There are no 'stick-em-up' dramatics in today's million-dollar bank heists, it simply involves the use of SSL-evading Trojans and refined phishing techniques.
While banks are reluctant to quantify financial losses, Australia's Computer Emergency Response Team (AusCert) admits its own research proves attacks are on the rise.
AusCert general manager Graham Ingram said a false sense of security surrounds SSL encryption, a technology in use right across the financial services industry.
This reliance on Internet browser encryption means banking sessions can be hijacked by Trojans and key-logging programs especially if users engage in lax security protocols and don't use current anti-virus signatures.
The bottom line is that social engineering tricks are circumventing Internet banking encryption.
Ingram said there is a belief that customers are safe and privacy is protected through the use of SSL but "this is not the truth".
His statement was backed up by AusCert's analysis and assessment manager Kathryn Kerr, who said it is a serious issue for any organization offering Internet banking as well as anyone using VPNs or remote work.
Neal Wise, director of security firm Assurance Pty Ltd., said SSL does serve a good purpose but leaves users prone to a "man in the middle"-type attack.
"Unfortunately the only controls a bank can rely on for users to transport data is SSL encryption; it leaves them in an interesting situation having to cover related security issues they have not created," Wise said.
"We will see financial institutions, as part of shoring up their own risks, providing cut-price antivirus and content checking tools for their clients, because right now if someone manages to put a keystroke logger on a client computer, and a banking session gets recorded, banks have to cover that risk and it is not their fault."
While security experts claim Internet banking fraud drains as much as two to five percent of revenue, the financial services industry isn't as forthcoming when it comes discussing online threats, and the Australian Bankers Association (ABA) refuses to comment.
A spokesperson for the Commonwealth Bank of Australia Pty Ltd. said SSL encryption has served them, and their customers well and it is confident it will continue to do so.
The spokesperson pointed out that SSL encryption is a global industry standard.
"We are constantly reviewing and assessing our Internet security measures so that our customers can have the utmost confidence and trust in our service," he said.
Paul Jennings, head of channels and systems management for Westpac Banking Corp., said the latest threats - like phishing - doesn't defeat SSL encryption, only tricks the customer into revealing their identity. He said this occurs before the SSL encryption begins.
"SSL is still required for a secure session, but one cannot rely on it as a panacea to all fraud and security or privacy issues," Jennings said. "We have fraud detection tools, screen high-risk payments, run education campaigns and recommend our customers use antivirus tools so we are quite comfortable with Internet banking security, but SSL encryption is just a cornerstone.'
The National Australia Bank Ltd. (NAB) has taken a more holistic approach to online security. A NAB spokesperson said there is a need for multiple layers of protection between customer and bank transactions - a primary driver behind the move to two-factor SMS authentication - adding there is also a need for consumers to be aware of their own responsibilities when it comes to protecting data and their own PC.
Peter Dowley, Australia and New Zealand Banking Group Ltd. Bank IT security architect, said using SSL encryption for online banking ensures that bulk attacks cannot be conducted by compromising either the Internet backbone or Internet service providers.
"The next vulnerable point is the customer's computer and so attackers have to concentrate their efforts at this point."
Claiming SSL encryption will stand the test of time, Matthew Warren, Deakin University head of the School of Information, said social engineering techniques are shaking customer confidence.
"It does not matter if someone cracks an encrypted SSL key, because it would take so long and by the time it was cracked the data would be worthless," he said.
"While encryption protects the data in transport, spyware can record passwords and e-mail them to another party. The banks need to look at three-tier authentication that includes a swipe card because you cannot rely on a user name and password."