How to reduce Internet Banking Fraud

Two days ago, I did a blog post titled “Woes of a Nigerian Internet Banking Customer” with a promise to do a follow-up post, offering suggestions. Well, this is it.

First, it is defeatist for a bank to cancel online funds transfer when it is possible to minimize the effect of fraud. I would start with the simple methods.

1. Customer awareness: This is a simple thing to implement. Educate your customer about potential fraud right when they pick-up the form to apply for Internet Banking facilities. In addition to verbal communication, customers should be presented with a flyer  informing them about scams emails and how to detect fake email messages and fake websites. Aside the day of sign-up, the financial institution should always include a warning at the bottom of every email they send out, educating their customers about scams and how to avoid being scammed. Banks should educate every customer to look-out for the security padlock on their web browser before entering their login details.

2. Install a security toolbar: Aside recent Firefox and Internet Explorer 7 features that help in detecting fake financial institution websites, some toolbars come handy too. My preference is Netcraft Toolbar. Netcraft Toolbar protect you [your money 🙂 ] from Phishing attacks, displays the hosting location and Risk Rating of every site you visit and generally allows you to help defend the Internet community from fraudsters.

Whats more? The Netcraft Toolbar also:

• Traps suspicious URLs containing characters which have no common purpose other than to deceive.
• Enforces display of browser navigational controls (toolbar & address bar) in all windows, to defend against pop up windows which attempt to hide the navigational controls.
• Clearly displays sites’ hosting location, including country, helping you to evaluate fraudulent urls (e.g. the real citibank.com or barclays.co.uk sites are unlikely to be hosted in the former Soviet Union).

3. Report phishing emails and websites: Whenever you recieve any such fake email, do not click on any of the links in it and do not reply. Simply forward the message including its Full Headers to:

1. Your financial institution. Ceteris paribus, they would take all the necessary action against the scammers. Example, if you are a Paypal user and the email is about Paypal, forward the fake email to spoof[at]paypal.com (replace [at] with @)
2. The abuse department of the company/organization running the server where the email originated from. Example: if the mail originated from a Yahoo mailbox, forward it to abuse[at]yahoo.com (replace [at] with @)
   If the mail was not sent from a free email service like Yahoo or Hotmail, go to the WHOIS record of the domain name used in sending the fake email.
3. Your local law enforcement agency: the Police or financial crime unit in your country. They should take necessary action especially if the mail originated from within your country.

4. Regularly update your web browser: These days, leading web browsers come with security features that help in detecting fake websites. They usually consult a database of reported fake websites and then warn you with a message when you visit any of such reportedly scammy websites.

5. Be safe. Use Internet security suites on your computer: There are a excellent Internet Security suites out there that help protect you from viruses, worms, trojan horses, keyloggers etc that the scammers might download to your computer if you clicked on the links in their fake email. Your Internet Security suite should detect such dangerous software and prevent them from working on your PC.  The suites come at an annual fee, but its worth it.

6. Security keys: There is a new device that offers an extra layer of protection against unauthorized access to your financial account, from the Internet. It is called a Security Key. Typically, it’s a device that generates a temporary 6-digit security code every 30 seconds. You need to have this device with you physically, and enter the correct code on its screen along with your account username and password, before you can gain access to your account via the Internet. Even if some got access to your username/password combo, they cannot access the account since you would be in possession of the device. Paypal is already using such and I know of a financial institution in the United States that uses them as well.

7. Accsent: This is a smart one by e-gold.

e-gold’s Account Sentinel^TM(also referred to as AccSent^TM) enhances the security of your e-gold account by enabling you to direct the circumstances under which your e-gold account may be accessed.

AccSent empowers you to restrict browser access to your account to a single IP address (or range of IP addresses) and/or to a single web browser based on settings you can configure to best meet your needs – simply log in to your account, click Account Info, and scroll down to AccSent’s browser access settings.

AccSent’s browser access enhancements were deployed to provide you an additional level of protection in the event your passphrase is compromised due to poor security practices on your part (we hope this does not describe you!). However, these enhancements should not be regarded as diminishing the importance of good security practices. We urge you to read and practice e-gold’s security recommendations.

Other financial institutions can implement things like e-gold’s AccSent.

My bank would agree with me that preventing their Internet Banking customers from sending money online to third parties is a very bad move. If they don’t fix their mistakes asap, they’re loose customers to other banks.

Do you know of any other safe practice that I left out? Any corrections or additions? Your ideas are always welcome on my blog. Post your comment now.