State of Security at Australian Financial Institutions

When it comes to safeguarding your money, you would think that banks, lenders and mortgage brokers have their act together. With about 95% of all financial services being delivered over the internet, a significant number of interactions are exposed to tampering by malicious parties, which can result in the loss of large sums of money. The gateway to your money at these institutions needs to be better protected.

There are thousands of examples showing how ordinary Australians are scammed out of their money through the various tricks criminals use. In 9 out of 10 cases, the scam starts with a phishing email or SMS notifying the victim of a supposedly fraudulent transaction on their account. To reverse that transaction, the victim is told to immediately call the phone number at the bottom of the message.

The main reason people fall for this is the sense of urgency being pushed onto them. The amounts mentioned are usually fairly inconspicuous, but large enough to cause some stress. If you receive an email showing a PayPal transaction of $75000, you would most likely not react, as common sense tells you that your spending limit is nowhere near that amount. If, however, the email shows an amount that seems in line with what you hold in your bank account, you may start to worry about what is going on. The easiest step, then, is indeed to call the number in the email.

Take a step back and log into your PayPal account to check whether there actually is a transaction resembling the one mentioned in the email. If there isn't, you can safely assume the email is a phishing attempt. If you're not confident, forward the email you received as an attachment to the provider that is being impersonated. (I used PayPal as an example, but this can be any organisation that shows up in the phishing attempt.)
I said "as an attachment". The reason is that the attachment then contains the full email, including all the original headers and technical information the security people at PayPal or your provider need to see what it is and where it originated from. Those technical details can also be used to inform email providers so they can adjust their systems and prevent further spread of these attempts.

As an example (be aware that the email below is a legitimate one), you would see something like this in your inbox:

If I simply forwarded this to Coinbase, the recipient would only see my email with the content. When forwarding it as an attachment, the security people at your provider would also be able to see the technical information shown below.
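To show what the provider's security people actually get from those headers, here is an added example (not code from the original article) that parses a forwarded message with Python's standard `email` package and pulls out the parts an abuse desk looks at first: the chain of Received hops, the SPF/DKIM/DMARC verdicts, and the From/Reply-To mismatch. The message itself is constructed for this example; every host name, address and IP in it is a placeholder.

```python
"""Triage the headers of a phishing message that was forwarded as an attachment.

Added example, not from the original article. RAW_MESSAGE is a constructed
sample: every host, address and IP in it is a placeholder.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed .eml as an abuse desk would receive it when the victim forwards
# the original as an attachment rather than inline (headers survive intact).
RAW_MESSAGE = b"""\
Received: from mail-relay.example.net (mail-relay.example.net [192.0.2.10])
\tby mx.provider.example (Postfix) with ESMTPS id ABC123
\tfor <victim@provider.example>; Mon, 1 Jan 2024 10:00:00 +0000
Received: from unknown (HELO paypal.com) (198.51.100.77)
\tby mail-relay.example.net with SMTP; Mon, 1 Jan 2024 09:59:58 +0000
Authentication-Results: mx.provider.example;
\tspf=fail smtp.mailfrom=paypal.com;
\tdkim=none;
\tdmarc=fail header.from=paypal.com
From: "PayPal Service" <service@paypal.com>
Reply-To: billing-desk@mail-support.example
To: victim@provider.example
Subject: Your payment of $1,249.00 was sent
Message-ID: <constructed-0001@mail-support.example>
Content-Type: text/plain; charset=utf-8

If you did not authorise this payment, call the number below immediately.
"""


def parse_message(raw: bytes):
    """Parse a raw RFC 5322 message with the modern (non-compat32) policy."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def received_chain(msg) -> list[str]:
    """Received headers oldest-first: each relay prepends its own header, so
    the one closest to the body is the one nearest the true origin."""
    return [str(h) for h in reversed(msg.get_all("Received", []))]


def auth_results(msg) -> dict[str, str]:
    """Pull the spf/dkim/dmarc verdicts out of Authentication-Results."""
    header = str(msg.get("Authentication-Results", ""))
    verdicts = {}
    for clause in header.split(";")[1:]:  # first clause is the authserv-id
        method, sep, rest = clause.strip().partition("=")
        if sep:
            verdicts[method.strip()] = rest.split()[0]
    return verdicts


def triage(msg) -> list[str]:
    """Red flags a provider's abuse desk would spot from the headers alone."""
    flags = []
    verdicts = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) != "pass":
            flags.append(f"{method} did not pass ({verdicts.get(method, 'missing')})")
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2]
    reply_domain = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2]
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    chain = received_chain(msg)
    if chain and chain[0].lower().startswith("from unknown"):
        flags.append("origin host has no reverse DNS: " + chain[0][:60])
    return flags


if __name__ == "__main__":
    message = parse_message(RAW_MESSAGE)
    for hop, line in enumerate(received_chain(message)):
        print(f"hop {hop}: {line}")
    for flag in triage(message):
        print("FLAG:", flag)
```

None of this is visible when the message is forwarded inline: the inline copy carries only the forwarder's own headers, so the Received chain and the authentication verdicts of the original are lost, which is exactly why the attachment matters.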

The main reason scammers go after people instead of the institutions themselves is directly related to where these scammers see themselves in the security triangle (see here). The balance of risk, reward and effort puts them firmly towards the top end of that triangle, so they can reap the benefits without doing much or putting themselves at risk.

So what about the state of security mentioned in the title?

All of the above more or less shows how people are tricked into handing over their details: they are first phished and then fall victim to elaborate social engineering schemes. Unfortunately, banks and lenders do not take enough measures to prevent this from happening. In many cases their security measures are haphazard and outdated, and have proven susceptible to other scams and technical deficiencies.

In the example below, an online lender indicates that transactions need to be validated by entering a code that is sent to your phone via SMS.

It is well known that SMS verification is the least secure form of MFA (Multi-Factor Authentication) (see here for more details on current and new US government guidelines). Many organisations have already warned against using SMS or phone calls as a form of MFA (see here what Okta has to say, and here are some technical articles from the security people at Microsoft: 1 and 2). A small search on the internet will hand you plenty of clues, and anyone with enough incentive can easily follow instructions like those shown over here.

The second issue in my example above is that there is no MFA option to prevent access to the account in the first place. Any scammer who has social-engineered his way into your online account already has a full overview of your personal and account details, balances, transactions and so on. Once he has access to your account, it is a relatively simple task to obtain your SMS codes as well and use them to change limits and submit transactions.

This particular financial institution has an even bigger issue: it only allows passwords between 8 and 14 characters, WHICH CAN ONLY BE NUMERICAL!!!!

A quick test of entering 14 numerical characters into a password checker shows something along the lines of the below.
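The numbers behind that password-checker result, as an added example (not code from the original article): a small Python module that computes the key space of the 8-to-14-digit policy the lender uses, compares it with a hypothetical policy that allows a longer mixed-character password (`MIXED_64`, chosen for this example), and shows that a portal with the digits-only rule rejects a strong passphrase while accepting a weak PIN. The guess rates in the usage block are assumptions, not measurements.

```python
"""Key space of the password policy quoted above next to a longer mixed one.

Added example, not from the original article. NUMERIC_ONLY is the policy the
article describes (8 to 14 digits); MIXED_64 is a hypothetical comparison
policy chosen for this example; the guess rates are assumptions.
"""
import math
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    alphabet: str  # characters the portal accepts
    min_len: int
    max_len: int


NUMERIC_ONLY = Policy("digits only, 8-14 chars", string.digits, 8, 14)
MIXED_64 = Policy("printable ASCII, 12-64 chars",
                  string.ascii_letters + string.digits + string.punctuation + " ", 12, 64)


def keyspace(policy: Policy) -> int:
    """Count of distinct passwords the policy admits, all lengths summed."""
    n = len(policy.alphabet)
    return sum(n ** length for length in range(policy.min_len, policy.max_len + 1))


def entropy_bits(policy: Policy) -> float:
    """Bits of work for an attacker who must try the whole key space."""
    return math.log2(keyspace(policy))


def seconds_to_exhaust(policy: Policy, guesses_per_second: float) -> float:
    """Worst-case time to try every password at the given guess rate."""
    return keyspace(policy) / guesses_per_second


def check_password(password: str, policy: Policy) -> list[str]:
    """Reasons the portal would reject the password (empty list = accepted)."""
    problems = []
    if len(password) < policy.min_len:
        problems.append(f"shorter than {policy.min_len}")
    if len(password) > policy.max_len:
        problems.append(f"longer than {policy.max_len}")
    disallowed = sorted({c for c in password if c not in policy.alphabet})
    if disallowed:
        problems.append(f"characters not allowed: {''.join(disallowed)!r}")
    return problems


if __name__ == "__main__":
    # Assumed rates: ~10 online guesses/s past a rate limiter, ~1e9/s against
    # a leaked database of fast, unsalted hashes.
    for policy in (NUMERIC_ONLY, MIXED_64):
        print(f"{policy.name}: {entropy_bits(policy):.1f} bits, "
              f"online {seconds_to_exhaust(policy, 10) / 86400:.0f} days, "
              f"offline {seconds_to_exhaust(policy, 1e9) / 86400:.2f} days")
    # The strong passphrase is the one the digits-only portal refuses.
    print(check_password("correct horse battery", NUMERIC_ONLY))
    print(check_password("correct horse battery", MIXED_64))
```

Summed over all permitted lengths, the digits-only policy admits about 1.1 x 10^14 passwords, roughly 46.7 bits, which an offline attacker at a billion guesses per second exhausts in a little over a day; the same policy forces the user to pick the kind of value that is also easiest to guess from birthdays and phone numbers.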

Responsibility

Even though the PR people and marketing organisations working for these banks and lenders try to convince you that they take the security of their customers seriously, when it comes to funding and technical solutions you will see that the reality leans to the other side of the spectrum. There are plenty of examples showing that financial institutions do not take security seriously. Transaction verification is only done on BSB and account number; the name of the account holder is not taken into consideration. Unusual transactions are often only checked if they exceed a certain amount, and verification against the customer's transaction history is most often not even considered.
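The two controls this paragraph says are missing, written out as an added example (not code from the original article or any bank's system): a confirmation-of-payee style check that compares the name the customer typed against the registered holder of the BSB and account number, and a history check that flags a transfer relative to the customer's own pattern instead of a fixed dollar threshold. The holder table, the transfer history and the thresholds are constructed for this example.

```python
"""Two controls the paragraph above says are commonly missing: a payee-name
check and a comparison against the customer's own transfer history.

Added example, not from the original article or any bank's system. The
registered-holder table, the history and the thresholds are constructed.
"""
import re
import statistics
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Transfer:
    bsb: str
    account: str
    payee_name: str  # the name the customer typed
    amount: float


# Constructed lookup of the registered account holder for (BSB, account).
REGISTERED_HOLDERS = {
    ("012-345", "12345678"): "Jane Citizen",
    ("062-000", "87654321"): "Outback Plumbing Pty Ltd",
}

# Constructed 90-day history for one customer.
HISTORY = [
    Transfer("012-345", "12345678", "Jane Citizen", 120.00),
    Transfer("012-345", "12345678", "Jane Citizen", 95.50),
    Transfer("062-000", "87654321", "Outback Plumbing", 340.00),
    Transfer("012-345", "12345678", "J Citizen", 150.00),
]

NOISE_WORDS = {"pty", "ltd", "limited", "inc", "co", "the"}


def _normalise(name: str) -> str:
    """Lower-case, drop punctuation and company suffixes before comparing."""
    words = re.sub(r"[^a-z ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in NOISE_WORDS)


def payee_name_check(transfer: Transfer) -> str:
    """Confirmation-of-payee style verdict: match / close / mismatch."""
    registered = REGISTERED_HOLDERS.get((transfer.bsb, transfer.account))
    if registered is None:
        return "unknown-account"
    ratio = SequenceMatcher(None, _normalise(transfer.payee_name), _normalise(registered)).ratio()
    if ratio >= 0.95:
        return "match"
    return "close" if ratio >= 0.75 else "mismatch"


def history_check(transfer: Transfer, history: list[Transfer], multiplier: float = 3.0) -> list[str]:
    """Flags relative to this customer's own pattern, not a fixed dollar limit."""
    flags = []
    if (transfer.bsb, transfer.account) not in {(t.bsb, t.account) for t in history}:
        flags.append("first transfer to this account")
    median = statistics.median(t.amount for t in history)
    if transfer.amount > multiplier * median:
        flags.append(f"amount is {transfer.amount / median:.1f}x the customer's median transfer")
    return flags


def decide(transfer: Transfer, history: list[Transfer]) -> str:
    """Combine both checks into an action for the payment pipeline."""
    name = payee_name_check(transfer)
    flags = history_check(transfer, history)
    if name in ("mismatch", "unknown-account"):
        return "block: payee name does not match the account holder"
    if flags:
        return "hold: " + "; ".join(flags)
    return "allow" if name == "match" else "allow with name warning"


if __name__ == "__main__":
    for t in (Transfer("012-345", "12345678", "Jane Citizen", 130.0),
              Transfer("012-345", "12345678", "Jane Citizen", 5000.0),
              Transfer("012-345", "12345678", "John Smith", 50.0)):
        print(t.payee_name, t.amount, "->", decide(t, HISTORY))
```

The point of the history check is that a $5,000 transfer is ordinary for one customer and a 37x outlier for another; a bank that only looks at the amount against a global threshold cannot tell the two apart, and one that ignores the payee name lets a mule account sit behind a familiar-looking label.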

When things go wrong and customers are scammed, most institutions take only partial responsibility or none at all. You can easily follow the news and see how the various institutions respond. Mostly a small "inconvenience" compensation is paid to the victim, since "he/she is the one who was wrangled into a situation where criminals were able to obtain the required information to suck dry their customers' bank account".

I think every bank or other financial institution should bear 100% of the responsibility for any customer who has fallen victim to criminal activity as a result of negligence in the institution's policies. This should also cover any lack of significant operational and technical precautions they could have taken.

My example above already shows how poor the overall state is at many companies that reap billions of dollars in profit but leave customers hung out to dry when their accounts get raided.

So how can they change that?

Be aware that these companies have large IT infrastructures and entire departments that take care of this. In most cases, however, there is a clear distinction between what the various teams do and what they are responsible for. The primary responsibility of their security teams is to ensure that malicious actors cannot hack into their systems and disrupt day-to-day operations, as that would severely impact the brand and therefore shareholder value. The secondary responsibility is to ensure that policies and transactions stay within the legal framework for that particular service. These are mostly aligned with preventing criminal behaviour such as money laundering and other movements that fall outside the norm. Incidents like the one at Westpac in 2020 (see here) and CommBank in 2019 (see here) are a real problem for these institutions. Not really money-wise, as a $1.3 billion fine is merely a one-year nuisance compared to the roughly $10 billion in net profit they make.

You can rest assured that funding to strengthen defences against that kind of exposure will go to the teams that need to prevent it from happening again. Those funds are therefore withheld from the teams that need to look into the security exposure of your digital entrance to the company.

Any financial institution should increase its efforts to secure its portals to the latest available standards and abandon methods that have been proven to no longer be secure. Sending SMS messages is one of them.

Opting-in for hardware keys

As I mentioned in a few of my previous articles, customers, especially in the consumer and small- and medium-business arena, are particularly susceptible to phishing, social engineering and other criminal activities by malicious actors. Nearly all of these would be eradicated if financial institutions provided their customers with hardware keys that work with their portals, preferably based on open standards like FIDO2 and WebAuthn. It would stop hacking attempts by any third party who has, at some point in time, obtained a customer's username/password combination and tries to wiggle their way into the account via any form of social engineering.

The benefits here are bigger than Mount Everest. For any financial institution, issuing hardware tokens to its customers should be a no-brainer. Removing the social engineering factors, username/password vulnerabilities and dependencies on insecure MFA technologies not only nearly eliminates the risk for their customers but also reduces the need for other, often very expensive, monitoring resources and verification cycles.
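Why a FIDO2/WebAuthn key stops the phished-credential and relayed-code attacks described above, as an added example (not code from the original article or from any WebAuthn library): a small Python model of the assertion ceremony in which the browser, not the page, fixes the relying-party ID and origin, the authenticator only answers for a site it was registered with, and the bank checks challenge, origin and rpIdHash before accepting a login. One assumption is made so the example runs on the standard library alone: an HMAC over authenticatorData || SHA-256(clientDataJSON) stands in for the authenticator's public-key signature, so the relying party here holds a per-credential secret rather than a public key; the origins and credential values are constructed.

```python
"""Model of why a FIDO2/WebAuthn credential cannot be phished to another site.

Added example, not from the original article or any WebAuthn library.
Assumption: an HMAC over authenticatorData || SHA-256(clientDataJSON) stands
in for the authenticator's public-key signature.
"""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


class Authenticator:
    """A hardware key: one credential per relying-party ID, never shared."""

    def __init__(self):
        self._creds = {}  # rp_id -> (credential_id, key)

    def register(self, rp_id):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key  # real WebAuthn would hand out a public key only

    def get_assertion(self, rp_id, client_data_hash):
        if rp_id not in self._creds:
            return None  # no credential for this site: nothing to sign
        cred_id, key = self._creds[rp_id]
        # authenticatorData = rpIdHash (32 bytes) || flags (UP=1) || signCount (4 bytes)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return cred_id, auth_data, sig


class Browser:
    """The user agent derives rpId and origin from the page actually loaded,
    so a look-alike domain cannot claim the bank's identity."""

    def __init__(self, authenticator):
        self.authenticator = authenticator

    def navigator_credentials_get(self, page_origin, challenge):
        rp_id = urlparse(page_origin).hostname
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": page_origin}, sort_keys=True).encode()
        result = self.authenticator.get_assertion(rp_id, hashlib.sha256(client_data).digest())
        if result is None:
            return None
        cred_id, auth_data, sig = result
        return {"id": cred_id, "client_data": client_data, "auth_data": auth_data, "sig": sig}


class RelyingParty:
    """The bank's portal, following the WebAuthn assertion verification steps."""

    def __init__(self, origin):
        self.origin, self.rp_id = origin, urlparse(origin).hostname
        self.creds, self.pending = {}, set()

    def register(self, authenticator):
        cred_id, key = authenticator.register(self.rp_id)
        self.creds[cred_id] = key

    def begin_login(self):
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def finish_login(self, assertion):
        if assertion is None:
            return "no assertion produced"
        client = json.loads(assertion["client_data"])
        if client.get("type") != "webauthn.get":
            return "wrong ceremony type"
        if client.get("challenge") not in self.pending:
            return "unknown or reused challenge"
        if client.get("origin") != self.origin:
            return "origin mismatch"
        if assertion["auth_data"][:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return "rpIdHash mismatch"
        key = self.creds.get(assertion["id"])
        if key is None:
            return "unknown credential"
        signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        if not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), assertion["sig"]):
            return "bad signature"
        self.pending.discard(client["challenge"])  # one challenge, one login
        return "ok"


def scenarios():
    """Genuine login, a replay, and two phishing attempts against the same key."""
    key, bank = Authenticator(), RelyingParty("https://bank.example")
    bank.register(key)
    browser, out = Browser(key), {}
    challenge = bank.begin_login()
    assertion = browser.navigator_credentials_get(bank.origin, challenge)
    out["genuine"] = bank.finish_login(assertion)
    out["replay"] = bank.finish_login(assertion)
    phish = "https://bank-example-login.test"  # constructed look-alike origin
    challenge = bank.begin_login()  # relayed to the victim by the phishing page
    out["phish_no_credential"] = bank.finish_login(browser.navigator_credentials_get(phish, challenge))
    key.register(urlparse(phish).hostname)  # even if the victim enrols the key at the fake site...
    out["phish_relayed"] = bank.finish_login(browser.navigator_credentials_get(phish, challenge))
    return out


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:20s} -> {verdict}")
```

Contrast this with an SMS code: the code carries nothing that ties it to the site it was typed into, so a page that relays the bank's real challenge and collects the victim's six digits wins. Here the relayed challenge yields either no assertion at all or one whose origin field names the phishing site, and the bank rejects it before ever checking the signature.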

A third benefit is market perception: when you have policies in place like the ones I mentioned above, you more or less acknowledge that you don't take customer security seriously. When I asked the customer support team if I could speak with the security department of their web portal about flaws in their method of operation, the only response I received was that message. I immediately transferred all my business to another institution.

Act now

Most financial institutions are really lacking in customer support when it comes to security. They need to step up their game and keep up with the new threats that emerge every day. Allowing outdated authentication, authorisation and verification methods is like walking a tightrope with money that does not belong to you.

Fix this and create a solution that assures your customers that their data and assets are safe.

Kind regards,
Erwin
