Network Health: Identity Crisis
By Dr. Seamus Phan
Online banking security has come into the limelight again, and the DBS incident shows how easy it is for someone to pose as you.
Some time ago, Professor Tsutomu Matsumoto showed that he could fool 11 commercially available fingerprint sensors with gelatine fingers cast from moulds of real fingers, and from latent prints that had been lifted and digitally enhanced. Journalists from the German magazine c't have also demonstrated that they could fool a number of fingerprint sensors simply by breathing on them or resting a small bag of water on them, which revives the latent print left by the previous user.
Closer to home, in Asia, the Development Bank of Singapore (DBS) had a huge public relations disaster when it claimed that a Chinese hacker had stolen 21 customer user names and passwords and then logged on to its online banking system. The thief made away with US$35,000 in under two hours.
DBS insisted that there was no compromise in its Internet banking system, and that its customers should have been more careful in securing their systems.
In this incident, it was clear that DBS's terms contained explicit clauses that protected the bank and placed the responsibility for preventing online fraud in the hands of its customers. Out of "goodwill", it did return the money to the affected customers.
In the US, however, such an incident would likely have led to class-action suits by the bank's customers. Even the Monetary Authority of Singapore hinted that banks should bear more responsibility for their online banking systems, although it stopped short of issuing further guidelines to protect consumers.
Nothing is foolproof.
It is easy to fool digital authentication systems if you are skilled. If you possess someone's user name and password, you can assume that person's identity, especially if the system has no second factor or other safeguard: to the bank's server, whoever types the right credentials is that customer.
Even if the system uses fingerprint or facial recognition, there are ways to defeat the matching algorithms and template databases behind it, as the spoofing demonstrations above show. Biometric systems are still very much an experiment in progress, and not foolproof. Worse, unlike a password, a fingerprint cannot be changed once someone has a copy of it.
Government agencies worldwide issue hardware tokens, and highly secured facilities go as far as one-time ("use once") passwords, which are worthless to an eavesdropper once they have been entered. But these only create more hassle for online banking customers who demand convenience. There is always a fine line between convenience and security, and I lean towards security rather than irrational convenience.
Protecting yourself online.
There are ways to protect yourself in online banking and shopping. First, you need to be in control instead of being controlled. There are plenty of banks and shops after your money, and it is wise to shop around for the most customer-centric fraud policy. Ask how the bank handles online fraud, who bears the loss when it happens, and what you are expected to do to stay protected.
Do not simply believe that firewalls and antivirus solutions will solve all security issues regarding online transactions. These tools are only part of the overall security workflow, and you should understand how to configure them first. When in doubt, block all unsolicited incoming connections, and clear your browser's cache, history and cookies after every session. Never use online banking from Internet cafés or any computer that is not your own.
You should also treat your user name and passwords as sacred, and change them frequently if you bank online.
Remember that computers, no matter how intelligent, are still dumb terminals. They do not know who you are, and will not protect you from someone who pretends to be you.
© 2003 The BWW Society/The Institute for the Advancement of Positive Global Solutions