there has been an increase in phishing emails (see accompanying table) that ask you to update your personal details. The email directs you to a bogus website that may look similar to your bank's website.

Kotze says there has been growth of about 650 percent and 800 percent in phishing in the United States and the United Kingdom respectively in the past year.

"Between February 2006 and February 2007, FNB has witnessed a 1 000-percent growth in the number of phishing attempts regularly, with up to 20 customers a day falling prey to this," he says.

FNB advises online customers not to use the links provided in an email to access a bank's website, but rather to type the address into the internet browser's address bar themselves.

Anti-virus software

For the past four years, Absa has made anti-virus internet security software available to its internet banking clients free of charge, at a cost to the bank of about R484 a client.

Although the bank declined to divulge how much this has cost, Christo Vrey, the general manager of digital channels at Absa, says the bank has saved its internet banking clients more than R45 million in anti-virus software purchasing costs.

This year alone, Absa security staff have noted six phishing attempts, which, ironically, have titles such as "security update" and "account security verification". The emails warn you about fraud attempts and direct you to a bogus website where you are asked to enter your PIN and account details.

"None of the banks would ever request your PIN or password in an email. You should ignore these mails or contact your bank's customer service centre immediately to verify the mail," Vrey says.

As an additional security measure, Absa customers who want to add a new beneficiary to their account are sent a random verification number by email or SMS.

You can also opt to receive SMS notification of any internet banking activity on your account. Although the first 20 SMS notifications in a month are free, you will pay 60 cents for each additional SMS for the rest of the month. This policy is to be reviewed soon, Vrey says.

If you have received a phishing email and have already replied to it, providing your details, you should immediately change your PIN and password either online or at your Absa branch.

Free firewall

Standard Bank offers McAfee anti-virus and firewall software free of charge to its 600 000 online banking clients.

The online customer base is growing at a rate of up to 30 percent a year, says Standard Bank spokesperson Erik Larsen.

Herman Singh, the director of technology engineering at Standard Bank, says two years ago the bank responded to a 290 percent increase in phishing attempts by introducing anti-fraud software from the New York-based Cyota Corporation.

You can also use an update facility, which informs you via SMS whenever a transaction takes place on your Standard Bank account, as well as a confirmation of payment, which is sent to both the person paying in the money and the person receiving it when the transfer has been successfully processed.

As with the new system being deployed by FNB, Standard Bank customers also use a one-off password for each of their internet banking sessions and, more specifically, to update their profile, add or change beneficiaries, reset their PIN and make one-off payments.

SMS authorisations

Nedbank has implemented SMS-based authorisations for payments to third parties. This means that any payment that has not been pre-registered on your online profile will require a second level of authorisation. A one-off reference number is sent to your cellphone and this has to be entered by you before the payment can go through.

"Since the reference number is independent of your computer, it is highly unlikely that fraudsters using key-logging software can access this information," Maire Eltringham, Nedbank's head of virtual channels, says.

If you suspect you have been a victim of online fraud, you can contact Absa on 08600 08600; FNB on 011 303 0960; Standard Bank on 0800 020 600 or Nedbank on 0860 115 060.

According to the Electronic Communications and Transactions Act, banks must provide a sufficiently secure payment system that conforms to the latest technological standards. The Act also requires banks to disclose what measures they have taken to secure their clients' information.

HOW TO PROTECT YOURSELF

- Never save your password on to your desktop because it may allow other users of your computer to access your personal information without your permission;

- Create passwords that consist of random numbers and letters;

- Never provide your online password or personal identification number (PIN) to anyone, not even a bank official, and never write them down;

- Never provide your password or PIN to any website that you do not recognise and fully trust;

- Enter your PIN or password only when your browser indicates that your computer has made a Secure Sockets Layer (SSL) connection directly with the bank;

- Do not leave your computer unattended after you have entered your password or your PIN;

- Always log or sign off at the end of a banking session;

- Beware of emails that ask you for your passwords, PINs, or credit and debit card information;

- Avoid doing your banking from public computers, such as those at internet cafés, because you cannot know what software is loaded and if it will compromise your banking transactions;

- Make sure no person has unauthorised access to your computer;

- Check that no security cameras are trained on your computer and keyboard;

- Ensure that you install the latest anti-virus software applications on to your computer and update them regularly;

- Make sure the software on your computer is correctly licensed as you then have recourse should it fail to protect you;

- Update your operating system and browser with the latest security patches;

- Install a personal firewall programme;

- Provide your credit card details only to reputable companies; and

- Look for the lock and key icons and security certificates to ensure you are shopping on a secure website.

Safety tips supplied by Absa

HOW ONLINE FRAUD IS COMMITTED

Phishing:

You are sent an email, ostensibly from your bank, that asks you for personal information, such as your identity number and your personal identification number (PIN). No South African bank will ask you to verify your PIN in an email. In fact, the banks do not generally expect you to verify your PIN, so this type of communication should immediately put you on the alert. If you do receive such an email, forward it immediately to your bank and do not respond to it.

Spear phishing:

This describes a targeted phishing attack where the fraudsters send their emails to a specific group of people rather than randomly selected targets.

Spoofing:

Fraudsters create a website that looks like your bank's website but is not. They send you an email or another form of communication that has a link or information that directs you to the bogus website. Once there, you are asked to carry out your transactions - giving the fraudsters the opportunity to steal your personal details.

Key-logging spyware:

This is often used at public internet cafés, or the spyware can be sent to you as an email attachment. If you open this email, the spyware installs itself on your computer rather like a virus. The software captures information about the keys you press when banking online. The fraudsters then use this information to log on to your bank account.

Pharming:

You are redirected from a legitimate website to a bogus website without your consent or knowledge through viruses the fraudsters send to your computer through emails or attachments. The fraudsters are then able to capture your log-in name and password on their bogus websites. One way that they can do this is to corrupt a legitimate domain name system, which translates internet and email addresses into numerical strings. The fraudsters alter the numerical strings to reflect their false information, which will then shuttle you to their bogus website even if you have typed in the correct address.
