Are Financial Institutions Gambling With Your Security?

Online Banking

The rise of digital interactivity has seen the modern, tech-savvy individual accessing their money on the go, through internet banking, tablets, smartphones and the like. With the deluge of email, SMS and social network spam becoming an all-too-familiar problem, and the most common scams involving financial fraud, the modern mobile user needs to be cautious about how they go about accessing their account.

Scams that try to obtain your bank credentials in order to siphon money from your account are, more often than you would think, successful. That’s because it’s getting increasingly difficult to distinguish the real from the fake. More surprising, and perhaps more worrying, is that the very institutions we trust with our savings are, in part, contributing to the problem and gambling with our security through common but negligent communications practices that should be avoided.

Many of us have seen a scam email or text from an organisation purporting to be our bank. The attackers, also known as phishers, are sending texts with messages such as “Your Visa card has been deactivated. Please call [hyperlinked number] to reactivate it.”

When an unwitting recipient calls the number, they are asked by a rather professional-sounding individual, who appears to be from their bank, for their name, bank card number, account number, expiration date, security/PIN code and/or address – all the data criminals need to gain access to their credit card or bank account. If there isn’t a link to a phone number, there is often a link to a legitimate-looking website, where fraudsters can easily get the same information from the customer.

The problem here is that financial organisations are often using very similar communications with customers themselves. This makes it difficult for customers to determine whether a text message or email is legitimate or not. The banks themselves are often making the fraudsters’ work easier by not implementing best practice in the ways they communicate with their customers.

So what do banks need to do to ensure their communications are not confused with phishing attacks? Firstly, legitimate messages should never contain embedded and clickable phone numbers or website links as this is a common technique used by scammers.

Secondly, when supplying a number for customers to call, banks often give the switchboard number, when in fact they should offer a dedicated number to the fraud department. Supplying a switchboard number slows down the resolution of the potential fraud and also gets customers accustomed to handing over more details than necessary on a call (a fraud department would not need to use filter questions to understand the enquiry in the same way a switchboard would).
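The two rules above can be checked mechanically before a message is sent. The following lint is an added example, not code from the article or from Cloudmark; it flags clickable links, `tel:` links, bare URLs and phone numbers that are not the dedicated fraud line, and the phone numbers and sample messages are constructed placeholders.

```python
import re

# Added example: lint outbound customer messages against the two rules above,
# no clickable links or phone numbers, and a dedicated fraud line rather than
# the switchboard. Numbers below are constructed placeholders, not real lines.
FRAUD_LINE = {"08005550100"}      # constructed: dedicated fraud department
SWITCHBOARD = {"08005550000"}     # constructed: general switchboard

URL_RE = re.compile(r"https?://\S+|www\.\S+", re.I)
HTML_LINK_RE = re.compile(r"<a\s[^>]*href\s*=", re.I)
TEL_LINK_RE = re.compile(r"\btel:\+?[\d\s-]+", re.I)
# A run of 9+ digits, allowing spaces/dashes, not embedded in a longer number.
PHONE_RE = re.compile(r"(?<!\d)\+?\d[\d\s-]{7,}\d(?!\d)")


def lint_message(text, fraud_numbers=FRAUD_LINE, switchboard_numbers=SWITCHBOARD):
    """Return a sorted list of rule violations found in an outbound message."""
    findings = set()
    if HTML_LINK_RE.search(text):
        findings.add("html_link")            # clickable web link
    if TEL_LINK_RE.search(text):
        findings.add("tel_link")             # clickable phone number
    if URL_RE.search(text):
        findings.add("url")                  # bare URL most clients auto-link
    for raw in PHONE_RE.findall(text):
        digits = re.sub(r"\D", "", raw)      # normalise "0800 555 0100" etc.
        if digits in switchboard_numbers:
            findings.add("switchboard_number")
        elif digits not in fraud_numbers:
            findings.add("unlisted_number")  # not a known fraud line
    return sorted(findings)


# Constructed sample messages, not real bank communications.
SCAM_STYLE = ("Your Visa card has been deactivated. Please call 0800 555 0000 "
              "or visit http://example.invalid/reactivate to reactivate it.")
CLICKABLE = 'Suspicious activity? Call <a href="tel:08005550100">0800 555 0100</a>.'
COMPLIANT = ("We noticed unusual activity on your account. Call the fraud team "
             "on 0800 555 0100, the number also printed on the back of your card.")

if __name__ == "__main__":
    for name, msg in [("scam-style", SCAM_STYLE), ("clickable", CLICKABLE),
                      ("compliant", COMPLIANT)]:
        print(f"{name}: {lint_message(msg) or 'ok'}")
```

Note that the clickable sample is flagged even though it carries the correct fraud line, because a `tel:` link is exactly the pattern customers are told never to trust.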

Through bad practices such as these, banks are actually conditioning customers to fall for fraudulent scams. Best-practice guidance on how to communicate with customers has been available to financial institutions for years, yet many banks still do not follow it. If banks were to consistently follow some basic best practices, the fraud problem could be greatly reduced, saving banks and taxpayers significant losses. My advice to banks is:

1. When consumers call your automated services, do not ask them for their full account number or card number along with their PIN.

2. Definitely do NOT ask them for any of their website passwords. To authenticate that the customer truly is who they say they are, ask for the amounts of two recent transactions or parts of their account number (but never the whole thing). Don’t just authenticate the customer — also prove to the customer that you truly are their bank, so that they can authenticate YOU. This will train customers to be cautious of who they are giving their information to, and condition them to expect their financial institutions will also prove to them who they really are.

Consumers should always remember:

1. If you receive a message that is suspicious, report it.
a. If the message is an email click the “Spam” button in your email interface.
b. If the message is on a social network, click the “Report Abuse” option.
c. If the message is an SMS message forward it to 7726 (“SPAM”) or other reporting service offered by your operator.

2. Never contact your financial institution by clicking on a link in an email or text message. Also never contact your financial institution by calling a phone number in an email or text message. Instead, go to your bank’s website by typing the address manually into your web browser, then go to the “Contact Us” page and phone the number provided there, to ensure that you are calling the correct number or logging into the correct website.

3. Never reply to a text message or email for a service you are not sure you opted into and trust. If you receive a message offering a service that sounds too good to be true, or seems a bit odd, then proceed with caution. Be aware that replying to text messages can sometimes lead to extra charges on your phone bill if the number you send to is a special premium-rate number.

4. Be aware that unusual behaviour on your phone or unexplained charges on your phone bill could be a sign that your phone has been compromised.

5. Don’t use the same password for different websites or services. Create different passwords for all your online logins and avoid simplistic passwords, such as the last four digits of your phone number, or public information. As a general rule of thumb, if the password information may be available on Facebook—don’t use it.

The mobile channel presents a very useful tool for banks to communicate with customers, but they must take measures to ensure that they are not contributing to fraudulent activity. For the channel to be as effective as possible, it is vital that banks institute the best practices recommended here to ensure that their messages cannot be copied and co-opted by the fraudsters themselves.

As Chief Technology Officer, Jamie de Guerre is responsible for Cloudmark's technical strategy and roadmap and oversees Cloudmark's Technology Services, Sales Engineering and Service Provider Support teams. Through Jamie's leadership a strong relationship and collaboration is ensured between Cloudmark customers and internal solutions development. Since joining Cloudmark in 2003, Jamie has played a central role in shaping Cloudmark's products and technologies. Starting as a core member of the design team writing the first design specifications for Cloudmark Server Edition and Cloudmark Authority, Jamie was also instrumental in dramatically growing Cloudmark's Global Threat Network. Jamie helped drive the development of the Cloudmark Network Feedback System enabling automatic incorporation of feedback from all subscribers within a service provider's network. Prior to Cloudmark, Jamie was with Microsoft working on the .NET Compact Framework, where he first began working with service providers. Jamie has spoken at numerous industry events and panels in the areas of email security, mobile technologies and future security threat vectors related to emerging messaging mediums.