In an effort to combat the ongoing threat of phishing schemes, one of Canada’s top financial institutions has implemented a tool that its customers can download to help prevent fraud when banking online.
TD Canada Trust on Monday announced it is offering Symantec Norton Confidence Online free to its EasyWeb customers. Confidence Online, which borrows technology from Symantec’s Norton Confidential, uses a combination of “black list” and heuristics models to detect phony URLs.
“The tool will interrogate those sites looking for things that look like a fraudulent site using (criteria) such as graphics and language,” said Jeff van Duynhoven, vice-president, electronic banking, TD Canada Trust.
Graphics and language are among over 100 different components that the software is pre-programmed to look for to verify if the Web site matches that of an authentic TD Canada Trust Web site, said Bill Rosenkrantz, director of product management, consumer products and solutions, Symantec.
“In the case of heuristics, they are very effective against emerging phishing attacks,” said Rosenkrantz.
He added that black lists or block lists are only as effective as the last update. Confidence Online incorporates TD Canada Trust’s list of bad URLs and Symantec’s own list from its phish report network but relies heavily on heuristics to provide continuous updates.
The solution, which is hosted through Symantec, features an administrative console that operations and security employees at the bank can access to update the list.
While no other Canadian banks are currently using this technology, Mary Kirwan, principal of Headfry, a Toronto-based IT security consulting firm, said this type of technology is something U.S. banks have looked at before.
“Where the customers are concerned is to what extent that guarantee has got real legs in it,” said Kirwan.
To that end, Rosenkrantz said the Federal Financial Institutions Examination Council in the U.S. has recommended that banks there implement two-factor authentication solutions to protect their customers who bank online. On this side of the border, TD Canada Trust’s van Duynhoven said while the major financial institutions hold forums to discuss how to prevent online banking fraud, there’s nothing consistent across the board.
“There’s not a cooperative effort in terms of one method to stop phishing or to stop fraud and protect customers,” he said.
TD Canada Trust and two other banks have recently introduced security guarantees to protect customers in the event of lost funds due to scams such as phishing. TD’s policy, for example, states that it will not hold the customer liable for electronic transactions in cases where they have been a victim of “fraud, theft or have been coerced by trickery…” In that case, customers will receive 100 per cent reimbursement. However, they will not be compensated in the event that they were careless with their personal banking information, said van Duynhoven.
“The only stipulation is you haven’t told somebody what your ID and password are,” he said.
But Kirwan, who is also a lawyer, said the use of words like “careless” or “improper handling” can give the banks some leeway if the case ever went to court.
“They are leaving a little bit of room in terms of this voluntary disclosure of the password,” she said.