By RICHARD WOOD
The public can no longer trust emails claiming to be from banks or other secure services on the internet, following a fraud aimed at the Commonwealth Bank of Australia's NetBank last week.
Banking customers are being warned not to click on hyperlinks in emails that purport to point back to any secure internet service. They are advised to type the URL into the internet browser or use bookmarks.
A hyperlink contains two parts. The visible part is text and can appear legitimate, but the actual internet address (or uniform resource locator - URL) is hidden underneath. This could be an address misleadingly similar to the genuine address, or a numeric IP (internet protocol) address offering no clue as to the site it will take the user to.
The case in Australia used this second method to direct users to a fake bank site that collected the passwords. The fraudster had reportedly accessed a few accounts.
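A check for the two link tricks described above, as an added example that is not part of the original article: it flags links in an HTML email whose real target is a numeric IP address, differs from the address shown in the visible text, or is not on a list of the bank's genuine hosts. The host names, the IP address and the `trusted_hosts` list are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(value):
    """Hostname of a URL, or of bare text such as 'www.bank.example/login'."""
    try:
        return (urlsplit(value if "://" in value else "//" + value).hostname or "").lower()
    except ValueError:
        return ""

def is_ip(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def audit(html, trusted_hosts):
    """Yield (href, reason) for each link a reader should not follow."""
    collector = LinkCollector()
    collector.feed(html)
    for text, href in collector.links:
        target = host_of(href)  # the hidden part: where the click really goes
        if is_ip(target):
            yield href, "numeric IP address"
        elif "." in text and " " not in text and host_of(text) != target:
            yield href, "visible text names a different host"
        elif target not in trusted_hosts:
            yield href, "host is not a known bank address"
# Constructed sample email body; every host and address here is made up.
SAMPLE = """<a href="http://192.0.2.15/netbank/">https://www.bank.example/netbank</a>
<a href="https://www.bankk.example/">www.bank.example</a>
<a href="https://www.bank-secure.example/login">Log in to your account</a>
<a href="https://www.bank.example/help">Help centre</a>"""
```

Calling `list(audit(SAMPLE, {"www.bank.example"}))` reports the first three links and passes the fourth.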
The CBA assured its customers their funds were intact and asked them to change their passwords.
E-crime New Zealand forensic analyst Chris Budge said an email pointing to a service could not now be regarded as normal business practice, and banks would have to take responsibility for providing a secure service.
Internet banking and customer services operations needed more advanced encryption and digital signature systems and to be open with their customers about fraud.
Budge said many users had hidden the URL in their browser to give them more screen space, but it was not then possible to see where the browser was going.
"Be aware of what is happening on your screen. Do not enter personal details unless you are 100 per cent sure. If you are not sure then phone the service."
Clayton Wakefield, general manager technology operations and property at local CBA subsidiary ASB Bank, said the public needed to understand the web was an open communication tool and a lack of security was inherent.
The ASB is introducing a secure email service. Its current policy is not to take instructions across the internet.
It is also building a tiered security system where bigger financial transactions will require higher security.
Wakefield said the public needed to be able to verify the URL was genuine, and watch for unusual behaviour. In the CBA case the email was sent to a person who was not a customer, who became suspicious.
Maarten Kleintjes, national manager of the police electronic crime unit, said that when people connected with secure sites the padlock in the browser should be closed. Clicking on the padlock or opening the security options would show the "certificate" sent by the bank, and who had signed that certificate.
Mike Spring, director of the Centre for Critical Infrastructure Protection (CCIP), run by the Government Communications Security Bureau, said that if the fraud had occurred in New Zealand, the CCIP would have had the site closed.
New Zealand has a 24-hour service to deal with all suspicious online activity.
The public can lodge notifications at the CCIP website.
Fraud guard
* Don't use links in email to banking or similar services.
* Make sure your web address bar is visible in your browser.
* Note the exact spelling of web addresses.
* Learn what the "padlock" certificate should show.
* Avoid giving out personal information online.
* Report any suspicious net behaviour to CCIP.
Beware of emails from the bank