Something you have, something you know.
FiveBarGate | Secure Your Logins
Barbarians at gate of internet banking
By Lesley Stones, 26 April 2007

CRIMINALS are making such concerted attacks on SA’s online banking industry that the major banks and internet service providers may co-operate to standardise their technologies to keep the thieves at bay.

At a sensitive and lengthy exploratory meeting last week, key players discussed the best way to present a united front to beat the criminals and educate their customers. While commitments are yet to be firmed up, the delegates agreed to nominate staff to focus on the issue and investigate the available technologies.

Standard Bank’s media relations manager, Ross Linström, would only say: “We are participating and we think it’s a good initiative.” Nedbank, First National Bank, Absa, Investec and Rand Merchant Bank also attended, along with internet service providers (ISPs) Verizon, MWEB, Saix and Internet Solutions.

The discussion was organised by Striata, a specialist in delivering documents securely by e-mail. The issue uniting them is phishing, where e-mails are sent out asking people to update their personal details online. A link in the e-mail directs customers to a fake website that exactly mimics the bank’s website. When they enter their account number and passwords, the details go straight to the criminals who withdraw cash from that account.

Gilbert Swats, CEO of the South African Banking Risk Information Centre (Sabric), says phishing is proliferating because the banking systems are too secure to attack without knowing a person’s account details.

“The banks are continuously looking at their systems and have very sophisticated security measures to parry any attacks. They are very open to saying if there is a new initiative and protection mechanism it will be welcomed and they will look at its merits,” he says. “There needs to be a good partnership between the banks, the industry and customers because there is a shared responsibility to reduce the problem.”

Statistics are shaky, but Striata CEO Mike Wright estimates that every month 1-million phishing e-mails are sent to local customers and up to 100 websites are set up mimicking those of SA’s banks. “If you send a million messages and get a 0,01% success, that’s 100 people who give you their details,” he says.

The volatile rand and SA’s small online banking population have kept the country relatively safe in the past. “Why phish in rands when you can phish in dollars, and why phish for 2-million customers when you can phish for 20-million?” Wright says.

But the far larger foreign banks have introduced anti-phishing measures and educated their clients, prompting phishers to seek easier markets. “We don’t educate clients as much, so we have a virgin client base to phish,” says Wright.

Two agreements were reached at the meeting. The first is for each bank and ISP to nominate a key contact so when any incident is detected the information is shared instantly.

The second, and no doubt slower step, is to adopt digital certificate technology that guarantees an e-mail is genuinely from the bank. The technology checks which server was used to send the message. If e-mail supposedly from a bank is sent from a machine the bank does not use, the ISP carrying the traffic will not deliver it to the customer.

That will prevent the bulk of phishing e-mails from being delivered. Moreover, compliant e-mails are marked with a red rosette, and customers could be taught to ignore any without a rosette.

The banks will not say how much cash has been stolen through phishing. They are taking the pain and refunding victims. That compassion will not last forever.

“Absa has not lost any money to phishing, but Barclays in the UK has been targeted and lost money,” says Carl Louw, the head of Absa’s internet channel. The banks have taken a soft stance because phishing is new and customer education is not yet at an optimal level. “Slowly but surely the banks will start pu
FiveBarGate is a patented security arrangement - Copyright 2009