Security Strategy

Online security - we must remain vigilant

It's like an infinite loop which requires our constant attention...

By Fran Foo

Published: 25 February 2005 10:20 GMT

A recent online theft case highlights the risks of internet banking - and reminds us that security means never letting down your guard. Fran Foo reports from Australia.

Miami businessman Joe Lopez could change the face of internet banking.

Lopez discovered his company bank account was $90,000 short and a quick check online revealed the amount had been transferred - without his knowledge - to a Latvian bank.

Bank of America was duly notified, with Lopez urging its officers to stop the transfer. Unfortunately, it was too late. About $20,000 had already been withdrawn from the Latvian bank account, with the bank freezing the remainder.

After the US Secret Service combed through Lopez's computer, they realised the culprit was a Trojan horse called Coreflood. Seemingly harmless when first discovered in 2001, subsequent variants proved malicious; Backdoor.Coreflood was one example which could give control of infected machines to an attacker.

Not wanting to be left high and dry, Lopez filed suit against Bank of America, claiming it failed to protect him from online theft. The financial institution had allegedly neglected its duty to warn him of the security threat. It was like the bank knew someone else had a key to the vault but didn't warn customers, claimed Lopez's lawyer.

As expected, Bank of America denied all charges, saying the onus lies on customers to install security software, including regularly updating patches.

Some banks in Australia practice a two-pronged security strategy for fund transfers: customers are required to re-enter their password before money can be wired and transactions bear a cap of between AU$1,000 and AU$5,000 per day.

These limits also act as an obstacle for clandestine activities. At the moment, bank tellers are to report suspicious transactions - such as repeat transfers - below AU$10,000 to anti-money laundering regulator Austrac (Australian Transaction Reports and Analysis Centre).

Other authentication methods or devices in the market such as smart cards, USB tokens, password generators and biometric readers are technologically sound, but unwieldiness and cost barriers continue to hamper mass adoption. In terms of user friendliness, Citibank's dynamic PIN-pad login - in which you use the mouse (instead of keyboard) and click on random onscreen digits to form your password - is more likely to catch on with other financial institutions and users.

But history has shown that any system can be beaten. A Malaysian man nearly walked away with around $500,000 before his scam was busted by authorities. Ng Kok Meng used a skimming device, which captures data from a customer's ATM card, to gain illegal access into the account.

Meanwhile, the Lopez vs Bank of America court ruling is still pending. This case holds valuable lessons, primarily that internet banking, while extremely convenient, comes with its fair share of risks.

There's no silver bullet so don't expect internet scams, hackers, Trojan horses and the like to vanish overnight. The challenge for banks and customers to minimise their exposure to losses will continue.

Security is neither about the journey nor the destination. It's like an infinite loop which requires our constant attention.

Fran Foo writes for ZDNet Australia.
