Banks must exercise 'extreme caution'

SA's banks have no option but to exercise extreme caution when it comes to permitting their clients to pass on banking details to third parties.

This is according to Johannesburg-based software-as-a-service provider Synaq, which says its latest phishing statistics paint an alarming picture of fraudulent activity within the online banking industry in SA.

Synaq MD Yossi Hasson says the company's anti-phishing database solution identified and blocked 23 668 phishing attacks directed at customers of SA's “big four” in the banking arena in January.

Absa, notes Hasson, is by far the most targeted, claiming a majority 15 676 of the total number of phishing attacks on banking clients. “Our January statistics clearly indicate phishing syndicates target Absa more than any other South African bank. [In addition to the vast number of attacks on Absa clients] we identified an astounding 159 unique - and fraudulent - Absa URLs from which phishing attacks were launched. This compares to 54 unique (fraudulent) Nedbank URLs, a further 13 for Standard Bank and 27 for FNB.”

Hasson says the reason for Absa topping the phishing attack list is simply that it is the largest South African retail bank. Attacks on the other three pale in comparison, with FNB seeing 6 427, Standard Bank 924 and Nedbank 586 attacks last month.

The warning follows the recent highly-publicised launch of personal financial management (PFM) enterprise 22seven. The service has seen resistance from banks and widespread scepticism from some members of the public, who feel that divulging personal banking details to a third party is tantamount to soliciting online criminals. Absa subsequently blocked 22seven's financial aggregating partner, US-based Yodlee, in turn precluding its clients from using the site's PFM tools.

While the outright blocking of Yodlee by Absa “might have been a bit harsh from the bank's side”, Hasson says the danger of third-party financial services providers must be heeded. He adds that some form of collaboration between 22seven and SA's banks needs to take place to ensure a secure banking environment. In Absa's case, he says, both parties “could have gotten together to come up with a more elegant solution and compromise”.

Suggesting an even-handed, rational way forward, Hasson says a collaborative approach between SA's banks and 22seven, whereby a solution is designed that keeps clients' login credentials separate from their transactional bank login details, is the way to go.

“[22seven] is filling a much-needed gap in the South African market and [the two parties] should agree on a trusted path forward whereby 22seven clients can use the service with the banks' trust and approval. 22seven also needs to acknowledge the bank's concerns and adhere to their compliance requirements. Both parties need to work with one another, not against,” concludes Hasson.