Internet banking under scrutiny after hacker accesses accounts

The hacker did his (or her) illegal work at an internet cafe. Herald file picture

Police, a consumer-watchdog and two major banks are warning people to be extra cautious in using the internet for banking.

Police e-crime national manager Marten Kleintjes said yesterday internet banking was becoming increasingly risky and many banks needed to tighten security for such services.

The warning follows the discovery a hacker had installed software at a Wellington internet cafe, and thus gathered the usernames and passwords of people banking on-line at the premises.

It took the hacker three minutes to install the hidden software last month, and in the following weeks he gained access to accounts with balances totalling more than $500,000, the Sunday Star Times reported.

By using a widely available key-logging programme -- that recorded every key typed on a computer -- when a bank's web address, customer ID and password were entered, they were automatically saved and emailed to the hacker.

Mr Kleintjes warned : "If people lose confidence in on-line services at this stage it will be much harder to get them back. "

Consumers' Institute director David Russell said people needed to be vigilant at tracking internet banking transactions, and while some banks had improved security, others needed to do something fast.

BNZ spokesman Zaman Toleafoa told National Radio people needed to ensure the computer they were using was safe when they did internet banking, while Westpac spokesman Paul Gregory said in New Zealand it was hard for internet criminals to get any money out of the on-line banking system.

"We would agree it's very, very important for people to be aware of how important their security details are, but we would disagree that internet banking is unsafe," Mr Gregory said.

Mr Kleintjes said a solution would be for all banks to move to a "two-factor identification" system.

Under such a system, customers are given both an ordinary password and a new security password for each internet banking session.

Two-factor identification could involve customers being sent a text message with a password that was only valid for the transaction being carried out, Mr Kleintjes said.

ATM machines had been so successful for that reason because security was based on something people had -- their card -- and something they knew -- their password.

- NZPA