INTERNET banking services have been operational in Malaysia since 2001.
Presently, only banking institutions licensed under the Banking and Financial
Institution Act 1989 (Bafia) and Islamic Banking Act 1983 are allowed to offer
Internet banking services here. There are 12 commercial banks (inclusive of
Islamic banks) out of a total of 25 in Malaysia currently offering Internet
banking services.
According to the 11th Malaysia Internet Survey conducted by ACNielsen, Internet
banking is one of the most popular services utilised by Malaysian surfers. The
survey found that 51% out of the total respondent base of 8,000 used the
Internet for online banking once a month.
However, 2003 and 2004 saw the emergence of fraudulent activities pertaining to
Internet banking or better known as “phishing.” A total of 92 phishing cases
were reported to the Malaysian Computer Emergency Response Team (MyCERT,
www.mycert.org.my) in 2004. The modus operandi of this activity is to
use spoofing techniques to gain names and passwords of account holders.
The victims reported being deceived into going to a fake website where
perpetrators stole their usernames and passwords and later used the information
for the perpetrators’ own advantage. Phishing is an attempt to commit fraud via
social engineering. The impact is the breach of information security through
the compromise of confidential data.
The Association of Banks Malaysia (ABM) has urged banks and their customers to
be extra vigilant following reports of fraudulent e-mail purportedly sent by
banks to online customers.
The fraudulent activities mentioned above are not limited to the Malaysian
banking industry. It is a worldwide problem, particularly in the United States.
There, 2,560 new and unique phishing sites were reported to the Anti Phishing
Working Group (APWG) in January this year (see
antiphishing.org/APWG_Phishing_Activity_Report_Feb05.pdf).
It was an increase of 47% over the December 2004 figure. APWG is an industry
association focused on eliminating identity theft and fraud that result from
the growing problem of phishing and e-mail spoofing. This voluntary
organisation provides a forum for users to discuss phishing issues, trials and
evaluations of potential technology solutions, and access to a centralised
repository of reports on phishing attacks.
In China, it was reported that the Computer Emergency Response Technical
Team/Coordination Centre (CNCERT/CC) received 223 phishing reports from over 33
worldwide financial and security organisations last year.
Nowadays, the nature of attacks is more active rather than passive. Previously,
the threats were all passive, such as password guessing, dumpster diving and
shoulder surfing. Here are some of the techniques used by attackers today:
Trojan attack: The attacker installs a trojan, such as a keylogger
program, on a user’s computer. This happens when users visit certain websites
and download programs. As they are doing this, the keylogger program is also
installed on their computer without their knowledge.
When users log on to their bank’s website, the information keyed in during that
session will be captured and sent to the attacker.
Here, the attacker uses the trojan as an agent to carry information from the
user’s computer back to the attacker’s own system, and then makes fraudulent
transactions whenever he wants.
Man-in-the-middle attack: Here, the attacker creates a fake website and
draws the attention of users to that website. Normally, the attacker is able
to trick the user by disguising his identity to make it appear that the message
came from a trusted source. Once successful, users go to the fraudster's
website instead of the designated one without realising it. The information
keyed in during that session will be captured and the fraudsters can make their
own transactions at the same time.
Presently, Internet banking customers only need a computer with access to the
Internet to use Internet banking services. Customers can access their banking
accounts from anywhere in the world. Each customer is provided a login ID and a
password to access the service. It is indeed easy and convenient for
customers.
However, the use of a password does not provide adequate protection against
Internet fraud such as phishing. The problem with passwords is that once a
password has been compromised, fraudsters can easily take full control of online
transactions. In such cases, the password no longer works as an authentication
token because we cannot be sure who is behind the keyboard typing that password
in.
However, easy access and convenience should not be at the expense and mercy of
the security of information. This is important in order to ensure the
confidentiality of information and that it is not being manipulated or
compromised by fraudsters.
There are several methods of ensuring more secure Internet banking:
1) Minimum requirement: Two-factor authentication
With the password-only method described above, the security measures in place
are not adequate to prevent fraud. The current method of using only one factor
of authentication definitely has its weaknesses. The security aspects of
Internet banking need to be strengthened. At minimum, two-factor authentication
should be implemented in order to verify the authenticity of the user before he
is allowed to use Internet banking services.
The first authentication factor can be the use of passwords and the second
authentication factor can be the use of tokens such as a smartcard. MyKAD is a
good avenue to introduce the second factor authentication.
The above security measures will greatly minimise incidents of Internet banking
fraud. The smartcard here provides a second layer of authentication. This will
stop a perpetrator even if he manages to obtain the user's password.
Intercepted passwords cannot be used if fraudsters do not have the smartcard.
Besides addressing fraudulent activities, this can instil customers' confidence
in Internet banking.
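The point that an intercepted password is useless without the smartcard can be shown with a challenge-response login. The example below is added here and is not from the article or any Malaysian bank's system; the bank-side functions, the customer's sample password and the card key are all constructed for illustration, and the card's secret is modelled as an HMAC key that never leaves the card.

```python
import hashlib
import hmac
import secrets

# Constructed sample record for one customer (not real credentials).
PASSWORD_HASH = hashlib.sha256(b"Correct-Horse-2005").hexdigest()
CARD_KEY = secrets.token_bytes(32)   # secret stored only on the smartcard
ISSUED_CHALLENGES = set()            # nonces the bank has handed out, not yet used

def issue_challenge():
    """Bank side: a fresh random nonce that is valid for exactly one login."""
    nonce = secrets.token_hex(16)
    ISSUED_CHALLENGES.add(nonce)
    return nonce

def card_response(card_key, nonce):
    """Smartcard side: sign the bank's nonce with the key held on the card."""
    return hmac.new(card_key, nonce.encode(), hashlib.sha256).hexdigest()

def login(password, nonce, response):
    """Bank side: factor 1 (what one knows) and factor 2 (what one has) must both pass."""
    if hashlib.sha256(password.encode()).hexdigest() != PASSWORD_HASH:
        return False
    if nonce not in ISSUED_CHALLENGES:      # unknown or already consumed challenge
        return False
    ISSUED_CHALLENGES.discard(nonce)        # one-time use defeats replay
    expected = card_response(CARD_KEY, nonce)
    return hmac.compare_digest(expected, response)

def legitimate_login():
    """Customer with both password and card."""
    nonce = issue_challenge()
    return login("Correct-Horse-2005", nonce, card_response(CARD_KEY, nonce))

def replayed_login():
    """A keylogger captured password, nonce and response from one genuine session.
    Returns (victim's result, fraudster's replay result)."""
    nonce = issue_challenge()
    resp = card_response(CARD_KEY, nonce)
    victim = login("Correct-Horse-2005", nonce, resp)
    fraudster = login("Correct-Horse-2005", nonce, resp)
    return victim, fraudster

def password_only_login():
    """Fraudster knows the password but holds no card, so cannot answer a new challenge."""
    nonce = issue_challenge()
    return login("Correct-Horse-2005", nonce, "0" * 64)
```

A live man-in-the-middle site that relays the bank's challenge to the victim in real time is not stopped by this alone; binding the card's signature to the transaction details as well is the usual countermeasure.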
2) Additional requirement: Three-factor authentication
However, for better security, a three-factor authentication process should be
considered. The third authentication factor is the use of biometrics such as
iris or thumbprint recognition. This ascertains who one is, biologically. This
method of authentication has been introduced by the Employee Provident Fund
(EPF) for its members, but is limited to getting the latest statements of a
member.
With a three-factor authentication, a more secure method can be implemented – a
password to ascertain what one knows, a token (smartcard) to ascertain what one
has, and biometric recognition (for example fingerprint or thumbprint) to
ascertain who one is.
As such, if passwords have been compromised, fraudsters need to get through the
other two levels of authentication to access a customer's account. This would
be difficult, if not totally impossible.
The providers of Internet banking services must be more responsive to security
requirements. While there is no doubt that Internet banking transactions should
have layered protection against security threats, the providers should approach
security considerations as part of their service offerings.
Currently, there are no formal processes being put in place to determine the
level of security provided by these service providers and what the minimum
standards should be.
Local financial institutions should consider the above-mentioned
recommendations to ensure confidentiality of customer information. However,
there is the cost implication to these recommendations. Part of the cost is
already taken care of by MyKAD – a multipurpose digital application card for
all citizens over the age of 12.
The additional costs are the hardware and software needed for the card reader
and biometric recognition.
However, this is indeed a serious matter that needs to be looked into by the
relevant authorities in this country. In the long run, the cost involved to
implement better security will be worth it and beneficial to the customers and
the banking industry.
The National ICT Security & Emergency Response Centre (Niser) was set up by
the National Information and Communication Technology Council (NITC). It works
with government and private bodies to address security-related issues in the
country.
Zahri Yunos and Ahmad Nasir Mohd Zin are the manager and executive
respectively at the Strategic Planning Unit of Niser.