Web banking risk down to human error

Mohammed AlZomai, of the Information Security Institute at the Queensland University of Technology, said that one-in-five online transactions is vulnerable despite added security methods such as SMS passwords.

AlZomai explained that the security threat had more to do with human error and the usability of advanced authentication systems than any technical security problem.

"In response to the growing threat to online banking security, most banks have implemented special methods for authenticating a transaction," he said.

"A typical method is sending a one-time password via SMS to the customer's mobile phone for each transaction. The customer must manually copy the password from their phone in order to confirm the online transaction."

But AlZomai maintained that customers were failing to notice when the bank account number in the SMS message was not the same as the intended account number, a clear sign that hackers had infiltrated the system.

As part of the study, the university developed a simulated online bank and asked participants to play the role of customers and undertake a number of financial transactions using an SMS authorisation code.

AlZomai then simulated two types of attack: an 'obvious attack' in which five or more digits in the account number were altered; and a 'stealthy attack' in which only one digit was changed.

"It is worrisome that obvious attacks were successful in 21 per cent of cases, and stealthy attacks in 61 per cent of cases," he said.

AlZomai claimed that the experiment showed that a "significant number" of users were unable to identify the attack.

"According to our study only 79 percent of users would be able to avoid realistic attacks, which represents an inadequate level of security for online banking," he concluded.