Subscribe
About

Experts slam Absa on ID fraud

Johannesburg, 23 Jul 2003

Cyber security experts and industry commentators have criticised Absa for its handling of the e-banking fraud, and have cautioned online bank clients to reconsider Internet banking.

Absa says it is doing everything possible to share information to prevent similar incidents from happening again.

This follows weekend reports in which several Absa online banking clients in the Bellville area of Cape Town suffered losses from their accounts. Absa said its own systems were secure, and that the online bank users` security had been compromised

Info-security specialist, Andrew Thomas of Hobbs & Associates Chartered Accountants, says customers should demand better security from their bank or stop using Internet banking altogether, if they feel unsafe.

Thomas says Absa should have been aware of the dangers of spyware, since it has been available for decades.

Alfie Naidoo, Absa managing executive of e-channels, says: "Of course we knew about the technology, but only once suspicious incidents came up did we have occasion to do a forensic audit. It was then that we officially recognised spyware as a modus operandi."

Thomas also slams Absa`s stance on customers taking responsibility for negligence, saying the costs of having to disprove negligence may be excessive.

Naidoo responds: "Every case will be evaluated on merit. We`re not saying it`s your PC, and therefore your problem. However, since it is your domain, you must take reasonable steps to secure it. I don`t think Absa has been high-handed in its approach."

E-banking time-bomb

According to Olaf du Randt, IT forensics expert and technical manager at security solutions and services provider AVeS Cyber Security: "Online banking in SA was a time-bomb waiting to go off. It just happened to be Absa first."

<B>African Bank site hacked</B>

In a separate incident affecting a local bank, a hacker has defaced the African Bank Web site. IT law firm Buys Inc Attorneys reports that a hacker calling him or herself "7up" hacked into the African Bank Web site and defaced it.
7up removed all the content from the bank`s home page and left the following message: "7up ownz African Bank ??"
"This hack looks like a classic defacement and there is no evidence to suggest that the hacker gained access to bank accounts," says Reinhardt Buys.
Buys Inc reports that 7up then continued to hack into more than 52 South African Web sites -mostly from the Western Cape - in the next 18 hours.

Du Randt feels that strong authentication for online banking must include a combination of at least two authentication methods: what you know, such as a pin or a password; what you have, such as a smart card; and what you are, such as a biotech authentication device.

Du Randt says the Absa incident was probably not an Internet-based attack by a hacking group.

"Usually, the major anti-virus systems would detect and report a keystroke-logging application. I would be inclined to think this ID fraud involved hardware or software placed at a strategic point, such as the branch`s own unprotected Internet kiosk. This would explain why the victims were within the same geographical area.

"If it was an Internet-based attack, it would be unlikely to be as specific and in only one geographical area."

Ease of use vs security

Industry commentators say Absa failed to create sufficient awareness among customers.

Rogan Dawes, a security specialist with Deloitte & Touche, says banks must balance ease of use and convenience with high security.

Dawes adds that if banks follow a more secure approach, and the customer opts for a more convenient, less secure option, then the client will be to blame. "Otherwise, if the bank does not offer this, it has to share some of the blame."

He says Absa appears to be doing this, by refunding clients where fraud can be proved.

Dr Walter Smuts, MD of the Expertron Group, an associate company of Grintek Telecom, echoes the fact that heightened security could get in the way of convenience. "Users could be restricted to banking only from the computer on which they know anti-virus software is installed and up to date.

"But this goes a little against the grain of the banks` slogan of 'doing banking any time, from anywhere`," he points out.

Share