Bangkok Post

Bank web scammers slip through net

Financial institutions can’t agree on the best way to catch internet ‘phishers’, writes Ranjana Wangvipula


Internet banking needs to implement stronger online security to better protect customers who fall prey to web “phishing”, an online expert says. An inspection of bank websites found only some banks have installed what he calls “anti-web phishing” to double-protect their customers while many do not have this feature on their networks.

A check by the Bangkok Post found that Bangkok Bank and Kasikorn Bank use different measures to deal with phishing. The state-run Krung Thai Bank was not available for comment.

Under the phishing scam, customers who are deceived into clicking on a link in emails claimed to be sent by banks are taken to websites made by online fraudsters. On these pages, which look almost exactly the same as bank websites, if they enter user identities and passwords, the information can easily be collected by criminals.

But with anti-web phishing programmes, customers who are not fully aware of the trick will know immediately whether they have come to a fake site. The programme, now being used by CIMB Thai Bank, sends customers “secure words”, or private messages or codes which they earlier gave to the bank, after they type in their user ID. A Pantip webboard member says he was tricked into revealing private information after he registered for Prompt Pay.

This enables them to check whether they are logging into the right place as only the customers and the bank know the secure words, said Orathip Wongkajorn, first vice-president of the Kuala Lumpur-based bank.

If the customers do not get their correct secure words, Ms Orathip said, they will not go to the next stage to enter their passwords, cutting short the scam to get their information.

“This is a simple but effective measure against the ploy to phish unaware customers,” said the expert.

Yet some banks have not installed it even though the matter is not complex, he said, after his visits to many bank webpages. This makes the intensity of online security measures different from bank to bank, he said.

“Perhaps the banks think it’s not convenient for their customers as they are required to go through additional steps under the anti-web phishing programme to get into their bank accounts,” he said.

But different security standards can lead to legal disputes if customers are exposed to phishing and subsequently lose money to online criminals. It is currently hard to determine who — banks or customers — should be held responsible for the damages, he said.

He called on the Bank of Thailand to set a stronger minimum security standard to commit all banks to adopting the same online security approach against cyber attackers. If the banks do their best to reinforce their cyber safety, nobody will point a finger at them if customers still fall victim to tricksters.

It does not mean major banks’ current attempts to deal with web phishing are not good, said the expert, whose work involves handling various online fraud cases. These steps, including the launch of warnings against those emails with dangerous links, are helpful. “But how can the banks make sure message receivers understand these warnings?” he said, basing his experience on victims who rarely took the warnings seriously.

The target of phishing gangs is not tech enthusiasts or the so-called millennial generation, those born between 1982 and 2005. It’s people in the classes of “baby boomers” and “generation X”, born between 1945 and 1960, and 1961 and 1981 respectively, the expert said. People of this age often have more money and, as a result, more damage is caused if they are swindled, he said.

The Bangkok Post has found a mix of reactions to banks’ warnings against online phishing. Senior employee Sujinda Borvorn said such warnings are not enough, and urged banks to install anti-web phishing programmes to help customers, while Techawit Sompetch, a younger office worker in his mid-20s, said the warnings are helpful but he was not confident they can help everyone.

One man who signed up for the much-promoted Prompt Pay scheme, an online money transfer system, became a victim after he received an email last month with the bank logo and what it said was a “message alert” which prompted him to click on a link to check the message. Posting a complaint on Pantip.com, he believed there might have been a problem with his Prompt Pay registration and claimed he had never been warned by the bank.

“About 80% of internet users fall prey to web phishing,” said Technological Crime Suppression Division’s police inspector Patompong Sillapasuk.

They get their email addresses from online shops which bank customers leave their information with and invent a story saying their accounts have been hacked. Alarmed victims easily fail to check whether it is a lie and easily forget banks’ warnings because they are more worried about their money, Pol Maj Patompong said.

Leading financial institutions such as Bangkok Bank and Kasikorn Bank are aware online criminals are exploiting these customers’ weak points as the banks’ online system is intensively guarded. Executives insisted they are helping their customers by working with experts to block access to phishing webpages and shutting them down.

The anti-web phishing programme is only one solution as there are many threats in the cyber world, especially harmful computer viruses which can put customers at risk. Multi-prong measures, including increasing customer awareness, are needed to help banks combat cybercrimes, Kasikorn Bank’s first senior vice-president Art Wichiencharoen said.

Web phishing is not an easy issue to deal with as it occurs outside a bank’s security wall, Bangkok Bank executive vice-president Prassanee Ouiyamaphan said. One of the best prevention measures is to educate customers, she said.


Sending money and paying utility bills used to require a trip down to the bank during office hours. Today, thanks to smartphones and tablets, those same tasks can be done anytime and anywhere through websites or mobile financial apps.

But the increasingly sophisticated methods used for committing mobile phone banking fraud have raised questions about the trade-offs between cybersecurity and convenience.

Typically, the websites and apps for banks and financial institutions are fairly safe from outside intruders as they have the resources needed to upgrade their defences against cyberattacks. However, this does not mean their digital systems are 100% hack-proof. Users themselves must be careful and learn how to keep themselves from falling victim to cyberthieves.

