Types of countermeasures to bank crimes over the world
This article surveys types of countermeasures to bank crimes. Different countries counter bank crimes in different ways, and this work shows the most effective of them.
Countermeasures, bank crimes, cnp, bank security
Short URL: https://sciup.org/140278640
IDR: 140278640
Text of the research article: Types of countermeasures to bank crimes over the world
In the U.S., because online crime has been trending upward, the e-commerce and online banking industries have implemented multiple security tools as countermeasures. For online banking in particular, security countermeasures were strengthened by the Federal Financial Institutions Examination Council (FFIEC) stipulation that alternative authentication (two-factor authentication) methods, in addition to the traditional ID and password, must be implemented by the end of 2006. One technology that has spread rapidly as a two-factor authentication method is IP Geolocation. Quova is a top American IP Geolocation provider; its clients have grown to include four of the top five banks and 91 of the top 100 banks in the U.S. Furthermore, 300 of the top 500 banks in the U.S. have implemented an authentication solution using Quova’s IP Geolocation. In 2006, the penetration rate of IP Geolocation amounted to 35% of the overall online service market, and 60% of the online service market segment with annual sales over $25 million.
According to the British news site The Register, financial losses related to online banking fraud increased over the years from 12.2 million pounds (approximately 3 billion yen) in 2004, to 23.2 million pounds (approximately 5.6 billion yen) in 2005, and 33.5 million pounds (8.1 billion yen) in 2006. The increase in losses from 2005 to 2006 was thought to be mainly a result of the rapid increase in the number of phishing frauds, from 1,713 to 14,156 in 2006.
However, during the first half of 2007, fraud-related losses decreased by approximately 70% compared to the same period in 2006. According to a report issued by APACS, fraud-related losses during the first half of 2007 were 7.5 million pounds (approximately 1.8 billion yen), much lower than the 22.4 million pounds (5.4 billion yen) during the first half of 2006. The decline was due to the implementation of new fraud detection and prevention mechanisms and the high baseline number during the first half of 2006.
The U.K. is proceeding with the implementation of Chip-and-PIN. Chip-and-PIN works this way: an IC chip is embedded in the credit card, and a PIN is required to settle a transaction instead of a signature, which prevents anyone other than the cardholder from using the card. Forging an IC card is more difficult than forging the traditional magnetic stripe. Because unauthorized credit card use trended down after the introduction of Chip-and-PIN, it has also been implemented as a countermeasure to online fraud. Beginning in the summer of 2007, three of the top four banks in the U.K. implemented portable Chip-and-PIN devices, and cardholder authentication has become more robust.
On the other hand, France has been lagging behind in the implementation of fraud countermeasures. According to France’s central bank, the Bank of France, strengthening authentication through one-time passwords is not moving forward because it is unpopular with customers due to high cost and low usability. However, even though France has also implemented the Chip-and-PIN device, information stolen through phishing is used in e-commerce transactions, so the percentage of CNP (Card Not Present) crimes has been on the rise. Although much of the damage is being covered by insurance due to the expansion of e-commerce, strengthening of the security system is urgently needed.
In Asia, two-factor authentication is starting to be implemented. Asian government agencies such as the Monetary Authority of Singapore, the Hong Kong Monetary Authority, and Malaysia's central bank, Bank Negara Malaysia, have recommended the implementation of two-factor authentication for strengthened security. Authentication implemented in this fashion mostly consists of a token or a one-time password sent by SMS. Implementation of two-factor authentication had the unexpected effect of increasing customer confidence in online banking. At the same time, transaction price also seems to have increased.
In Japan, online crimes have also been spreading along with the expansion of online banking. According to a report by the Financial Services Agency in September 2007, among all kinds of online fraud, online banking fraud amounted to 49 events and 105 million yen of loss in 2005, and 102 events and 110 million yen of loss in 2006. Between April and June 2007, there were 68 online banking fraud events amounting to 86 million yen. Annualized, that equals an estimated 272 events and 300 million yen in loss for the entire year, an even faster rate of increase than in the previous year. In addition, there is also much online banking related loss that remains under the surface.
In addition, according to a report by the Anti-Phishing Working Group, as of July 2007 Japan ranked No. 3 in the number of phishing sites hosted, just below China and the U.S., having climbed from No. 7 in the previous year. The total number of phishing sites in the world more than doubled from 14,191 in 2006 to 30,999 in July 2007. As loss related to online fraud is increasing in Japan, are countermeasures also progressing? According to the Bank of Japan Review issued in July 2006, the Bank of Japan recommended strengthening authentication, although this was not a public stance. According to a report issued by the Financial Services Agency in March 2007, among the 1,543 financial institutions that provided online banking services, 99.7% implemented multiple authentication. Specifically, 236 institutions (15%) implemented one-time passwords, 6 institutions utilized a password generator, and 230 institutions implemented a random number table or mail-based security measures. Other institutions implemented systems that generated passwords through mobile phones, and software keyboards. In addition, various anti-phishing software services such as Securebrain and VeriSign became popular. 3D Secure was implemented as a countermeasure against fraudulent online credit card transactions. However, compared with the U.S. and other governments that mandated stronger authentication, it cannot be denied that Japan lags behind in security countermeasures for online transactions.
Although major banks in Japan have implemented one-time passwords, this alone is not safe enough. In April 2007, the Dutch bank ABN Amro suffered a man-in-the-middle attack even though the bank had implemented a one-time password token as two-factor authentication. After opening an email containing a virus, the user was led to enter information into a forged bank website. The information was immediately used at the real website for fraudulent transactions. In July 2006, the one-time password token used for Citibank accounts also suffered a man-in-the-middle attack. It is said that tokens cannot prevent man-in-the-middle attacks.
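An added illustration of the limitation described above (not code from the article): a minimal one-time password check following RFC 6238, showing that a code forwarded within its validity window verifies no matter which client presents it. The `Bank` class, the password, the IP addresses and the timestamps are constructed for the example.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 one-time password (HMAC-SHA1) for the time step containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Bank:
    """Constructed server-side check: password plus one-time password."""

    def __init__(self, password: str, secret: bytes):
        self.password = password
        self.secret = secret
        self.last_step = -1  # newest time step whose code was already accepted

    def login(self, password: str, otp: str, now: int, client_ip: str) -> str:
        # client_ip can be logged, but the OTP itself says nothing about which
        # site the user typed it into or which client is presenting it.
        step = now // STEP
        if not hmac.compare_digest(password, self.password):
            return "rejected: bad password"
        if step <= self.last_step:
            return "rejected: code already used"
        if not hmac.compare_digest(otp, totp(self.secret, now)):
            return "rejected: bad code"
        self.last_step = step
        return "accepted"

def demo() -> list:
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    bank = Bank("correct horse", secret)
    typed = ("correct horse", totp(secret, 60))  # entered on a look-alike page
    return [
        # Same values presented 5 s later by a different client: still valid.
        bank.login(*typed, now=65, client_ip="203.0.113.7"),
        # The genuine user retries in the same step: single-use check fires.
        bank.login(*typed, now=66, client_ip="198.51.100.20"),
        # The same code after its time step has passed no longer verifies.
        bank.login(*typed, now=125, client_ip="203.0.113.7"),
    ]

if __name__ == "__main__":
    print(demo())
```

Single use and a short validity window stop later replay of a captured code, but neither check can tell the account holder from a party that forwards the code immediately.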
Sources:
1. https://www.dhs.gov/topic/combating-cyber-crime
2. http://www.bankinfosecurity.com/cybersecurity-c-223
3. http://www.occupy.com/article/bank-crimes-pay-under-thumb-global-financial-mafiocracy