By RICHARD WOOD
Online banking is vulnerable to hackers, says the police national e-crime lab manager.
Wellington-based Maartin Kleintjes said he had asked banks to shift from keyboard password entry to a mouse-based system to help avoid surreptitious keyboard logging programs.
Ironically, the BNZ took a mouse-based feature off its website as part of a revamp in May.
Kleintjes, who heads an expanded police unit with 15 staff, said "pay anyone" features were also a concern.
He foresaw armed robbers turning up with notebook computers and demanding money transfers.
"Pay anyone" allows money to be transferred to any bank account. Banks have previously discounted risks in the feature, and most have a daily limit on amounts.
Kleintjes said the need for a change in how passwords were entered was highlighted by a case in Wellington where a hacker got into hundreds of machines and downloaded passwords across the internet.
Passwords entered through mouse clicks were much harder to intercept, he said.
Banks might offer differing levels of security in future as people at home had different needs to businesses, said Kleintjes.
"If you are a small business and dealing with large amounts of money then security is more important than to you or me, and anything through the keyboard is no longer sufficiently secure because of the way it can be captured by hackers."
Another security tactic might be the use of a unique certificate token that plugged into the USB port to identify the authorised user.
Kleintjes was not too worried about an online security break-in reported from Sweden last week.
The Reuters story said an unnamed "Swedish hacking expert" had demonstrated breaking into three major Swedish banking systems and concealing his tracks afterwards.
The hacker exploited a widely known vulnerability in Microsoft's implementation of the Secure Sockets Layer standard (SSL), which is used to send credit card numbers and account passwords.
Kleintjes was not aware of anyone using an SSL vulnerability to break into a bank in New Zealand.
"Technically it's possible but so remotely likely you could write it off."
He said people should be more worried about the way they looked after their passwords, and about Trojan keyboard logging programs that spied on passwords via the internet.
"The weak link is your personal computer at home, not the bank's computer."
Kleintjes said banks were monitoring the SSL situation and waiting for Microsoft to come up with a solution.
In the meantime they had other layers of security, including behaviour analysis systems that detect variations in people's normal online banking.
Other New Zealand experts agreed, saying they found it hard to believe the Swedish story's claims of gaining access to the bank site's root directory, and therefore to customer accounts.
Peter Benson, security group manager for IT firm EMS Global, which has a number of clients in the financial industry, said it was "nonsensical" and wondered about the credentials of the hacker.
Breaking the SSL session was quite trivial and worrying, he said, but "the ability to break open the bank's web servers and do unauthorised transfers of millions of dollars and access everybody's accounts, that just doesn't happen."
Other weaknesses would have to be used, which banks already took seriously.
New Zealand banks were "reasonably tight", said Mr Benson.
Mark Peterson, the National Bank's head of online banking, said it was checking the Swedish story and there was no cause for concern.
"From what we understand it's still a very hard thing to create."
Password security for online banking queried