Internet banking fraud in the Netherlands: three time more incidents, twice the damage

2011/11/15

The Dutch Banking Association (NVB) in the Netherlands provides numbers of internet banking fraud, I think twice a year (see also my last post on this). Yesterday the announced new numbers, together with a new awareness campaign for the public. The numbers they announced yesterday about the first half of 2011: amount of incidents is 2400 and the damage is €11.2M.

I extrapolated these numbers for the whole of 2011 by simply multiplying them by two (which is probably optimistic) and compared them to the 2009 and 2010 numbers.  The bottom-line is is that internet banking fraud still increases a lot with more than twice the damage in 2011 than in 2010. The relative increase is however less dramatic than from 2009 to 2010, when it increased with a factor of five. The amount of incidents increased with a factor of about 3.5, and thus there is also good news: the amount of damage per incident decreased (to an average of ~€4.500 per incident). I guess this is because the Dutch banks improved their detection of internet fraud, and are more effective in quickly stopping money mules.

Non-technical countermeasures such as continuing awareness campaigns and the Electronic Crimes Taskforce (which hunts cybercrimes) are needed, but really preventing internet banking fraud also depends on better authentication means and other more technical measures. What I found somewhat remarkable is that the NVB press release and also e.g. the article in the Volkskrant (a Dutch national newspaper) talked about ‘old fashioned’ phishing emails a being a big part of the problem, while I’m personally more worried about malware on the consumers devices (laptop, smartphone, tablet etc). An anecdote is a colleague of mine that was very recently the subject of an attack involving advanced malware that infected his PC irrespective of up-to-date patches and virus scanners. The malware then waited till my colleague made a transfer, and added a transfer to empty his acoount to a money mule in Portugal. Such malware is undetectable for ‘normal people’, including the browser indicating a valid website certificate. He however noticed this right after the transfer because the browser was acting strangely, and was able to stop the transfer by calling his bank. I’, however sure that for someone less ‘nerdy’ the browser’s strange behavior would have been too suble to notice.

The below graphs show the fraud numbers for 2009, 2010 and (extrapolated for) 2011.

Leave a Comment » | Uncategorized | Tagged: , | Permalink
Posted by Maarten Wegdam

Internet banking fraud in Netherlands increases more than 4 fold

2010/10/15

The Dutch Banking Association (NVB) provided numbers on how much fraud there is in the Netherlands with internet banking (in Dutch). Since we’re doing a project called cidSafe for several companies in the financial sector in the Netherlands on consumer identity (see this recent presentation in English, or the website which is mostly in Dutch), I was very interested in these numbers.

The fraud with internet banking in NL is  €4.3M for the first 6 months. Although I agree with the NVB that this in itself is not a huge number, the increase is very big. In the whole of 2009 the fraud was €1.9M, thus an increase of about 450%! By the way, victims of internet banking fraud are usually reimbursed by their banks, and all Dutch banks use two-factor authentication. Compared to the numbers recently released in Germany, internet banking fraud seems a somewhat bigger problem in the Netherlands than in Germany (with an estimate of €17M in 2010 about twice as much fraud as NL, but with 5 times more inhabitants). Also in Germany there is a big increase in internet banking fraud compared to 2009.

The NVB press release mentions phishing as the main method of fraud. I couldn’t find more details on this, but simple phishing of username/password won’t work since all internet banking services in NL use some form of two-factor authentication (smartcard or SMS one-time-password based). Malware attacks are becoming more advanced, as e.g. the recent “Zeus In The MObile” malware showed that can even spread from desktop to mobile using social engineering. This article (sorry, again in Dutch) states that most attacks are a combination of relatively simple phishing or malware (keylogggers) with social engineering to get the second factor.

If the increase in internet banking fraud would continue for a couple of years  this will become a very serious financial problem (€39M in 2011?, €174M in 2012?). Add to this the emotional impact on victims and reputation loss for banks, and this increase in fraud is something to worry about. The weakest links appears to be 1) the home PC (and smart phone) and people’s ability to keep this malware free, and 2) people being subject to social engineering attacks. The question for me therefore what is more effective for banks to invest in:

  • educating their customers, on the importance and ways to keep their PC/smartphone malware free, and to make them less susceptible to social engineering attacks, which will no doubt help but is not a silver bullet, or
  • invest in technology, by providing more secure authentication means that are (not or) less sensitive to malware and social engineering attacks, which is very expensive and can be very annoying for users.

