By Jonathan Yarden
In the past decade, the Internet has evolved from a specific resource for IT pros and computer geeks to a daily destination for people all over the world. Recent years have also seen an explosive growth in the online retail arena. These days, many people are just as willing to order a book from Amazon.com as they are to stop by their local bookstore.
Those same people have embraced the Internet as an easy, effective method for paying bills and other banking. However, it's important to remember that there's a vast difference between making technology available and making it secure and reliable.
In an age when people regularly use corporate networks to access Internet banking and payment systems from work, visiting a fraudulent Web site or running a hostile e-mail attachment can result in a compromise of a corporate network behind a firewall system.
In the early days of online retailing, more than a few significant security breaches occurred, most of them credit-card-related. Frankly, I'm still reluctant to do my banking or buy anything online.
It's less than comforting to consider how few users really understand how easy it is to forge an e-mail message, much less an official-looking Web site. Many online vendors require users to register their credit card and banking information, which is really the only way they can operate while preventing massive fraud. Users may assume that this information will remain secure, but history has proven that assumption wrong several times.
If your organization's employees use any online services that require them to register banking or credit card information, they're exposing themselves—and the company—to risk. In addition to just losing account information, falling victim to a worm, virus, or keystroke logger may cost someone his or her job at many companies.
Hackers can often easily dupe users of online payment and banking systems into revealing their account information by sending them official-looking e-mails. But again, e-mail is pretty easy to forge, and even an intelligent user may have difficulty distinguishing an official e-mail from a forgery.
In addition, hackers can alter URLs thanks to a bug in Microsoft's Internet Explorer. And that doesn't even account for hostile attachments that go undetected because antivirus systems haven't been updated.
A number of e-mail-based online banking frauds are currently circulating on the Internet. PayPal, MBNA, eBay, Citibank, and a number of British banks are popular targets.
Don't assume your company's employees are immune to these fraudulent campaigns—they can be quite convincing to a lot of people. Short of implementing a corporate policy that forbids accessing online banking services at work, education is the best solution.
Inform your users about the risks of disclosing account information. In addition, encourage them to investigate the policies of a corporation before using its online financial services.
Online fraud efforts will likely continue to increase, and it wouldn't surprise me to see many corporations begin to establish policies prohibiting any type of online banking from the corporate network. Given the current scams, it's not going out on a limb to say that this is probably the best policy for the near future.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.