We invite you to send your information systems audit, control and security questions to:
HelpSource Q&A, bgansub@yahoo.com; fax: +1.847.253.1443
Or mail to: ISACA Journal, 3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA
My employer, a commercial bank, has recently started online banking for our customers. I have observed a number of phishing attacks in recent weeks impacting our competitors. Since I am slated to audit the online banking application very soon, I wish to hear from you the list of possible controls that I ought to check to make sure that our customers do not become victims of any such frauds. Apart from creating awareness and training customers, can we really do anything? Please let me know your thoughts.
Billions of dollars are lost across the world to phishing-related fraud, and identity theft remains one of the top security concerns. While phishing frauds originate outside the bank and can be deemed external, there are a number of internal controls that a banking institution can put in place.
The first key control is a properly defined e-mail communication policy covering both e-mails sent to customers and e-mails received from them. In some countries the industry regulator requires that customers be able to communicate with their banks by e-mail, so the policy cannot simply forbid the channel.
The tenets of such policies are:
- Do not have any business process that requires the exchange of personal information such as name, date of birth and/or password via e-mail. If a genuine process requiring such an exchange were in place, customers would have no way to distinguish a genuine e-mail from a bogus one. The bank’s web site must clearly tell customers that they must never send e-mails containing personally identifiable information (PII) and must never use e-mail for banking transactions.
- Use the customer’s full name in every communication. Spamming routines that insert the recipient’s full name, rather than a screen name or logon name, are considerably harder to build, so consistent use of full names really helps customers recognise genuine mail.
- Banks should never use hot links (clickable links embedded in the message). For example, e-mail from PayPal directs customers to links that they are expected to click.
- Banks should not use HTML in e-mail. HTML e-mail is certainly more appealing than plaintext e-mail: it can embed web site links, sound, music and animation, which makes it a boon to mass marketing campaigns. However, HTML e-mail carries more inherent security threats than plaintext e-mail. A bank’s e-mail policy must clearly state that all communication with customers will be via plaintext e-mail only.
- Unless there are compelling reasons, e-mail from banks should not include attachments.
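The tenets above can be enforced mechanically at the outbound mail gateway. The following is an added example, not code from the column or from any bank; `check_outbound_policy` is a hypothetical check, and the sample messages and addresses are constructed for it.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Patterns for two of the tenets: no clickable links, no requests for PII.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
PII_REQUEST_RE = re.compile(r"\b(?:password|PIN|date of birth)\b", re.IGNORECASE)


def check_outbound_policy(raw_message, customer_full_name):
    """Return the tenets an outbound customer e-mail violates (empty list = compliant).

    Hypothetical gateway check: plaintext only, no attachments, no links,
    customer addressed by full name, no request for personal information.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    violations = []
    if any(p.get_content_type() == "text/html" for p in msg.walk()):
        violations.append("html_body")
    if any(True for _ in msg.iter_attachments()):
        violations.append("attachment")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if URL_RE.search(text):
        violations.append("clickable_link")
    if customer_full_name not in text:
        violations.append("missing_full_name")
    if PII_REQUEST_RE.search(text):
        violations.append("requests_pii")
    return violations


def build_sample(compliant):
    """Build a constructed sample message (not real bank mail) for the check."""
    msg = EmailMessage()
    msg["From"] = "statements@bank.example"
    msg["To"] = "jane@customer.example"
    msg["Subject"] = "Your March statement"
    if compliant:
        msg.set_content("Dear Jane Doe,\n\nYour March statement is now available "
                        "when you log on to online banking as usual.\n")
    else:
        # Violates every tenet: generic salutation, link, PII request, HTML, attachment.
        msg.set_content("Dear customer,\n\nConfirm your password at "
                        "http://login.bank.example/verify to keep your account open.\n")
        msg.add_alternative("<html><body><a href='http://login.bank.example/verify'>"
                            "Verify now</a></body></html>", subtype="html")
        msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                           subtype="pdf", filename="notice.pdf")
    return msg.as_string()
```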
In addition to these tenets, e-mail authentication systems can help to prevent Internet Protocol (IP) and e-mail spoofing. A bank should have such authentication systems in place for its e-mail exchange.
For the end user to be confident that an e-mail received is from a legitimate source, controls on authentication, verification and traceability must be in place. In the absence of such controls, users may not be able to distinguish a genuine e-mail from a forged one.
There are multiple methods of authentication, such as DomainKeys, Sender ID and Sender Policy Framework (SPF). It is generally believed that the use of dual or two-step authentication standards will help minimize, if not eliminate, phishing attacks.
The authentication methods can be summarized as follows:
- DomainKeys: Checks the header fields containing the digital signature of the message. The system verifies the domain of each e-mail sender in addition to checking the integrity of the message.
- Sender ID: Once the message is transmitted, several sender-related fields in the message header are examined to identify the ‘purported responsible address’.
- SPF: Here the domain name of the initiating SMTP server, in other words the ‘envelope sender’ of the message, is checked. SPF, previously known as Sender Permitted From, is a simple extension of SMTP.
Also worth consideration is the widely used Cisco Identified Internet Mail method of authentication, in which two headers are added to the RFC 2822 message format to confirm the authenticity of the sender’s e-mail address.
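To make the SPF check described above concrete, here is an added example (not code from the column or from any SPF implementation) of how a receiving mail server evaluates the envelope sender’s published record against the connecting IP. `lookup_spf` is a hypothetical resolver backed by a constructed table standing in for live DNS TXT lookups; the domains and addresses are not real.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; these are not real records.
FAKE_DNS_TXT = {
    "bank.example": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 ~all",
}
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF TXT record for a domain (hypothetical offline resolver)."""
    return FAKE_DNS_TXT.get(domain.lower())


def check_spf(envelope_sender, client_ip, depth=0):
    """Evaluate SPF for the envelope sender's domain against the connecting IP.
    Returns pass, fail, softfail, neutral, none or permerror. Supports ip4,
    ip6, include and all; a, mx and exists would need live DNS and are skipped.
    """
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms per check
        return "permerror"
    domain = envelope_sender.rpartition("@")[2]
    record = lookup_spf(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:  # an IPv4 client never matches an ip6 network, and vice versa
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            inner = check_spf("postmaster@" + arg, client_ip, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            continue  # unsupported mechanism: treat as no match
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # record exhausted without a match
```

A receiving gateway would reject on "fail" and typically quarantine or flag on "softfail"; the bank's own policy decides what to do with "none".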
The next consideration is web site development controls that make the site harder for phishers to replicate. Unless it is absolutely necessary to deliver some key functionality, advanced scripting should not be used on a banking site. This rule applies in particular to the components of the site used for authentication and for executing transactions. Likewise, the use of JavaScript comes with its own advantages and disadvantages, and a prudent programming approach is to keep such scripting features to the minimum needed.
With two important areas addressed, namely the secure e-mail communication policy and controls on web site development, the next area to concentrate on is controls relating to user identification and authentication. Identification is the means by which a user professes an identity to a system or an application. Authentication is the means by which that claimed identity is verified.
Different methods are used in different countries. Two-factor authentication is the most commonly used, but many other methods are also in wide use, such as the following:
- Mobile telephony SMS messaging
- Challenge/response secret questions
- Passmark system
- Chip- and PIN-based authentication
- Transactional access numbers (TAN)
- Home Banking Computer Interface (HBCI), a German method
- Financial Transaction Services (another German method)
- Biometrics
- SecurID
Browser toolbar add-ins are another control that can be considered for implementation, though not many users find them acceptable. There are also commercial products and services that detect phishing sites impersonating a bank and alert the original site owner.
As always, this list is indicative only. The bank should also have systems and controls in place to handle any scams that surface.
Author’s Note
Additionally, there are two books that may be helpful: Lininger, Rachael; Vines, Russell Dean; Phishing: Cutting the Identity Theft Line, John Wiley & Sons, 2005; and Anderson, Ross; Security Engineering: A Guide to Building Dependable Distributed Systems, John Wiley & Sons, 2008.
Gan Subramaniam, CISA, CIA, CISSP, SSCP, CCNA, CCSA, BS 7799 LA
is the global IT security lead for a global management consulting, technology services and outsourcing company’s global delivery network. Previously, he served as head of IT security group compliance and monitoring at a Big 4 professional services firm. With more than 16 years of experience in IT development, IS audit and information security, Subramaniam’s previous work includes heading the information security and risk functions at a top UK-based business process owner (BPO). His previous employers include Ernst & Young, UK; Thomas Cook (India); and Hindustan Petroleum Corp., India. As an international conference speaker, he has chaired and spoken at a number of conferences around the world.
ISACA Journal, formerly Information Systems Control Journal, is published by ISACA, a nonprofit organization created for the public in 1969. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.