10/07/2008

BNP PARIBAS is a regular phishing victim with less security than Fortis

If you look at their e-security blog you will see that in recent weeks they have had a phishing attempt every single week.

Some things are rather curious:

* as a client who has been so stupid as to fall for it, you can call a call centre, which is fine, but it is not really a service if you have to pay for it.

* it is rather obvious that they did not protect their secure logon page against having its code, graphics and structure copied

* they are being phished by French-speaking phishers, so the phishers are, more or less, a local branch

* they only use a logon and password, which is known to be the least secure form of e-banking authentication. Will Fortis have to downgrade its home banking to this level as well, or will BNP learn from our experience?

14:19 | Comments (2)

Comments

The facts are the facts ... OK Len, I know your motivation and I can only applaud the effort you put in trying to inform everyone on security risks and the general state of information security in Belgium.

I'll take the points you mention one by one.

If the client has been so stupid to step into the phishing trap, you deserve to be paying to contact the callcenter :p

There are of course steps one can take to secure images and code from a page, but if phishers decide that the cost of 'copying' a page is justified, they will do it anyway. I'd be spending my security budget on real security efforts instead of thwarting every single attempt to copy my webpage.

I am not a phisher, and I can't see inside their minds, but I don't think a phisher wakes up in the morning and says to himself "hey, let's send Japanese/Dutch/English mails to customers of that French bank". I assume they gauge their targets and try everything to make as much as possible from every phishing attempt.

Yes, it does strike me that bigger banks (also in the US) choose simple authentication schemes for user authentication. I can imagine that the cost of token distribution increases if you are covering a big geographic area. But it also tells me that there is no significant transaction signing going on, and that is exactly what I like about the Fortis system. Mentioning that Paribas only uses logon and password is a little unfair and it tears the value of your post down. If you check out the login page, it is not just a password, it is a security code that the user controls (issued upon registration but to be changed at will). They also choose not to rely on the keyboard by providing a grid where the numbers are randomly placed (excluding keyloggers and screenscrapers, the latter to some extent).
Their system is not inherently insecure, but it can be improved, and with Fortis I think they just acquired one of the front-runners in e-banking security.

Posted by: domdingelom | 10/07/2008
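The randomised security-code grid the comment describes, as an added example that is not the bank's or the commenter's code: the server shuffles the ten digits under a one-time token, the client sends only the cell positions the user clicked, and the server maps them back and checks a salted hash. A click-logger that captures the positions cannot replay them, because the layout is consumed on first use; the function names, the sample code "4271" and the grid layout are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets

DIGITS = "0123456789"

def enroll(code: str) -> tuple[bytes, bytes]:
    """Store only a salted PBKDF2 hash of the user's security code, never the code itself."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 200_000)

def issue_grid(sessions: dict) -> tuple[str, list[str]]:
    """Server: shuffle the ten digits and remember the layout under a one-time token.
    The grid index is the cell shown to the user; the value is the digit drawn in it."""
    grid = list(DIGITS)
    secrets.SystemRandom().shuffle(grid)
    token = secrets.token_urlsafe(16)
    sessions[token] = grid
    return token, grid

def click_positions(grid: list[str], code: str) -> list[int]:
    """Client: the user clicks the cells showing their digits; only cell indices leave the browser."""
    return [grid.index(d) for d in code]

def verify(sessions: dict, token: str, positions: list[int], salt: bytes, stored: bytes) -> bool:
    """Server: consume the grid (so captured positions cannot be replayed), map the indices
    back to digits and compare hashes in constant time."""
    grid = sessions.pop(token, None)
    if grid is None or any(not 0 <= p < len(grid) for p in positions):
        return False
    candidate = "".join(grid[p] for p in positions)
    return hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 200_000), stored)

def demo() -> tuple[bool, bool]:
    """One genuine login followed by a replay of the captured clicks."""
    sessions: dict = {}
    salt, stored = enroll("4271")                          # constructed sample code
    token, grid = issue_grid(sessions)
    clicks = click_positions(grid, "4271")
    first = verify(sessions, token, clicks, salt, stored)  # True: fresh grid
    replay = verify(sessions, token, clicks, salt, stored) # False: grid already consumed
    return first, replay

if __name__ == "__main__":
    print(demo())
```

As the comment notes, this defeats a keylogger but only partly a screen-scraper, which can still pair each click with the digit drawn under it.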


That is exactly what I am saying. I hope they will use the Fortis system and not vice versa.

Posted by: len | 10/07/2008
