Threats made last week by a hacker to access Commonwealth Bank accounts have raised fresh concerns about the risks of e-commerce.
Known as Mr Williams, the hacker claimed to have access to a CBA customer's PC and could access 50,000 customer accounts through the bank's QuickLine system.
CBA's head of group security and investigation, John Geurts, told Computerworld he actually spoke to Williams, who said there was a flaw in the QuickLine system, which provides access to a user's PC to view payment details by analysing downloaded code.
Geurts admitted there are "some security issues our customers may face, which PricewaterhouseCoopers is investigating".
"Bank and personal details sit on a user's PC as encrypted data and there may be some issues to address but this will not be determined until PwC completes its review." Geurts dubbed the security issue "low risk" but said the bank would still look at it "seriously".
The claim by Williams that he had access to 50,000 accounts was incorrect, Geurts added.
Commenting on the well-publicised threat, a Westpac spokesperson said strong encryption is used on all data traffic so a user's password is not even viewed within the organisation.
The spokesperson would not comment on the possibility of a hacker accessing a user's own PC, but said that Westpac had never been successfully penetrated.
On the question of attempted breaches, the spokesperson was not forthcoming. "Without releasing any details, Westpac has strict levels of security on internet banking. Logs into firewall are checked every day."
Dean Kingsley, a security practice leader at Deloitte, said most hackers attempt to breach the system through the network layer, which is easier to identify. Kingsley said the CBA threat does raise concerns about Internet fraud since up to 20 per cent of hackers try to steal or forge a real user's identity.
"An automated system to deal with this is difficult and a manual one is impossible but the emergence of more intelligent monitoring tools at the application level can address the problem," he said. "Application monitoring tools can tell if user X has accessed his or her account for an unusual amount of time. The problem is that monitoring tools generate so many false alerts that people just ignore them.
"Another concern in the area of fraud is the issue of authenticating identity, where a hacker rings a help desk and pretends to be the user with enough personal data to reset the password and access the account. This is a procedural issue that involves appropriate staff training."
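Kingsley's point about application-level monitoring and alert fatigue, as an added example that is not from the article or from any bank's system: a per-user baseline of session length built over constructed session records, showing how the alert threshold trades a caught anomaly against false alerts that would train staff to ignore the tool.

```python
from statistics import median

# Constructed sample of application-level session records: (user, login time, minutes).
# alice normally spends a few minutes; one 95-minute session at 02:14 is the anomaly.
SESSIONS = [
    ("alice", "2001-03-01T09:00", 6), ("alice", "2001-03-02T09:05", 5),
    ("alice", "2001-03-03T08:58", 7), ("alice", "2001-03-04T09:10", 6),
    ("alice", "2001-03-05T09:02", 8), ("alice", "2001-03-06T02:14", 95),
    ("bob", "2001-03-01T12:00", 30), ("bob", "2001-03-02T12:30", 25),
    ("bob", "2001-03-03T11:50", 35), ("bob", "2001-03-04T12:10", 28),
    ("bob", "2001-03-05T12:20", 32), ("bob", "2001-03-06T12:05", 40),
]

def baseline(durations):
    """Median and median absolute deviation: robust to one outlier in the history."""
    m = median(durations)
    mad = median(abs(d - m) for d in durations) or 1.0  # never use a zero scale
    return m, mad

def flag_unusual(sessions, k=3.0, min_history=4):
    """Flag sessions far longer than the same user's own past sessions.

    The baseline for each session uses only that user's earlier sessions, so an
    anomalous session cannot inflate its own threshold. k is how many MADs above
    the median counts as unusual; a small k raises more alerts, most of them false.
    Returns (user, timestamp, minutes, threshold) for each alert, in time order.
    """
    history = {}
    alerts = []
    for user, ts, minutes in sorted(sessions, key=lambda s: s[1]):
        past = history.setdefault(user, [])
        if len(past) >= min_history:
            m, mad = baseline(past)
            threshold = m + k * mad
            if minutes > threshold:
                alerts.append((user, ts, minutes, round(threshold, 1)))
        past.append(minutes)
    return alerts

if __name__ == "__main__":
    # k=3 also fires on ordinary variation (alice 8 min, bob 40 min); k=6 keeps only the 95-minute session.
    for k in (3.0, 6.0):
        print(f"k={k}:", flag_unusual(SESSIONS, k=k))
```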
Kingsley said that most security breaches are the result of procedural failure or human error, rather than technology.
"Once the technology has been implemented, however, the system bugs are amplified every day, which is why regular penetration testing is important. Hackers exploit all known bugs."