Internet banks should combat phishing attacks by using technology to authenticate their websites to their customers, rather than relying solely on customers authenticating themselves to the bank.
Mikko Hypponen, chief research officer at anti-virus company F-Secure, told the WebSec Conference in London last week that this would be the most effective way to cut down on online banking fraud.
"The problem is that the banks do not authenticate themselves to the user. Customers should be allowed to challenge the bank and ask for something only the bank should know," he said.
Phishing attacks and other online fraud cost banks £23.2m in 2005, up from £12.2m in the same period in 2004, according to figures from the Association for Payment Clearing Services (APACS).
Two-factor authentication, a technique which uses smart tokens or other kinds of security to generate one-time passwords, can make phishing more difficult, but in isolation it does not solve the problem, said Hypponen.
Banking websites will still be vulnerable to man-in-the-middle attacks. In these, hackers create spoof banking websites to collect the one-time passwords, before using them on the real banking site to steal funds, he said.
Research by F-Secure revealed that hackers have registered large numbers of websites with similar names to banks and other organisations, with a view to launching attacks.
In the latest variant of the attack, known as pharming, hackers are able to surreptitiously redirect users to a fake banking website when they type in the real web address of their bank. The fake site often downloads graphics directly from the real site.
Banks could detect pharming by monitoring their log files to check for examples of websites downloading their graphics files, said Hypponen.
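The log check Hypponen describes amounts to looking for the bank's own graphics being fetched on behalf of a page it does not host. The following is an added example, not code from the article or from F-Secure: it parses web server access logs in the common "combined" format and flags image requests whose Referer header names a host outside the bank's own domains. The log lines and hostnames are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines in Apache/nginx "combined" format (not real bank logs).
# Line 2 simulates a look-alike domain hotlinking the bank's logo; line 3 has no Referer;
# line 4 is a page request (not a graphic) with a foreign Referer.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2006:10:01:12 +0100] "GET /img/logo.gif HTTP/1.1" 200 4821 "https://www.examplebank.test/login" "Mozilla/5.0"
203.0.113.9 - - [10/May/2006:10:01:15 +0100] "GET /img/logo.gif HTTP/1.1" 200 4821 "http://www.examp1ebank.test/login.php" "Mozilla/5.0"
198.51.100.7 - - [10/May/2006:10:02:01 +0100] "GET /img/header.png HTTP/1.1" 200 9130 "-" "Mozilla/5.0"
198.51.100.8 - - [10/May/2006:10:02:30 +0100] "GET /login HTTP/1.1" 200 1200 "http://evil.example/bank/" "Mozilla/5.0"
"""

# Fields of the combined log format: client IP, identity, user, timestamp, request line,
# status, size, Referer, User-Agent.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
GRAPHIC_EXTS = (".gif", ".png", ".jpg", ".jpeg", ".ico")


def referer_host(referer):
    """Hostname named by a Referer value, or '' when the header was absent ('-') or unparsable."""
    if referer in ("", "-"):
        return ""
    return (urlsplit(referer).hostname or "").lower()


def find_hotlinked_graphics(log_text, own_hosts):
    """Return requests for graphics whose Referer points at a host the bank does not own.

    Requests without a Referer are skipped: browsers and privacy tools routinely omit it,
    so its absence is not evidence of a spoof site.
    """
    own = {h.lower() for h in own_hosts}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line
        if not urlsplit(m["path"]).path.lower().endswith(GRAPHIC_EXTS):
            continue  # only graphics files are of interest here
        host = referer_host(m["referer"])
        if host and host not in own:
            hits.append({"ts": m["ts"], "ip": m["ip"], "asset": m["path"], "referer_host": host})
    return hits


if __name__ == "__main__":
    for hit in find_hotlinked_graphics(SAMPLE_LOG, ["www.examplebank.test", "examplebank.test"]):
        print(hit)
```

The Referer header is client-supplied and a spoof site can copy the graphics instead of hotlinking them, so a flagged host is a lead for the takedown process rather than proof on its own.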
Banks are already waging a war against phishing e-mails by having spoof sites closed down as soon as they are discovered. However, new forms of phishing attack are designed to circumvent these countermeasures.
A customised Trojan discovered this month on the networks of a Japanese bank installed fake web pages directly on the cache of the desktop PC, making it unnecessary to host fake sites remotely, security specialist Andy McKewen of Panda Software said.