Online Banks Exposed

Discover if your bank is leaving serious security holes or lacks cutting-edge features in our in-depth analysis of online banking.

Is your bank taking you for granted? Does it offer all the services you expect from a leading financial institution and give them to you online where they’re most convenient?

And does it provide the security necessary to protect your money over the internet (without charging you an arm and a leg)? If not, you need to seriously think about switching – something that is far easier than you probably expect.

What we looked for
We know PC Authority readers are more demanding than the average banking customer, so we’ll highlight the banks that offer advanced services such as integration with home finance software, mobile text and internet banking, and portable security devices.

Security
Of course, for most people it’s not a flashy front-end and a plethora of features that will influence their choice of bank. Security remains the prime concern. Our online security expert Davey Winder scrutinises the safeguards provided by the online banking services in this roundup.

He talks to banking security experts who offer alarming insights into the authentication methods used by many of the leading banks and reveals flaws in even seemingly bullet-proof solutions.

Is it easy to switch?
Yet even if our report does reveal worrying holes in your bank’s security set-up or a dearth of features you wish your bank offered, isn’t switching an infernal headache? Not necessarily.

The Federal Government has recently begun implementing a series of reforms to the banking industry that will make it easier than ever to switch banks without having any automatic payments go astray. These should come into effect from November this year, but even without them in place, switching is not as painful as you might think.

So there’s no good reason not to defect if your bank fails to meet your expectations. Read our report and find out whether your bank is providing a strong enough case to retain your custom.

Our extensive feature table provides an at-a-glance comparison of the banks in our test, while we have individual reviews of each bank.
[Table: Internet banking features]


How secure is your bank?
With online banking becoming the norm rather than a nerdy extra, security has to play a part in the selection process. Yet few potential customers know the right questions to ask.

Knowing the access process employed by a bank and actually understanding its security implications are two completely different things, which is why we’ve been talking to industry insiders to find out how secure our leading banks really are and help you avoid making what could be a very costly mistake.

Online banking fraud in Australia is no small issue, says Wing Fei Chia, Security Response Team Manager at anti-virus and security company, F-Secure. According to Chia, it’s difficult to ascertain the dollar figure for banking fraud, as many banks are reluctant to disclose numbers. However, Australia ranks sixth in the world as a target of recent banking trojans and phishing scams, says Chia. This makes it all the more crucial that you are confident in your bank’s ability to protect your money.

Passwords
John Colley is Managing Director at the international not-for-profit security organisation, (ISC)2, and used to be group head of information security at the Royal Bank of Scotland and head of risk services at Barclays in the UK. He readily admits there is a lot of truth to the assumption that some banks are willing to accept a certain amount of fraud by sticking to ‘old’ security technology.

“Every bank needs to make a risk decision,” Colley told us. “It can be very expensive to change banking front-ends and so a bank will weigh up the investment against fraud losses.”

For example, most banks in Australia still use only a single password to gain access to online banking, which is far from bullet-proof. “Single passwords are easily broken, they can be guessed, discovered and then used by hackers or fraudsters that want to gain access to online bank accounts,” Colley says.

A preferable system, sadly not seen amongst the banks in this roundup, is the so-called 2QV, or two-question verification. This is where the bank asks for your username and password, as well as the answer to one of several preset questions such as “what was your first school”. While it’s far from watertight – the answers to many of the questions can be gleaned from social networking sites – it’s still an improvement on a single password.

Phishing and screen scrapers
Ken Munro, managing director at independent penetration testing company SecureTest, regularly puts financial institutions under the microscope. Munro argues the real problem with security is users not protecting their data adequately.

“Virtually nobody would disclose their cash card PINs when asked, so why do users disclose banking passwords in response to phishing emails?” he asks.

David Harley, part of the research team at security vendor ESET, says phishing’s success rate is so high that other means of bypassing security are rarely needed. “Blackhats won’t generally waste a lot of time trying to get banking access by guessing, they tend to rely on getting the information they need directly from the victim, using social engineering approaches.”

So even relatively robust security measures can be breached if the customer succumbs to a phishing attack or discloses their password or PIN.

Keyloggers
Another threat is posed by keyloggers, often buried in Trojans that are surreptitiously installed on your PC while browsing the Web. According to Wing Fei Chia, today’s keyloggers are becoming more sophisticated and can track more than just the key presses as you type your password. Even onscreen keyboards, such as the one used by Westpac, are vulnerable.

“The latest Trojans can take screenshots every time you click on the [onscreen] keyboard,” says Chia. “Once done, the Trojan then sends the screenshots to the attacker.”

Munro still thinks that onscreen keyboards are an improvement though. “A number of banks, particularly those in the Middle East, appear to use the Java keyboard to great success,” he says. “It is still possible to log the position of the mouse on the screen, and work out the character being pressed on the keyboard, but it’s much harder.”

Token security
Even the seemingly uber-secure random number generating hardware tokens that create a new six-digit access code every 30 seconds are not entirely secure. Stephen Howes, CEO of ID authentication developers GrIDsure, warns that if a token is used inadvertently at a phishing site then the cybercriminal has a window of opportunity in which to use that captured code and access the account.

“An automated system will only need milliseconds to do this and so a one-minute token gives the fraudster plenty of time to conduct his/her man-in-the-middle attack,” Howes adds.

The common perception that losing a token is like handing over the keys to your account is wrong - the account is still protected by a user-determined PIN - but of greater concern, as Ken Munro points out, is the fact that most banks have emblazoned their logos on the tokens “so if one is stolen, one immediately knows which online bank to target!”

Using your mobile phone for protection
Possibly one of the best developments in online banking security in recent times is the use of mobile phones and SMS security codes. This reinforces the notion of two-factor authentication: something you have and something you know.

When you bank using an ATM, you have your card and you know your PIN. The problem has been finding an adequate replacement for the card when banking online.

This is where SMS codes can come in. Many banks use them today, including Commonwealth Bank, St George and NAB, and others are planning to implement the feature in the future. It’s not foolproof, says Chia, but “it improves security significantly.”

Men in the middle
No matter what security measures a bank implements, experts say there will always be one vulnerability - the internet itself. “All are flawed because they rely on a shared secret, which is then passed over an insecure internet,” says Garry Sidaway, principal consultant for multi-factor authentication specialists TriCipher.

“All the hacker does is sit in the middle of the connection between the bank and the user and pass on the shared secret, then grab the user’s private information.”

These types of man-in-the-middle attacks have hit large institutions such as Bank of America.

“We are also seeing man-in-the-browser attacks now where the hacker is changing information between the user and the bank on the fly, so ‘what you see is what you get’ can be broken as well.”
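The 30-second token window Howes describes and the on-the-fly tampering Sidaway calls man-in-the-browser can both be seen in a few lines of code. This is an added illustration, not code from the article or from any bank: it assumes a 30-second time step, six-digit codes, an HMAC-SHA1 construction in the style of the common HOTP/TOTP scheme, one step of tolerated clock drift and a constructed seed. The transaction-bound variant goes beyond what the article covers, showing the check a bank can make so that a code issued for one payment does not verify for a different payee.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumed: the token rolls over every 30 s, as in the article
DIGITS = 6         # assumed: six-digit codes
SEED = b"constructed demo seed, not a real token seed"  # constructed sample


def code_for_step(seed: bytes, step: int, context: bytes = b"") -> str:
    """HOTP-style code: HMAC-SHA1 over the time-step counter, optionally followed
    by transaction context, dynamically truncated to DIGITS decimal digits.
    Empty context = plain login code; payee/amount context = code bound to one payment."""
    mac = hmac.new(seed, struct.pack(">Q", step) + context, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def generate(seed: bytes, now: float, context: bytes = b"") -> str:
    return code_for_step(seed, int(now) // STEP_SECONDS, context)


def verify(seed: bytes, code: str, now: float, context: bytes = b"", skew: int = 1) -> bool:
    """Accept the code for the current step and +/- `skew` steps of clock drift.
    This tolerance is exactly why a code captured by a phishing page stays
    usable until its step (plus the drift allowance) has passed."""
    step = int(now) // STEP_SECONDS
    return any(
        hmac.compare_digest(code, code_for_step(seed, step + d, context))
        for d in range(-skew, skew + 1)
    )


def demo(now: float = 1_000_000.0) -> dict:
    # The user types a login code into a phishing page at `now` ...
    captured = generate(SEED, now)
    # ... and the fraudster relays it to the real bank 300 ms later: still valid.
    relayed_ok = verify(SEED, captured, now + 0.3)
    # Once the step and the drift allowance have passed, the same code is dead.
    stale_ok = verify(SEED, captured, now + 2 * STEP_SECONDS + 1)
    # A transaction-bound code only verifies for the details it was issued for:
    # if a man-in-the-browser swaps the payee, the bank's check fails.
    intended = b"payee=12345678;amount=500.00"   # constructed sample values
    tampered = b"payee=87654321;amount=500.00"
    txn_code = generate(SEED, now, intended)
    return {
        "relayed_login_code_accepted": relayed_ok,
        "stale_login_code_accepted": stale_ok,
        "txn_code_for_intended": verify(SEED, txn_code, now, intended),
        "txn_code_for_tampered": verify(SEED, txn_code, now, tampered),
    }
```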

Industry groups say banks are constantly adapting their security methods. “Each bank will have designed its fraud prevention solutions to tackle the types of fraud that it and its customers are experiencing,” says Mark Bowerman, spokesman for the financial trade association APACS.

“It is probable that different banks face different types of fraud threat to varying degrees and, therefore, they would need to implement relevant solutions accordingly.

As it stands, there is no one-size-fits-all approach. However, no bank has only a single line of defence in all this and there will be some form of ‘back-end security’ in place. These are not transparent to the customer or the fraudster, but will play their part in preventing fraud.”

There is no doubt that banks are taking online security more seriously, but despite the strides being taken towards better authentication security, it means nothing if cybercriminals can bypass them with keyloggers or social engineering.

As Graham Cluley, senior technology consultant at IT security specialists Sophos, warns: “With these kinds of attacks increasingly being found on reputable websites that have been hacked, any visitor to the page could fall victim, allowing fraudsters to grab all your login details in one go or build up a data profile over time.”

When it comes to online banking, therefore, the message is: couple the strongest authentication security measures with a large dose of data protection common sense, and don’t overlook the state of security on your own PC if you want to stay safe.
This Group Test appeared in the September, 2008 issue of PC & Tech Authority Magazine

Comments: 3
Gregmond
28 August 2008
I buy the magazine, I check your website regularly. It makes me sad that I create an account to login to point out faults. Maybe my next posting will be better ;)
Did anyone double check how this looked on the net ?
Where are the reviews after the Commonwealth Bank ? oops hidden by a graphic.
Who split the nice table in two and didn't put the list of what the rows were on the second page ? Even if I print them it would be hard to work out what is what.


William Maher
28 August 2008
Gregmond, there is a browser issue which is preventing the tables from displaying correctly. We're fixing this now. Thanks for the feedback.
totoaus
29 August 2008
I use Internet banking with two of the banks covered in this article. I do not choose my banks based on anyone's perception of how secure their online facilities are, I go for the higher ground: do I trust these people?
In a little more detail: are the staff I deal with competent and friendly, are their services suited to my needs, and do they make it easy for me to ascertain this? If they pass these tests, it tells me that I can trust them whether it be online, by phone or in person. If someone breaks their security (unlikely), and it directly affects me adversely (much less likely), then my analysis of what I have learned suggests they will fix it up promptly and honestly. That's all I have ever needed, and my banks have a perfect record! And to the sceptics, yes I have had to ask my banks to bail me out, once due to card fraud. They refunded not only my money, but the interest paid.
My last point: I have Asperger's Syndrome - it means I struggle with people; however I have learned an important rule: people are social beings - we need and depend on each other. I may be lousy at it, but I treasure the contact I have with other people, even if it is as indirect as posting on a web site.
Let's keep technology in perspective, something I see a dearth of on this web site, in the magazine, and in many other areas of life. Technology of any sort is only a tool; even the Internet's most compelling and successful tool was email. I learned that almost a decade ago, and have NEVER heard anything to dispute that.
From my disability, I have learned to FEAR people in almost any context of my life. Yet, I will never join any of those online environments where I can hide behind a fantasy personality. I love technology, but to counter my fears I have to deal with real life as best I can; if people cannot accept me in real life, then I am not going to try and find acceptance in a false world.
Yes, you may think I have drifted; but I see my point, and maybe you have learned a little about how my disabled brain works. Even through the vagueness of my Asperger's you have proved my point about social needs by reading or writing any post on any site.