At the security coalface

The online environment is a little like the Wild West, with threats becoming more targeted as online crime syndicates become more sophisticated. These gangs are playing for serious money, and online banking systems are at risk. Carl Louw, head of Internet banking at Absa Digital Channels, talks to ITWeb about how his team copes.

"On the hacking and vulnerabilities side, there's a lot of work done in that space in general. We hire external companies to do vulnerability and penetration tests all the time. To date, we have not picked up any."

Louw and his team spend a great deal of time and effort monitoring activity on the hacking front, all of which are diligently followed up on. "We know people try to hack [into our systems]. We see it daily. We follow up and check, and, to date, no hacking has occurred."

He says on the social engineering side, exploitation of customer weakness is more of a problem, which is where most banks find themselves. "The big thing is still identity theft. One way or another, fraudsters get hold of people's identities and misuse them. We do a lot of work with vendors and look at what [analyst firms] Gartner and Forrester are saying around online security. We look at where various types and forms [of security] have been successfully implemented. We're very close to who is using tokens, card-readers, chip-pin combos, and weigh these up. We have a monthly security forum where things are discussed, assessed and understood in terms of their impact. We weigh up convenience and security."

There are inherent security issues with card-reader/chip-pin combinations, particularly logistical problems. However, in the European market, for example, Barclays has implemented a pin/chip and random key generator combination very successfully to more than one million of its customers. According to Louw, this exercise has reduced fraud to almost zero. But, would it work in South Africa?

"Where South African banks and Absa specifically, stands, the logistics around issuing something like that are a problem. What if it breaks and needs replacement? These and other issues put the customer at a disadvantage, and we don't want to go there. A cellphone, on the other hand, is carried by most people in this country. Most banks have implemented one-time passwords, which have proved to be very successful."

Absa identified the SIM card swap problem. The result was that local banks combined their efforts in an attempt to hinder criminal syndicates. "We managed to arrest a bunch of them. In most cases, there was internal collusion or there were fraud syndicates operating in retail cellular outlets," says Louw. "We work together with the cellular companies and know when SIM swaps happen and identify them on our network. We've come a long way in understanding customer behaviour and can now identify SIM swaps and fraud, and block these at a system level."

He adds that communication with customers has improved to the point where customers have started to understand the difference between e-mail that is legitimate and a potential phishing attack.

"We have an early warning process, which means we know about fraudulent e-mail and phishing attempts upfront. The banks also collaborate here and are starting to close down spoof sites as quickly as they go up."

The way forward, says Louw, is to continually communicate with customers about good online banking habits, including providing them with advice on how to protect PINs and passwords.

Anti-virus software, provided by Absa to its customers, has also been taken up in droves - a clear sign that online security is being taken seriously and that things are moving in the right direction.

"We've also implemented log-on alerts. If you're on Fourth Beach sipping a pi~na colada and your phone buzzes, you know someone has logged into your account. We've also implemented a one-time password for when users create beneficiaries or change portfolio details."

What's clear is that there is no silver bullet for security - customer education, physical security and making use of alliances and networks helps. "Security is not a competitive space. We really work with other banks on security and how we can share information and route out base causes. Potential fraud cases are investigated by the Absa forensic department as well as the South African police," says Louw.

Online security is indeed taken very seriously by the large financial institutions. All that's needed now is for consumers to do the same.