Quebec financial institution Desjardins said Monday that it is offering a 100 per cent Guaranteed Secure program to reimburse customers who are fooled by phishing schemes.
The bank has also launched a portal designed to offer customers tips on how to spot and avoid phishing schemes along with a questionnaire so users can gauge for themselves how safe they and their systems are.
Phishing refers to the practice of sending out e-mails to unsuspecting users in order to direct them to fake banking Web sites that collect their financial details. These Web sites are doctored to look like legitimate banking sites and are often so close in appearance to the real thing that they are practically indistinguishable to the untrained eye.
Desjardins is one of several Canadian banks that have found themselves the victims of organized phishing schemes.
Educating users and coaching them on how to avoid phishing is one of the most effective ways to combat the problem. “The idea (behind the portal) was to offer users a way to protect themselves against phishing attacks,” said Sebastien Breton, senior advisor of information security at Desjardins. “The problem related to phishing is not one of technology, it’s what we call a social engineering problem. The target is not our systems but the users.”
Desjardins has had a broad reimbursement policy for some time concerning debit and credit card fraud. “We have been doing that for years. We felt it was time to brand (it). It’s a part of a user’s education to know they are protected,” said Breton.
The bank wouldn’t reveal the amounts it has turned over to customers who have been duped or simply had their information stolen, but the number of incidents is in the hundreds. Before reimbursing a customer, the bank conducts an investigation to determine that the claim is legitimate. Customers must also follow the bank’s online user policies, such as not sharing a password or PIN, and co-operate fully with the investigation, providing information as necessary. André Chapleau, a Desjardins spokesman, said the bank’s investigation team can quickly sniff out any bogus claims. Legitimate claims are dealt with quickly, and customers are typically reimbursed for their losses within a few days.
Numerous North American banks have similar policies, according to Peter Cassidy, secretary general of the Anti-Phishing Working Group, a U.S.-based organization with members including the American Bankers Association and the Brazilian Chamber of e-Commerce.
“Our experience in the States has been that the banks will make people whole when they’re subject to phishing attacks. The costs (to the banks) are usually so marginal that it’s usually not worth squabbling over,” he said.
Neil Schwartzman, chairman of CAUCE Canada (Coalition Against Unsolicited Commercial E-mail), agreed that it’s in the banks’ own interest to reimburse clients who have been stung by phishers.
“It would get very expensive for the banks to hire back all the tellers they laid off in the ’80s when they brought in ATMs and in the ’90s when they brought in Internet banking. Clearly it’s much cheaper to try to put a Band-Aid on the cancer that is phishing,” he said.
But banks may have to re-evaluate their policies as phishers develop new techniques. In the future, they may be able to direct their attacks towards ISPs, fooling their servers into resolving a legitimate Web address to an illegitimate site. The practice is called DNS poisoning. It isn’t here yet, but “it will happen. There’s no question that it will happen,” said Schwartzman.
“When we’re talking a few hundred bucks, it’s no problem. When you’re talking about the customers of a major ISP, we could be talking about hundreds of thousands, perhaps millions of dollars.”
Breton acknowledged that this is a battle that must be waged on all fronts. Desjardins co-operates with international investigations conducted by La Sûreté du Québec and the Royal Canadian Mounted Police (RCMP), since phishing schemes targeted at Canadians often originate in the U.S. or even overseas.
“We provide all the information we have, such as times, logs, fraudulent pages we captured. We give them forensic information (and) they take action where they can,” said Breton.
“This is a never-ending problem. We address it every day.”