Posted on 28-3-2003
Beware Of Emails From Banks
By Richard Wood, NZ Herald, 28 March 2003
The public can no longer trust emails claiming to be from banks or other secure services on the internet, following a fraud aimed at the Commonwealth Bank of Australia's NetBank last week. Banking customers are being warned not to click on hyperlinks in emails that purport to point back to any secure internet service. They are advised to type the URL into the internet browser or use bookmarks.
A hyperlink contains two parts. The visible part is text and can appear legitimate, but the actual internet address (or uniform resource locator - URL) is hidden underneath. This could be an address misleadingly similar to the genuine address, or a numeric IP (internet protocol) address offering no clue as to the site it will take the user to.
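The two tricks described above (display text that looks like the genuine address while the real href goes elsewhere, and an href whose host is a bare IP address) can be checked mechanically before anyone clicks. The following is an added example, not code from the article or from any of the organisations it quotes; the email body, the trusted host names (netbank.example) and the look-alike domain in it are constructed for the example. It also flags a third pattern the article implies, a domain that merely contains the genuine name.

```python
"""Added example: flag deceptive hyperlinks in an HTML email body.

Reports anchor text that looks like an address while the href points
elsewhere, hrefs whose host is a numeric IP, and look-alike domains.
All host names and the sample message are constructed for this example.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts the recipient would legitimately expect (constructed placeholders).
TRUSTED_HOSTS = {"netbank.example", "www.netbank.example"}

# Anchor text that reads like a URL or hostname: optional scheme, dotted name.
LOOKS_LIKE_ADDRESS = re.compile(
    r"^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL (or bare 'www.x.y/path' text), '' if none."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def canon(host):
    """Strip a leading 'www.' so www.x.y and x.y compare equal."""
    return host[4:] if host.startswith("www.") else host


def is_ip_host(host):
    """True if the host part is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_link(text, href):
    """Return the list of reasons this link is suspicious (empty if none)."""
    reasons = []
    target = host_of(href)
    if not target:
        return reasons  # relative, mailto: or empty href: nothing to compare
    if is_ip_host(target):
        reasons.append("href points at a bare IP address: %s" % target)
    # Does the visible text itself look like an address? Compare hosts.
    shown = host_of(text) if LOOKS_LIKE_ADDRESS.match(text) else ""
    if shown and canon(shown) != canon(target):
        reasons.append("visible text says %s but href goes to %s" % (shown, target))
    # Look-alike domain: contains the genuine name but is not it.
    trusted_cores = {canon(t) for t in TRUSTED_HOSTS}
    if not is_ip_host(target) and canon(target) not in trusted_cores:
        for core in trusted_cores:
            if core in target:
                reasons.append("look-alike domain %s resembles %s" % (target, core))
                break
    return reasons


def scan_email(html):
    """Return {href: [reasons]} for every suspicious link in the message."""
    parser = _LinkCollector()
    parser.feed(html)
    return {href: r for text, href in parser.links
            if (r := classify_link(text, href))}


# Constructed sample lure in the style the article describes.
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your details at
<a href="http://203.0.113.9/netbank/login">https://www.netbank.example/login</a>
or via <a href="https://www.netbank.example.evil.test/">NetBank</a>.
Genuine link: <a href="https://www.netbank.example/">www.netbank.example</a></p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run as a script it prints the two deceptive links with their reasons and stays silent on the genuine one. The heuristics are deliberately simple; a mail gateway would add checks such as punycode and homoglyph detection, but the text-versus-href comparison is the core of what the article asks readers to do by eye.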
The case in Australia used this second method to direct users to a fake bank site that collected the passwords. The fraudster had reportedly accessed a few accounts. The CBA assured its customers their funds were intact and asked them to change their passwords.
E-crime New Zealand forensic analyst Chris Budge said an email pointing to a service could not now be regarded as normal business practice, and banks would have to take responsibility for providing a secure service. Internet banking and customer services operations needed more advanced encryption and digital signature systems and to be open with their customers about fraud. Budge said many users had hidden the URL in their browser to give them more screen space, but it was not then possible to see where the browser was going. "Be aware of what is happening on your screen. Do not enter personal details unless you are 100 per cent sure. If you are not sure then phone the service."
Clayton Wakefield, general manager technology operations and property at local CBA subsidiary ASB Bank, said the public needed to understand the web was an open communication tool and a lack of security was inherent.
Wakefield said the public needed to be able to verify the URL was genuine, and watch for unusual behaviour. In the CBA case the email was sent to a person who was not a customer, who became suspicious.
Maarten Kleintjes, national manager of the police electronic crime unit, said that when people connected with secure sites the padlock in the browser should be closed. Clicking on the padlock or opening the security options would show the "certificate" sent by the bank, and who had signed that certificate.
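What the padlock dialog shows, and why the signer matters, can be illustrated with the certificate fields a program sees after the TLS handshake. The following is an added example, not code from the article or the police unit it quotes; it works offline on a constructed certificate dictionary in the shape that Python's `ssl.SSLSocket.getpeercert()` returns, and the names (www.netbank.example, "Example Root CA") and dates are invented. It reports the subject, the issuer that signed the certificate, whether the name matches the site the user meant to visit, and whether the certificate is within its validity period. In practice the TLS library performs chain and hostname validation itself; this only surfaces the same facts the padlock dialog presents.

```python
"""Added example: summarise a server certificate the way a padlock dialog does.

Input is a dict shaped like ssl.SSLSocket.getpeercert() (constructed here,
not fetched from a live site); all names and dates are invented.
"""
import ssl
import time


def hostname_matches(pattern, hostname):
    """Match a certificate DNS name against a hostname.

    A leading '*.' covers exactly one leftmost label (so *.netbank.example
    matches www.netbank.example but not netbank.example or a.b.netbank.example).
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def describe_cert(cert, hostname, now=None):
    """Return the facts a user should check before entering credentials."""
    now = time.time() if now is None else now
    # subject/issuer are tuples of RDNs, each a tuple of (key, value) pairs.
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    # Hostname checks use subjectAltName DNS entries; CN only as a fallback.
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names and "commonName" in subject:
        names = [subject["commonName"]]
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "subject": subject.get("commonName", "?"),
        "signed_by": issuer.get("commonName", "?"),
        "self_signed": subject == issuer,
        "hostname_ok": any(hostname_matches(n, hostname) for n in names),
        "in_validity_period": not_before <= now <= not_after,
    }


# Constructed certificate, modelled on getpeercert() output; values invented.
SAMPLE_CERT = {
    "subject": ((("countryName", "AU"),),
                (("organizationName", "Example Bank"),),
                (("commonName", "www.netbank.example"),)),
    "issuer": ((("countryName", "AU"),),
               (("organizationName", "Example CA"),),
               (("commonName", "Example Root CA"),)),
    "subjectAltName": (("DNS", "www.netbank.example"),
                       ("DNS", "netbank.example")),
    "notBefore": "Mar 01 00:00:00 2003 GMT",
    "notAfter": "Mar 01 00:00:00 2004 GMT",
}

if __name__ == "__main__":
    # A moment inside the validity window (April 2003), fixed for the demo.
    for host in ("www.netbank.example", "www.netbank.example.evil.test"):
        print(host, describe_cert(SAMPLE_CERT, host, now=1050000000))
```

Run as a script it shows the genuine host matching and the look-alike host failing the name check against the same certificate, which is exactly the comparison the article tells users to make by reading the dialog: is the name the one you typed, and who vouches for it.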
Mike Spring, director of the Centre for Critical Infrastructure Protection (CCIP), run by the Government Communications Security Bureau, said that if the fraud had occurred in New Zealand, the CCIP would have had the site closed. New Zealand has a 24-hour service to deal with all suspicious online activity. The public can lodge notifications at the CCIP website.