Submission - Joint submission to the 2007 Review of the Electronic Funds Transfer (EFT) Code of Conduct to ASIC (May 2007)

Q4 – What do you see as the main challenges in relation to online fraud over the next few years? Are there trends or developments that the Review Working Group should particularly consider in reviewing the EFT Code?

There has been steady growth in the sophistication of fraud and this is matched by rising complexity in preventing fraud.

Fraud can take place through a variety of technical and social engineering techniques designed to compromise communication channels used to exchange sensitive data or to coax consumers into disclosing this data.

These techniques are constantly evolving. Some common forms include:

  • Phishing
    Phishing involves the use of fraudulent (‘spoofed’) websites that are designed to appear as if they belong to legitimate and reputable businesses and financial institutions.[1] Users are lured to these websites by emails designed to match them. Once at the spoofed website, the user is deceived into providing confidential data such as usernames and passwords.
  • Pharming
    Pharming occurs when a fraudulent party interferes with the domain name resolution process used to map the domain name in a URL requested by an Internet user to its corresponding IP address. Pharming typically takes one of two forms:
    • Firstly, a DNS server can be hijacked and its data modified such that when a user enters the URL of a legitimate organisation’s website, the server maps the domain name to the IP address of a spoofed website, to which the user is then directed.[2]
    • The second form of pharming relies on the fact that end-user computers typically store a hosts file containing the IP addresses of certain commonly accessed domains. The hosts file removes the need for a DNS server to be contacted when the user wishes to visit those domains. A fraudulent party can, in some circumstances, compromise the data in the hosts file so that it points to the IP address of a spoofed website.[3]
  • Man-in-the-middle (MITM)
    Man-in-the-middle attacks take place where a fraudulent party is able to intercept online communications between two innocent parties (such as a website and an end-user). Such attacks may be facilitated through the sending of deceptive emails which contain a link to a proxy server monitored by the fraudulent party. The proxy server undertakes the task of routing communications between the end-user and the actual website the user intends to deal with. Since all communications are routed via the proxy, the fraudulent party is able to covertly read and modify communications made between the website and end-user.
  • Replay Attacks
    A replay attack is an extension of the conventional MITM attack in which the fraudulent party uses data they have obtained by eavesdropping on the communications between the website and end-user to assume the identity of either at a later date.
  • Spyware
    Spyware refers to software covertly installed on an end-user’s machine that then proceeds to monitor and collect information about the user’s activities. More malicious versions may perform tasks such as redirecting users and stealing confidential information belonging to the user and distributing it to fraudulent parties. Common forms of spyware include keystroke loggers, screen loggers and pop-up window generators. Despite the availability of software utilities to detect and remove many types of spyware, it has become an extremely troublesome issue for Internet users. A 2004 survey of US Internet users revealed that 80% of respondents’ computers were infected with spyware, with close to 90% of those respondents being unaware of the spyware’s presence. Another study found that 85 million spyware programs were installed on the computers of a sample of Internet users, a clear indication of the magnitude of the problem.[4]
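As an added, defensive illustration of the hosts-file form of pharming described above (example code, not part of the submission): a small Python check that parses a hosts file and flags any entry that pins a watched financial domain to an address other than loopback. The watched domain names, the addresses and the sample file contents are all constructed for the example.

```python
import ipaddress

# Constructed watch list: domains whose resolution should never be overridden
# by a local hosts-file entry (a bank's own domains, in practice).
WATCHED_DOMAINS = {"bank.example", "www.bank.example"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from hosts-file text.

    Comments (from '#' to end of line) and blank lines are ignored, and a line
    whose first field is not a valid IP address is skipped as malformed.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; not an address
        for name in fields[1:]:
            yield ip, name.lower()


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip) pairs that map a watched domain, or any of its
    subdomains, to a non-local address. Loopback (127.0.0.1, ::1) and the
    unspecified address (0.0.0.0, used for ad blocking) are treated as benign."""
    findings = []
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        if name in watched or any(name.endswith("." + d) for d in watched):
            findings.append((name, str(ip)))
    return findings


# Constructed sample hosts file: two normal entries, one ad-block entry and
# one entry of the kind a pharming tool would add (203.0.113.0/24 is a
# documentation range, so the address is not a real server).
SAMPLE_HOSTS = """127.0.0.1   localhost
::1         localhost
0.0.0.0     ads.example          # harmless ad-blocking entry
203.0.113.45  www.bank.example bank.example   # injected pharming entry
"""

if __name__ == "__main__":
    for hostname, ip in suspicious_entries(SAMPLE_HOSTS):
        print(f"WARNING: {hostname} is pinned to {ip} in the hosts file")
```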

The increasing frequency with which these various attacks have begun to occur has precipitated a need for Internet users to be able to reliably verify the identity of websites they are visiting and the integrity of communications channels they use to communicate with web servers. In response to this need, a variety of authentication approaches have been proposed and/or developed. These are discussed further in the response to Question 30 (Potential Responses to Phishing Attacks and other forms of Online Fraud).

In reviewing the EFT Code, the Working Group should consider the fact that financial institutions are in the best position to implement many of these authentication technologies. This is a factor which largely undermines suggestions that the liability of account holders for losses resulting from online fraud should be increased compared with the current version of the Code.

[1] Black P, Catching a phish: protecting online identity, Internet Law Bulletin, Vol 8 No 10, 2006, page 133.

[2] Keizer G, Possible Domain Poisoning Underway, TechWeb, 4 March 2005, <>.

[3] de la Cuadra F, Pharming – a new technique for Internet fraud, eChannelLine Canada, 7 March 2005, <>.

[4] Commonwealth of Australia, Senate - Official Hansard, 12 May 2005, <>, page 5.