
Let's go 'phishing'

by Mr. Julian Curmi B.Sc. ACIB CISA CISSP
email: curmimontaldo@netscape.net
Conference

This is one of the latest scams that has been doing the rounds on the internet. The word "phishing" is pronounced the same as "fishing". Some of you may recently have received an e-mail purporting to have been sent by an international bank, advising you to follow an indicated link to a website that looks just like the bank's website, but it isn't.

The purpose of the bogus site? To trick you into divulging the PIN to your on-line banking account. Typically the e-mail claims that the bank is carrying out a software upgrade and that, unless you complete the process, the upgrade cannot be completed. Believe it or not, there have been cases where people were successfully duped into accessing the bogus sites in response to such an e-mail. This is known as the art of "phishing", or what may also be referred to as social engineering.

When it comes to scams or hoaxes, this is the easiest way of duping someone into giving you information. Pretend to be someone else, and the rest is easy. Really no technological expertise is needed - just the oldest trick in the book - bluff your way through.

Banks advise their customers never to divulge their PIN to anyone, not even bank staff; however, in practice, it still happens.

It has been an accepted practice that banks provide their customers with a plastic card and a PIN to go with it. This is known as 'two-factor authentication', i.e. something you have and something you know. The customer needs both to access an ATM (automated teller machine). Indeed, the PIN is generally never transmitted over the network in ATM systems.

Relatively speaking, an ATM system is by far more secure than the internet, which is known to be inherently insecure. But notwithstanding these known weaknesses, some banks, even the major ones, have launched their internet banking facilities based on single-factor authentication, i.e. a PIN or password alone, i.e. something you know.

The primary weakness here is that a PIN alone is susceptible to scams such as "phishing". The internet is also rife with tools that one may easily download to steal passwords. Take, for example, an internet café, where the unsuspecting on-line banking customer comes along to access his bank account. Unknown to him, there are what are referred to as "key-stroke loggers" that record all the user's keystrokes, including the PIN. The rest is left up to your imagination. Admittedly, some banks have included a disclaimer warning customers that they should not use an internet café, as the privacy of their transactions cannot be guaranteed.

When it comes to using the internet to offer banking services, relying on single-factor authentication is outdated by any measure and not sufficient to adequately secure the service.

Two-factor authentication is not new; as I just explained, ATM security has been based on it. So it makes good business sense, and the channel will indeed be more secure, especially when the medium is the internet, for banks to secure their on-line banking applications with two-factor authentication.

Really it is only a matter of time before all banks around the world introduce it. The practice of using token-based access to systems is also catching on in the private corporate sector, where users, especially system administrators, use this more secure way of accessing critical systems.

Customers are given a small credit-card-sized token that generates a one-time password using a time-sensitive algorithm that is in sync with the bank's back-end server. Now even if someone were to obtain the one-time password, it would have to be used immediately to perpetrate a fraud and pre-empt the user's own access attempt. There is also specific logic built into the token cards that supports what is referred to in information security terms as non-repudiation, i.e. the user cannot deny carrying out the transaction, since the transaction would have been "electronically signed" with a value that only the respective token card could have generated.
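To make the two properties above concrete, here is an added illustration (not the article's or any bank's actual token algorithm, and not BOVSecurKey's): a time-synchronised one-time password in the style of RFC 4226/6238, a bank-side verifier that tolerates a little clock drift but refuses a replayed code, and a transaction-bound value in the spirit of the "electronic signature" described. The secret, the 60-second step and the payee/amount format are constructed assumptions; note that a shared-key MAC binds the value to the token and the payment, but because the bank holds the same key it gives weaker non-repudiation than an asymmetric signature would.

```python
import hashlib
import hmac
import struct

# Constructed sample secret shared between token and bank back end; in a real
# deployment it is personalised into the token and never leaves it.
TOKEN_SECRET = b"example-token-secret-0001"
STEP_SECONDS = 60  # hypothetical token interval; real products vary

def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226 truncation) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def token_code(secret, now):
    """What the customer's token displays: the OTP for the current time step."""
    return hotp(secret, int(now // STEP_SECONDS))

class BackEndVerifier:
    """Bank-side check: a code is accepted only inside a small clock-drift
    window and only once, so a captured code is useless after its step."""

    def __init__(self, secret, drift_steps=1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_accepted_step = -1  # highest time step already consumed

    def verify(self, code, now):
        current = int(now // STEP_SECONDS)
        for step in range(current - self.drift_steps, current + self.drift_steps + 1):
            if step <= self.last_accepted_step:
                continue  # one-time: a step that was already used is never re-accepted
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False

def sign_transaction(secret, now, payee, amount_cents):
    """Transaction-bound value (the non-repudiation idea): the current time step
    is mixed with the payment details, so it fits only this payment and step."""
    msg = f"{int(now // STEP_SECONDS)}|{payee}|{amount_cents}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]
```

The replay refusal is what makes an intercepted code worthless to a key-stroke logger: the verifier remembers the highest step it has consumed and will not accept that step, or any earlier one, a second time.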

Bank of Valletta plc, along with a number of major European banks, has adopted token-based two-factor authentication in its approach to designing a very secure internet banking service, and has avoided at all costs the much cheaper alternative of relying on a PIN alone. BOV recognised that it had to provide its customers with a more secure internet banking system.

Access to its internet banking system is based on the concept of two-factor authentication: each customer is given the BOVSecurKey. This token enables the customer to carry out various types of transactions, including payments to third parties and bill payments.

To date over one million transactions have been carried out by customers using the BOVSecurKey.
