Combating security threats online – Canadian banks keep clients’ information secure


Thursday, September 11th, 2008

Canadian banking industry invests in infrastructure to keep clients’ information secure on the Web

Jeff Buckstein
Sun

Online banking clients are a potential target as increasingly sophisticated Internet attacks aim to grab critical financial information.

Today’s attacks are taking place more frequently and faster than ever before. Banks and other protectors of sensitive online information now face threats from so-called “zero-day” attacks, says George Kerns, president and chief executive officer of Fusepoint Managed Services Inc., a managed IT solutions provider headquartered in Mississauga, Ont.

“The whole point of a zero-day [attack] means that within 24 hours of most things being known, they’re exploited. [Consequently], there’s very little time to be able to fix it before there’s some kind of impact.”

The banking industry in Canada devotes substantial time, effort and money to combat such threats, stresses Maura Drew-Lytle, director of media relations and communications with the Canadian Bankers Association (CBA) in Toronto.

According to the CBA, clients of the six largest Canadian banks alone — RBC Royal Bank, BMO Bank of Montreal, TD Bank, Scotiabank, CIBC and National Bank of Canada — went online to record nearly 394 million financial transactions in 2007. In 2006, those same banks spent a total of $4.4 billion on their technology infrastructure; between 1996 and 2006, inclusive, they invested $37.6 billion.

“The banks have a lot of personal financial information on their customers, so they understand that protecting that is certainly one of their most important jobs,” says Drew-Lytle. “The banks are always implementing new security procedures” to ensure customer safety, she adds.

BMO Bank of Montreal, for instance, offers clients a number of protective measures. These include enhanced sign-in security to help prevent unauthorized account access, multiple levels of firewalls, and 128-bit encryption to ensure the safety of data passing between parties, among other features.

Lee Dunn, vice-president and chief information security officer at BMO, says the enhanced sign-in features include a personalized graphic and customized phrase users select to appear after they enter their card number. This graphic and phrase combination helps identify the website’s authenticity, after which the user can sign in with their personal identification number. This works two ways: “It gives the customer a confident feeling they are at a legitimate website” and also provides the bank with assurance the customer is who they purport to be, she notes.

BMO also monitors sign-in patterns. If, for instance, a person signs on to their account away from the computer site they normally transact from, the bank will prompt them with a series of supplementary, pre-selected personalized questions to make sure that it is indeed the client who is attempting to sign on, explains Dunn.

But firewalls alone don’t provide enough security. While a firewall can act as an infrastructure layer to try to prevent unauthorized access for certain services, “most hackers today break into the web applications,” which in an online, worldwide banking environment allows them to more easily bypass firewalls, says Stewart Wolfe, KPMG LLP’s leader of security services for the Greater Toronto area.

“Although application layer firewalls provide a level of protection, the secure coding of applications from initial development to production release is key to providing Internet banking web applications that are more resistant to malicious penetration attempts,” Wolfe adds.

This is one reason why additional protection, such as a secure sockets layer (SSL) certificate issued by an authorized third party to certify that a web server belongs to the company it purports to be, is essential. Such certificates include 128-bit encryption.

Customers can also arm themselves by becoming aware of the threats they may face and what to do about them.

Phishing attacks, for instance, are a prime example of a malicious attempt to exploit banks and their customers. The idea of a phishing e-mail is to get users on to a so-called “spoof site” that mimics the appearance of an authentic site, says Darrell MacMullin, country manager for PayPal Canada, an online payment solutions provider in Toronto.

Often such correspondence involves urgent requests for banking clients to validate their credentials or register for a type of service when they log onto a false site with their user name and password, so perpetrators can capture the sensitive personal information needed to commit further crimes, adds Wolfe.

“A bank will never send you an e-mail asking you to verify your personal information,” says Drew-Lytle. “They already have it.”

Consequently, it’s essential for users to authenticate that the website they enter is genuine, and never give out sensitive financial information unless they are certain it is. The best way to do this, Wolfe says, is to verify the SSL certificate by clicking on the lock displayed by the Internet Explorer browser. A lock icon will appear when the address prefix in the browser bar changes from http to https.

If clients are contacted by somebody phishing for information illegally, they need to contact their bank immediately, the experts say.

TIPS FOR ONLINE BANKING CLIENTS

Here are some tips from the experts on how online banking clients can protect themselves against phishing attacks — phoney e-mails that attempt to extract valuable personal financial information.

– Be aware that authentic banks will never request that their clients divulge personal information, such as account numbers and passwords, in an e-mail.

– Authenticate that the website you are going to is genuine by verifying that it has a secure sockets layer (SSL) certificate.

– Never click on a link in a suspicious e-mail. Instead, search out the official bank site via your browser bar.

– Never download an attachment from a suspicious e-mail. It may contain a virus or spyware.

– Contact your bank immediately if you suspect somebody has tried to emulate them online.

© The Vancouver Sun 2008