Crooks Move from Phishing to Pharming Financial Data

New scams redirect consumers trying to login to their online accounts

Indeed, the question is whether such threats will at some point deter people from conducting business on-line. "Consumers are losing confidence in the Internet," laments Jon Ramsey, CTO at on-line security firm SecureWorks. "If the security risk outweighs the convenience of on-line banking, then people will revert to other means." So far, the banking industry hasn't seen any mass defections. "The more important thing is to practice the vigilance so that doesn't happen," warns Doug Johnson, senior policy analyst at the American Bankers Association. He says the industry tries to strike a balance between convenience and security, even as online fraud threats proliferate. "We all see at the end of the rainbow this promise of electronic commerce," he says. "But we don't want to have a customer confidence issue."

Experts note that banks can take steps to put their customers (and themselves) more at ease. On the most basic level, banks are already educating customers about how to protect themselves from threats. "Educating our customers is the only thing we can do outside the bank to protect ourselves," says Mark Payne, director of technology at Scottsbluff, NB-based Platte Valley National Bank. "Our best defense is education."

Boston Private Bank & Trust, a subsidiary of the $2 billion Private Financial Holdings, recently hired two full-time staff members devoted to fraud detection and prevention, and formed a committee to coordinate consumer-education efforts. "We're trying to get the word out strongly that [consumers] need to watch their activity," says Maureen McCarthy, director of the bank's Financial Intelligence Unit. But she says the bank has shied away from providing anti-virus software or other computer advice to its customers. "I don't think any bank wants to be in the business of providing computer support to its clients," she says, noting liability issues that could arise.

Nonetheless, software vendors are urging banks to get more involved. "It's important for financial institutions to take a proactive step in getting their customers' PCs protected," says Legelis. Symantec works with several banks that allow customers to check their computers' protection level and even download a Symantec product at a discount-right through the on-line banking site. Users can also install browser plug-ins, such as the "Netcraft" plug-in for Internet Explorer or the "SpoofStick" plug-in for Mozilla's Firefox. Both can alert the user of spoof sites. "You have to attack this problem through the browser," says Andrew Stewart, security practice lead at Intellinet. "The client is the weakest link."

In addition, experts advise banks to adopt multi-factor authentication schemes, such as providing customers with a small device that displays a constantly changing password-to be used in conjunction with the another static password-or, on a smaller scale, simply providing a new password every month in bank statements. Biometric scanners are another option.

"Identity management is really the buzzword of 2005," says Robert Siciliano, a Boston-based personal security expert. "Two-tiered identification is really the way to go." Banks seem to be listening. "It's incredible," says Rami Habal, senior product manager at messaging security firm Proofpoint. "They're on it. [Bankers] understand what the issues are and what the threats are."