Phishing education for banking customers useless
- 07 February, 2007 16:32
User education for online banking customers on how to avoid phishing scams has been likened to nailing jelly to a wall as this form of commonsense defense has failed to work time and time again.
The failure of customers to secure their own money for an Internet transaction, by not using correct or up-to-date software, could potentially lead banks to pass responsibility for financial losses back to the customer.
Paul Henry, senior vice president of Secure Computing, said lots of financial organizations have done a great deal of customer education in response to phishing attacks.
But it has done very little, Henry said, because commonsense isn't applicable when dealing with phishers.
"Even if you manually enter a URL, security is obsolete, as phishers have created Trojan code that modifies the host file on Windows to automatically redirect," he said.
"Phishers can also attack a router and redirect information to a different server - user commonsense is no longer valid.
"It is amazing how many banks have servers compromised to host phishing sites.
"It is now more common to attack a network in a bank because it is the last place someone would look. Phishers need to eliminate the number of e-mails sent out to reduce the noise and just focus on, say, 100 e-mails directed towards employees of a bank.
"I think banks will be passing the costs of losses to phishing scams onto the customer in the next two years."
Henry said banks are reluctant to refund losses if an account is hijacked.
For example, he said a Bank of America customer had a PC compromised with a Trojan, losing $US90,000 from the account.
The funds were sent to a bank in an Eastern bloc country - with $US20,000 taken out immediately.
Although the theft is currently before US courts, Henry said the Bank of America has adopted the attitude that a Trojan on your PC is "your problem".
"The defendant claims he was told to move to Internet banking by the bank and from the bank's perspective, Internet banking reduces the cost of transactions, enhancing profits; if the court rules in the bank's favour then that is a bad precedent," Henry said.
David Bell, chief executive of the Australian Bankers' Association (ABA), said systems are in place to constantly monitor online transactions.
As a result, fewer customers are actually reporting incidents of online fraud, particularly when it involves phishing.
"Banks tell us that customers are reporting fewer incidents of online fraud due to the industry's efforts in fraud prevention such as employee training, strict privacy policies, rigorous security and encryption systems," Bell said.
"This is in addition to communicating with customers and educating them on how to avoid becoming a phishing victim.
"These combined efforts have resulted in a comparatively low level of fraud in Australia compared to the UK and other countries."
Bell said the credit card fraud rate for signature-based transactions globally is currently around 7 cents for every $100 transacted compared to 4 cents for every dollar in Australia.
"The Australian PIN-based debit card system does even better at less than 1 cent for every $100 transacted," Bell added.