The Dutch Banking Association (NVB) provided numbers on how much fraud there is in the Netherlands with internet banking (in Dutch). Since we’re doing a project called cidSafe for several companies in the financial sector in the Netherlands on consumer identity (see this recent presentation in English, or the website which is mostly in Dutch), I was very interested in these numbers.
Internet banking fraud in NL amounted to €4.3M for the first 6 months. Although I agree with the NVB that this in itself is not a huge number, the increase is very big. In the whole of 2009 the fraud was €1.9M, so this is an increase of about 450%! By the way, victims of internet banking fraud are usually reimbursed by their banks, and all Dutch banks use two-factor authentication. Compared to the numbers recently released in Germany, internet banking fraud seems a somewhat bigger problem in the Netherlands than in Germany: the German estimate of €17M for 2010 is about twice the fraud in NL, but Germany has 5 times more inhabitants. Germany also saw a big increase in internet banking fraud compared to 2009.
The NVB press release mentions phishing as the main method of fraud. I couldn’t find more details on this, but simple phishing of a username/password won’t work on its own, since all internet banking services in NL use some form of two-factor authentication (smartcard or SMS one-time-password based). Malware attacks are becoming more advanced; the recent “Zeus In The MObile” malware, for example, showed that malware can even spread from desktop to mobile using social engineering. This article (sorry, again in Dutch) states that most attacks combine relatively simple phishing or malware (keyloggers) with social engineering to obtain the second factor.
If the increase in internet banking fraud were to continue at this rate for a couple of years, it would become a very serious financial problem (€39M in 2011?, €174M in 2012?). Add to this the emotional impact on victims and the reputation loss for banks, and this increase in fraud is something to worry about. The weakest links appear to be 1) the home PC (and smartphone) and people’s ability to keep it malware free, and 2) people being susceptible to social engineering attacks. The question for me is therefore which is more effective for banks to invest in:
- educating their customers on the importance of, and ways of, keeping their PC/smartphone malware free, and on becoming less susceptible to social engineering attacks, which will no doubt help but is not a silver bullet, or
- investing in technology, by providing more secure authentication means that are less (though not entirely in-) sensitive to malware and social engineering attacks, which is very expensive and can be very annoying for users.
The alternative for banks is to wait and see whether others (police, government, operating system vendors, anti-malware vendors, etc.) will be able to counter this increase in internet banking fraud. This is, however, not what I expect them to do, as the new awareness campaign by the NVB also shows.
(cross-posted from http://maarten.wegdam.name)