Galexia
             home
       about us
        services
        projects
       research
          contact
» home » research » assets » eft review  

Subscribe to Galexia news and announcements.
More information »

Galexia's specialist management consulting services: Galexia has expert consultants in privacy, authentication, electronic commerce and new technology. We leverage our legal, business and technical knowledge to deliver successful business strategies to a diverse range of clients. Find out more »

[2018 Global Cloud Computing Readiness Scorecard]

2018 Global Cloud Computing Readiness Scorecard
Find out more »

Submission - Joint submission to the 2007 Review of the Electronic Funds Transfer (EFT) Code of Conduct to ASIC (May 2007)

[« previous] [next »] [up] [title page] [full contents]

Q4 – What do you see as the main challenges in relation to online fraud over the next few years? Are there trends or developments that the Review Working Group should particularly consider in reviewing the EFT Code?

There has been steady growth in the sophistication of fraud and this is matched by rising complexity in preventing fraud.

Fraud can take place through a variety of technical and social engineering techniques designed to compromise communication channels used to exchange sensitive data or to coax consumers into disclosing this data.

These techniques are constantly evolving. Some common forms include:

  • Phishing
    Phishing involves the use of socially engineered (‘spoofed’) websites that are designed to appear as if they belong to legitimate and reputable businesses and financial institutions.[1] Users are lured to these websites by congruently designed emails. Once at the spoofed website, the user is deceived into providing confidential data such as usernames and passwords.
  • Pharming
    Pharming occurs when a fraudulent party interferes with the domain name resolution process used to map a URL requested by an Internet user to its corresponding IP address. Pharming typically takes one of two forms:
    • Firstly, a DNS server can be hijacked and its data modified such that when a user enters the URL of a legitimate organisation’s website, the server maps the domain name to the IP address of a spoofed website which the user is then forwarded to.[2]
    • The second form of pharming relies on the fact that end-user computers typically store a hosts file containing the IP addresses of certain commonly accessed domains. The hosts file abrogates the need for a DNS server to be contacted when the user wishes to visit those domains. A fraudulent party can, in some circumstances, compromise the data in the hosts file so that it points to the IP address of a spoofed website.[3]
  • Man-in-the-middle (MITM)
    Man-in-the-middle attacks take place where a fraudulent party is able to intercept online communications between two innocent parties (such as a website and an end-user). Such attacks may be facilitated through the sending of deceptive emails which contain a link to a proxy server monitored by the fraudulent party. The proxy server undertakes the task of routing communications between the end-user and the actual website the user intends to deal with. Since all communications are routed via the proxy, the fraudulent party is able to covertly read and modify communications made between the website and end-user.
  • Replay Attacks
    A replay attack is an extension of the conventional MITM attack in which the fraudulent party uses data they have obtained by eavesdropping on the communications between the website and end-user to assume the identity of either at a later date.
  • Spyware
    Spyware refers to software covertly installed on an end-user’s machine that then proceeds to monitor and collect information about the user’s activities. More malignant versions may perform tasks such as redirecting users and stealing confidential information belonging to the user and distributing it to fraudulent parties. Common forms of spyware include keystroke loggers, screen loggers and pop-up window generators. Despite the availability of software utilities to detect and remove many types of spyware, it has become an extremely troublesome issue for Internet users. A 2004 survey of US Internet users revealed that 80% of respondents’ computers were infected with spyware, with close to 90% of those respondents being unaware of the spyware’s presence. Another study found that 85 million spyware programs were installed on the computers of a sample of Internet users, a clear indication of the magnitude of the problem.[4]

The increasing frequency with which these various attacks have begun to occur has precipitated a need for Internet users to be able to reliably verify the identity of websites they are visiting and the integrity of communications channels they use to communicate with web servers. In response to this need, a variety of authentication approaches have been proposed and/or developed. These are discussed further in the response to Question 30 (Potential Responses to Phishing Attacks and other forms of Online Fraud).

In reviewing the EFT Code, the Working Group should consider the fact that financial institutions are in the best position to implement many of these authentication technologies. This is a factor which largely undermines suggestions that the liability of account holders for losses resulting from online fraud should be increased compared with the current version of the Code.

[1] Black P, Catching a phish: protecting online identity, Internet Law Bulletin, Vol 8 No 10, 2006, page 133.

[2] Keizer G, Possible Domain Poisoning Underway, TechWeb, 4 March 2005, <http://www.techweb.com/wire/security/60405913>.

[3] de la Cuadra F, Pharming – a new technique for Internet fraud, eChannelLine Canada, 7 March 2005, <http://www.crime-research.org/news/07.03.2005/1015>.

[4] Commonwealth of Australia, Senate - Official Hansard, 12 May 2005, <http://www.aph.gov.au/hansard/senate/dailys/ds120505.pdf>, page 5.

[« previous] [next »] [up] [title page] [full contents]

[view all] [download PDF version]

[up to research]

 

Search for:

HERE

PrintVersionprint this page

Sitemapsitemap

Subcribe to RSS newsrss news feed

Manage email subscriptionsmanage email subscriptions

Latest News

September 2019
Register of Public Galexia PIAs. Read more »

September 2019
Updates to Galexia Website. Read more »

September 2019
PM&C / Office of the National Data Commissioner (ONDC) releases Discussion Paper and accepts recommendations from Galexia’s PIA on the proposed Data Sharing and Release legislative framework. Read more »

August 2019
Galexia providing privacy advice and an independent public Privacy Impact Assessment (PIA) on 2021 Census for ABS. Read more »

June 2019
Galexia completes privacy advice and an independent Privacy Impact Assessment (PIA) on the Naval Shipbuilding College Workforce Register. Read more »

view all news items »

[Home] [Sitemap] [Print this page] [Privacy statement]

© Galexia Pty Ltd
Telephone: +61 (02) 9660 1111
Email: [email protected]