SUMMARY
Phishing is becoming a serious problem in Financial Services, and will cost the industry $400 million in 2004. But this amount pales in comparison to credit card fraud, with Visa alone at $4Bn pa. However, the perpetrators are the same – given the movement to curtail fraud in the card industry, I believe the criminals are hedging their activities to prepare for a big onslaught into the debit card and online banking industry, and phishing is the start.
PHISHING
Phishing occurs when a replica of an existing web page, usually a Financial Services company’s page, is presented to a user and requests personal or password data. This information is collected, usually by foreign crime syndicates, typically in Russia, and in turn used to steal money from bank accounts.
Banks are not clear on such things as guarantees but, assuming no complicity by the customer, will make good on the loss.
But I believe the cost is much greater than the dollar amount mentioned and of a completely different characteristic. Certainly the dollar amount will rise, and there will be different changes to try and contain the issue, but it's not that simple.
If we go back to the origin of the internet, the core change was the ability to navigate anywhere by simply clicking on a link. As time passes and smart people think this through, this is also the internet's greatest weakness. Clicking on a link is expected to produce an html link. However, as defined in the internet standards, the click could be invoking an application, a script or any type of malicious code. Depending on how your computer is set up, this application could run, or it could first ask you for permission to run. Obviously the second scenario is preferable, but it's virtually impossible for even an expert PC user to tweak all the required parts of Windows to ensure that will occur.
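The point above, that a link may target a script or an application rather than a web page, can be checked on the receiving side before a user ever clicks. The Python below is an added example, not part of the original article; the scheme and extension lists, the function names and the example.test hosts are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed lists for illustration; tune them for a real mail gateway.
SCRIPT_SCHEMES = {"javascript", "vbscript", "data"}
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".hta")

def classify_href(href):
    """Classify one link target by what a click on it would invoke."""
    parts = urlsplit(href.strip())
    scheme = parts.scheme.lower()
    if scheme in SCRIPT_SCHEMES:
        return "script-scheme"      # click runs script, not a page load
    if parts.path.lower().endswith(RISKY_EXTENSIONS):
        return "executable"         # click downloads or launches a program
    if scheme not in ("http", "https", ""):
        return "other-scheme"       # handed to some other local handler
    return "web"                    # ordinary page (or relative link)

class LinkAuditor(HTMLParser):
    """Collects (href, classification) for every <a href=...> in a message."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.findings.append((href, classify_href(href)))

def audit_links(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    return auditor.findings

# Constructed sample message body; hosts are placeholders.
SAMPLE = """
<p>Dear customer, please <a href="https://bank.example.test/login">sign in</a>,
<a href="http://files.example.test/statement.pdf.exe">view your statement</a>,
or <a href="javascript:void(0)">confirm your details</a>.</p>
"""

if __name__ == "__main__":
    for href, verdict in audit_links(SAMPLE):
        print(f"{verdict:14} {href}")
```

A gateway or mail client could quarantine or rewrite any link that is not classified as `web`, rather than relying on each PC being configured to prompt before running code.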
The criminals who do this are new and getting very sophisticated, but I believe the serious ones haven’t really got going yet. I recently saw a screen shot where a customer was presented with a page which appeared to have the correct URL but in fact the entire thing was faked.
Credit card fraud is still huge, and it's much easier to skim a card's mag stripe and replicate the card, or simply steal the card. Visa alone loses $2Bn per annum, and at current growth rates this will be $8bn by 2008. The other aspect of credit card fraud is that it moves globally, so Visa is going to mandate that all cards are chip and PIN based by the end of the decade. This will virtually eliminate credit card fraud as we know it today, because even if they steal the card, they can’t use it without the PIN. Similarly, the chip card cannot be replicated.
So the ability of the credit card criminals to hedge their activities to the easiest country will be curtailed, and they will require another avenue to maintain their revenue. That's why they are developing phishing techniques, because they really need to be able to capture PIN numbers and gain access to online services, which don’t (today) require a physical card.
The credit card industry is advanced in terms of customer fraud prevention or reduction through sophisticated computer assessment of customer spending patterns. So as the credit card industry wraps itself in the fraud protection armour of chip, the preparedness of the debit card market is a very valid question for any Bank. Criminals will move to debit, in a much bigger way than previously, and today’s phishing is likely no more than a test bed for organised crime – a pilot for the future.
If the logic and assumptions here are to be believed, then I believe the credibility of the internet could see a drop of mammoth proportions, such that the entire internet model as it's used for online secure financial services becomes questioned. Most users are computer neophytes and have inbred suspicion of computers and their ability to do bad things, and phishing is so real, and will be so big, that it will prey heavily on those fears.
The risk is that the security of the internet becomes of such concern that Financial Services companies will have to re-assess how they provide online services. They have moved so much activity to the online channel, and the physical channels have been re-structured based on that transactional movement, that any shift back would have catastrophic impacts on customer service levels, bank costs and eventually the stock markets.
This all starts to sound somewhat gloomy but it is big enough it cannot be ignored. Today it is managed carefully with customers who have the misfortune to be hit.
There are some things that Banks can start to think about.
1) Bypass the internet to access their sites. This could be accomplished by PC based applications provided by the Financial Services company, which in effect bypass the browser for log in purposes.
2) Chip based smart cards and PC based smart card readers might be a solution, which would permit smart cards to be used for all Financial Services channels including ATMs and online banking.
