Online Banking Security

I nternet banking is increasingly popular both in Norway and elsewhere. Banks have actively encouraged this cost-saving trend by persuading customers to sign up. Customers, attracted by online banking’s convenience, seem largely unconcerned about identity theft and phishing email scams. In fact, most customers seem to believe that Internet banking is quite safe simply because their banks told them so. In reality, this sense of security might be false. We studied customer authentication methods in several Norwegian Internet banks from 2003 through 2004. Our investigation shows that authentication was often weak, offering simple—but powerful—attack possibilities. (Fortunately, none of the attacks were actually carried out.) Here, we discuss the authentication methods and the attacks they made possible. Our scenarios are based solely on publicly available Internet information. Upon concluding our study, we presented our findings to the Norwegian government agency overseeing the national banking industry. We also engaged in a sustained effort to directly inform the banks most vulnerable to attacks. Our main reason for making this account public is to contribute to the development of more secure Internet banking systems. To further that aim, we speculate on why banks have developed insecure Internet banking solutions in the first place. We also suggest how universities might teach students to design more secure alternatives.