Experts Suggest Alternatives to Banking E-mails

Banks and computer security experts are not agreeing on the issue whether banks can use e-mails to communicate with their customers. They feel it is unsafe because online criminals use this medium to hijack systems by duping online banking users into disclosing their login details.

Around October end this year, Citibank Australia sent an e-mail to inform its customers that since the bank was revamping its online security system, they should update their login particulars on the bank's website. At the time Citibank was distributing this legitimate e-mail, there were some ongoing phishing attacks also.

In some recent statements, security firm Sophos emphasized on banks to be cautious. They should halt sending e-mails to its customers to disable any temptation for phishers. However, banks can send useful e-mail communications but with proper security measures and ensure that the messaging pattern is consistent. This will help customers to distinguish between legitimate e-mails from their banks and phishing e-mails.

Sophos' 'senior security analyst' Ron O'Brien said that financial institutions needs to maintain proper network security and consistent messaging so that customers are not doubtful about the authenticity of the message.
The easiest way for online banking users to differentiate between phishing e-mail and a genuine e-mail from their bank is to search for misspellings and wrong grammar.

Unfortunately, fraudsters can use the Citibank's flawless e-mail as the best template for future phishing attacks.

The Australian bank's e-mail provided customers with even more security by applying on a new sign-on procedure. It asked them to go to Citibank's website and update their logins by entering their ATM number, pin and account numbers - all of which are popular signs of a phishing attack. Citibank wrote a warning at the bottom of the message saying that the bank would never ask customers such information via e-mail. This appeared contradictory to the bank's request.

In the opinion of Neil Campbell, a 'national security practice manager', banks should refrain from communicating with their customers via e-mail. Rather, they could post the message on their Internet banking site. The online banking users should be able to read them before or after they logon, preferably after.

Related article: Experts Find Two Vulnerabilities in Firefox

» SPAMfighter News - 11/22/2006