Thanks to the security breach of Absa customer accounts, the banking and technology industries have suddenly come alive. Solutions abound, everyone's technology is secure and every bank's customer assured.
I must have missed something. A week ago, the agony was palpable. Absa called meetings to find ways to soothe and retain its Internet customers. Mailing lists became support groups. Members of the IOZ lists thanked the media for getting "even the most naïve customer" to ask questions. The IT industry complained of having to endure end-user suspicion born of ignorance. Some people wouldn't know a suspicious e-mail if it said "suspicious e-mail" in the subject line, they said.
But then the tide turned. Absa marketing fell back on the old line - customers trusted the Absa brand, it said, and to back it up, revealed that over 1 000 new customers joined in the week since the breach. Although a bit bold under the circumstances, it was a perfectly understandable marketing move.
Where to now?
Where does this leave the customer? Some industry players say customers should demand better security, and turn their backs on banks that don't provide enough. Others blame customer ignorance and apathy.
But from my point of view, the customer is not king for nothing. Customers know that despite their complete IT ignorance, their money and loyalty will force the industry to do a lot of soul-searching and agonising to come up with the best solution.
Carel Alberts, Technology Editor, ITWeb
That's power. And boy, did they come up with solutions! It seems everyone's happy again. Standard Bank was roundly praised for its free anti-virus and firewall solution. First National Bank was celebrated for its assurance of customers' safety. Nedbank was lauded for its SMS communications to clients.
MTN and Vodacom had lots to say about secure mobile banking. The biometrics crowd wanted to change authentication. ITWeb got one letter with at least 35 grammatical and spelling errors, saying the author understood spyware, and could eradicate it, better than anyone.
Trust rode high again. A few spoilsports still agonised though. They found fault with every single solution out there. And though they were shouted down by the deafening product punts and the happy silence of the all-powerful customer, I agree with them. At this point, when everything has been said, the customer must take note of the available security, because not even the king is blameless.
Will this work?
It would be tempting to make the general point that it is not technology that buys customer loyalty. Consumers really only want to know their money is safe, whatever the technology underpinning this assurance. But we must take cognisance of the reasons for a bank's assurances. These usually centre on good technology, some of which I mention below as noteworthy examples.
Authentication alternatives
Passwords came under attack, specifically the ease with which Windows passwords can be cracked or keystrokes monitored. A biometrics company came up with fingerprint scanning as a way to bypass the problem altogether. Although this seems an elegant solution, commentators point out the expense.
Anti-virus and firewall technology
Standard Bank won plaudits for offering its customers this technology. Pundits point out that anti-virus technology will not necessarily pick up any custom-written Trojans or spyware. Firewalls, however, may be a good solution. Spyware can be truly evil - it cannot be found in the Windows system tray or Programs folder, does not appear as an icon, leaves only very subtle differences in the registry, has its own mail client and can change the hotkeys for accessing it (default is alt+ctrl+shift and t) - so filtering out unwanted packets may come in handy.
Making sure nobody has unauthorised access to PCs
This one, along with the advice to load the latest anti-virus software, not open suspicious e-mails, make sure the operating system is legally licensed and ensure the secrecy of PIN numbers, has been met with scorn. Suspicious e-mails are not what they used to be. It used to be that one didn't open .exe, then .vbs, files from people one didn't know. Then the preview pane came under scrutiny. But any HTML-based e-mail, or even a Web site, can infect the client device, experts point out.
Just keeping PINs safe won't help either if there is a combination of PIN and account number to access e-banking. By holding the PIN constant and cycling through account numbers, it would take an average of 50 000 attempts before matching a valid account name and password, one expert tells me.
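Cycling one PIN across many account numbers leaves only a single failed login on each account, so a per-account lockout counter never fires. The following Python is an added example, not part of the original column, showing a per-source counter of distinct failed accounts catching what the lockout misses; the log layout, thresholds and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events: (epoch_seconds, source_ip, account, login_ok).
# 203.0.113.7 makes one guess on each of 40 accounts; 198.51.100.9 is a
# customer who mistypes a PIN twice and then logs in successfully.
EVENTS = [(1000 + i, "203.0.113.7", f"acct{i:05d}", False) for i in range(40)]
EVENTS += [
    (1005, "198.51.100.9", "acct90001", False),
    (1012, "198.51.100.9", "acct90001", False),
    (1020, "198.51.100.9", "acct90001", True),
]
EVENTS.sort()

LOCKOUT_FAILURES = 3   # assumed per-account lockout threshold
MAX_ACCOUNTS = 10      # assumed limit on distinct failed accounts per source
WINDOW = 300           # assumed sliding window, in seconds


def locked_accounts(events):
    """Classic control: lock an account after N consecutive failures."""
    streak, locked = defaultdict(int), set()
    for _, _, account, ok in events:
        streak[account] = 0 if ok else streak[account] + 1
        if streak[account] >= LOCKOUT_FAILURES:
            locked.add(account)
    return locked


def cycling_sources(events):
    """Flag sources that fail against many distinct accounts within WINDOW."""
    recent, flagged = defaultdict(list), set()
    for ts, src, account, ok in events:
        if ok:
            continue
        # Drop failures that have aged out of the window, then add this one.
        recent[src] = [(t, a) for t, a in recent[src] if ts - t < WINDOW]
        recent[src].append((ts, account))
        if len({a for _, a in recent[src]}) > MAX_ACCOUNTS:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    print("locked accounts:", locked_accounts(EVENTS))
    print("flagged sources:", cycling_sources(EVENTS))
```
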
Entering one's password via mouse rather than typing
This would foil keystroke-loggers altogether, but what about people looking over your shoulder? It has, however, attracted the criticism that some monitoring allows screenshots or actual visual monitoring.
Token-based solutions, such as SecurID, which use a different password with every login
The user has to carry a "password calculator" around, and the cost per token and the fact that they expire work against this.
No time to worry yet
What can the user do when none of the security measures are foolproof and some are simply not practical? One option would be to give up and say the crooks are cleverer than us, or they have time to waste messing around with other people's things.
A more positive way to look at the whole affair is that it gave the average user a sharp wake-up call. Now that the average e-bank user is more careful about security, simple combinations of the security measures available should be enough to deter all but the most persistent attackers.