The alternative for banks is to wait and see if others (police, government, operation system vendors, anti-malware vendors etc) will be able to counter this increase in internet banking fraud, this is however not what I expect they will do, as is also shown by the new awareness campaign by NVB.

4 Comments | Uncategorized | Tagged: , , , | Permalink
Posted by Maarten Wegdam

Impressions from ISSE 2010

2010/10/06

I’m at the ISSE 2010 this week, which takes places in Berlin this year. I’ll share my impressions on two subjects that were hot (in the first two days, since I write this with one more day to go).

German eID

The ‘hottest’ item is the new German eID card (nPA), which will be issued starting 1 November. This is a ‘normal’ ID card, with an eID contactless chip. Technically the eID function seems to be better than what I’ve seen before, but more interesting for me was the business model behind it, and how they handle privacy.

With respect to the business model, it is interesting that it can be used for consumer-2-business authentication, thus increasing usage beyond citizen-2-government services.  This is for free from the perspective of the relying party (aka service provider). Of course, running a so-called eID server to ‘talk’ to the eID card is not trivial, and much more complicated than becoming e.g. an OpenID relying party. There are companies ready to take care of this on behalf of the relying party, this will of course costs money. Citizen have to pay for the card, but since it is (I think) mandatory to have one …

With respect to the digital signature function, this is not present by default. A citizen has to go to a commercial party for this, i.e., a different business model for the signature function as for the authentication function. Reason seems to be that this is not considered a government responsibility (contrary to authentication/identification), and companies are already offering this as a service (I expect not a lot to consumers though). This probably also means that there will be only very few people that go to this trouble (and costs), and thus little coverage for consumers/citizens.

With respect to privacy: what is interesting is the ability to be a pseudonym-only authentication device, that relying parties need to register and motivate which attributes they want to read, user consent and proof-of-age function that does not reveals ones age. Also interesting is that kids below 16 are not allowed to use it to identify themselves, for privacy reasons I assume (can’t trust those kids to know what they’re doing J).

The Germans life up to their reputation of being privacy-conscious with this new eID card, good for them. When looking at some of the details, they also life up to another reputation of being very sensitive to academic grades: Doktorgrad is a data field for the card… Not sure how important this is for security purposes though, but at least the border control or webshop can properly address “Herr Doktor” J

The big question is now if this takes off with both public and relying parties, and how long this takes. There are examples in other countries that were earlier, where this went very slowly of not at all (e.g., Belgium).

Phishing/malware

There were some, mostly German, talks on phishing and malware. Quite scary actually how this is progressing. Cybercrime seems to become more professional, and is scaling up. I’m a strong believer in “good enough” security, especially when it concerns damage that is ‘only’ money/fraud, contrary to privacy loss. To quote a number, the German government (Bundeskriminalamt) estimates a €17 million fraud for phishing/malware in Germany for online banking for 2010 (with €3500 average damage). This in itself is not a number that surprises me, it is even lower than I expected, but if the growing trend (71% up from last year!) continues the coming years this number will increase quickly. Of course, costs to properly counter these threats, and the userunfriendlyness that often comes with it, are also huge.

Leave a Comment » | Uncategorized | Tagged: , , , , | Permalink
Posted by Maarten Wegdam

Overlay banking or phishing/man-in-the-middle attack?

2009/11/18

Today I learned that there is such a thing as overlay banking, which provides a way to pay in webshops through your online banking system. Contrary to how in the Netherlands popular iDeal system works, with overlay banking you provide your credentials (including a one-time-password/TAN code)  to a hopefully trusted third party. Technically, you could say this third party is very similar to someone doing a man-in-the-middle attack. The Dutch National Bank and others expressed their concerns about this, and I completely agree. Although I can imagine that the specific party providing this overlay banking service (the German Payment Networking) may very well be trustworthy, one should of course never give ones credentials to a third party. There are many technical solutions to avoid this (e.g., OAuth), and let someone act on your behalf without having to give them your credentials. What worries me most is that this may educate people to be more susceptible to phishing and man-in-the-middle attacks!  Apparently Payment Networking disagrees (article in Dutch), and considers their system secure because they adhere to high security standards. This does not however take my ‘educating people to do the wrong thing’ concern away.
Of course, one may also argue that in addition to raising concerns about overlay banking, the European banks should speed up the process of standardizing interfaces that allow competing international online payment systems. I can imagine that overlay banking is simple a way to provide cheap online payment, and with proper standards and fair competition, this should be possible without the above described security risks.

Leave a Comment » | Uncategorized | Tagged: , | Permalink
Posted by Maarten Wegdam

Follow

Get every new post delivered to your Inbox.