The golden rule of being safe from hackers: Don’t let anyone know your personal financial information or most important passwords.

Here are a few other security tips from Citibank Thailand to keep you safe online.

Protecting devices from WiFi threats

When you bank online, you should not use public or shared computers, such as those in internet cafes, or even devices belonging to acquaintances, as you may be open to harmful or specific software programs housed on them which could steal your personal information.

Strong password

The password you set for online financial services should be a combination of at least six alphanumeric characters, without repeating any character more than once.

Your password should not be based on a user ID, personal telephone number, birthday or other personal information. One’s date of birth and telephone number are easy to guess, so more complicated pieces of information are better suited for use as passwords.

In order to strengthen and keep your password safe, you should memorise it and not record it anywhere, including in your mobile phone. You should also change it regularly and not use the same password for online banking that you use for logging into non-banking websites.

Ensure that no one is watching you while you key in your password or any other sensitive information. Do not share your password or make it accessible to others. Importantly, you should not reveal your password to anyone, even if they purport to be banking staff. Misplaced trust has led to several fraud cases.

You should not allow anyone to keep, use or tamper with your mobile phone, and the number that was registered with banks to receive your one-time password (OTP) should not be revealed to anyone. Notify your bank immediately when you change your mobile phone number.

Avoid auto log-in function

Internet banking users should never select the option auto-save on browsers for storing or retaining user names and passwords when logging into their online accounts.

Install antivirus software

Anti-virus installation on both personal computers and mobile phones is another important measure to help protect from online banking fraud. Make sure your computer and mobile phone have the most current anti-virus software installed.

Anti-virus software needs to be frequently updated to guard against new viruses. Make sure you download antivirus updates as soon as you are notified that a download is available.

Install a firewall

Install a personal firewall to help prevent unauthorised access to your home computer and mobile phone. Be sure to update the firewall with security patches or newer versions on a regular basis.

Update operating systems and browsers

Make sure the operating systems on your computer and mobile phone, as well as your browser software, are updated with the latest security patches. Clear your browser’s cache and history after each session so that your account information is removed, especially if you are using a shared computer.

If you are running Windows OS, ensure File & Print sharing is disabled while online.

Make regular backups of critical data. Consider the use of encryption technology to protect highly sensitive data.

Secure personal WiFi password

You should set a password for your personal wireless network. This will prevent unauthorised users from accessing and using your wireless connection. Disable broadcasting of your network name (SSID — Service Set Identifier) to prevent casual surfers from detecting and connecting to your wireless network.

You should use encryption on data transmission to protect your wireless network and only allow registered machines onto it.

Don’t click any links or install software from untrusted sources

A fraudulent (also known as spoofing, impostor or phishing) e-mail address is one that has been forged. It usually tricks you into providing sensitive personal information either on the spot (e.g. by replying to the e-mail) or including links to a fake website that tries to get you to disclose personal data or log in.

As a result, do not disclose personal, financial or credit card information to little known or suspect websites. Do not open e-mail attachments from strangers or install software or run programs of an unknown origin.

Spyware is a piece of software inserted onto your computer that collects information about you and your internet activity. It is stored in your PC (with/without your consent) when you download software, games, screensavers or other content from the web. It usually claims to be able to improve your computer’s performance.

Spyware can be used maliciously to gain access to your passwords, PINs, card numbers and internet browsing history. It can also be used to scan files on your hard drive and slow down your computer by consuming system resources, leading to system instability or a crash.

Do not log into your online bank account(s) while such software is installed on your computer. If you have installed any software that claims to speed up your internet connection, or have additional third-party toolbars on your browsers, then you may be using software that has the ability to track your internet sessions. We recommend that you uninstall such software.

Maintain personal information privacy

Under no circumstances will a bank ever send you an e-mail asking for your personal information. You should not respond to such e-mails or reveal your PIN and/or password to anyone.

If you suspect that there has been any unauthorised breach of your account online, or that an online transaction has taken place that you did not initiate, you should notify your bank immediately.

In addition to these suggestions by Citibank, you should also sign up for real-time notification services with banks or credit card issuers to be alerted every time purchases or cash withdrawals are made. That way you will be aware of any unusual transactions, helping you protect your hard-earned money.

Meanwhile, Chatpong Watanajiraj, head of Kasikornbank’s advisory department, says call centre and internet banking fraud through phishing attacks are on the rise.

Phishing can involve using counterfeit banking websites to obtain personal information such as username, password and credit card details. Phishing is usually done by sending an email or SMS that appears to come from banks.

With call centre fraud, criminals can contact victims regarding alleged prize winnings, debts or urgent financial problems as pretences to obtain their personal data.

To safeguard oneself against such fraud, consumers should never tell their sensitive information to anyone.

You should also remember that banks have a policy of never sending emails or SMS to customers asking them to log on to their websites and enter personal information.

If you feel something is amiss, it is important that you inform your bank immediately.

PATTARAPONG CHATPATTARASILL With the rise of mobile banking, it has never been easier to manage your financial affairs. But with the growing threat of cybercrime, experts have urged people to remain vigilant to guard their wallets online.
