Online Banking, What to do about Phishing?

There are three things that allowed me to be Phished.

  • My Stuipidity
  • The Bank/Client Email Link
  • Lack of decent behaviour analysis.

My Stupidity

Slap the cuffs on, guilty as charged. I'm a tech savvy tech professional who was chuckling at 419's before paypal and google were born. (419s are the "Nigerian doctor needs to move money to your country" scams, named after an item in Nigeria's legal code).

Me stupid, say no more.

The Bank/Client Email Link

The security of the internet is drastically less so than the real world, for the same reasons of ontology as makes preventing piracy impossible. Its all just data, no things.

For Phishing to work somebody needs to bring me to a web page. Its as simple as that. (I'm not talking key loggers and packet sniffers, I'm talking pure old school Phishing.)

If we take out the email from the relationship everything becomes much safer. There is no connection that can be exploited between the Phishers and Me and the Bank.

1. Banks can say emphatically to their customers: "We will never ever send you an email."

a. Rather than the more obtuse instructions to "Never enter details in a website from an email" kind of thing.

b. For Phishing to stop it need to b black and white.

2. Once this cultural idea is accepted and permutated people will be much less likely to be stupid.

3. How did the Phishers know my email address and that I had an account with that bank? Again, the fact they had my email address was exploited.

4. Email is the weak link, it’s the fulcrum between phishing and no-phishing.

5. SMS and Voice Phone is offers a different kind, not just degree, of security over email.

6. If we kill the email link, we (banks/clients) don’t really loose any function, we just loose the risk of Phishing and Fraud.

Behaviour Analysis

When i was in Sri Lanka recently I took out some cash and, in the same day, I took out another 20 dollars. My bank rang me on my phone to check that I hadn't been defrauded. Excellent.

When I was phished:

· More money left the account in one go that it ever had before.

· The money went to someone I had never paid before.

· It came from an IP address and cookie hash (I guess) that had never been used before.

Nothing happened.. No 30 second phone call. No SMS.

I know that banks use behaviour analyses and "anomaly spotting" methods, but by definition, these cant be working very well. The logic isn’t hard to program to find most Phishing fraud:

If value of transaction is greater than x and recipient is new to the account and IP is new to the account then pause transaction and investigate.

Its not complex.


By killing the email link between bank and client and using simple rules based anomaly spotting with associated follow up I think that significant Phising could be sent to the past…