The first bank to offer online banking to its customers was not one of the major banks in the USA. Online banking was launched in 1980 in the metropolitan area of Düsseldorf. The pilot project was initiated by the small bank Verbraucherbank GmbH, which has sunk into oblivion since it was taken over by Norisbank in 1984.
In the mid-1970s Verbraucherbank GmbH developed a customer self-service system with terminals in counter areas. This enabled customers to carry out banking transactions in the branches even outside of business hours. What is self-evident today was a sensation at the time. Working men and women could still withdraw money or carry out transactions even after the branch officially closed at 4 p.m. Given that the typical business hours at the time were less than favourable, the service started in Düsseldorf was tantamount to a revolution.
Verbraucherbank’s service required a customer card that was operated via a PIN TAN process. This way, the bank created a security mechanism that is still in use in online banking today. But Verbraucherbank was aiming to make it even easier for its customers to carry out banking transactions. When the Deutsche Post BTX service entered its test phase in 1980, Verbraucherbank offered a special service to participants in the Düsseldorf metropolitan area: bank transactions that could be carried out from home via BTX. Customers could carry out transactions using an access number and a key code – similar to today’s login and password. Each transaction had to be verified and confirmed with a single-use transaction number – today we use a TAN or mTAN. After the official launch of BTX in 1983, many other banks and savings banks introduced online banking.
In its initial years, online banking was astonishingly safe, not least because of the somewhat long-winded connection process. For BTX, special terminals were issued to consumers by Bundespost (later Telekom). They connected to the telephone network via an integrated modem or even an acoustic coupler. With this direct connection to the bank computer via a network statutorily operated by Telekom, it was almost impossible for intruders to carry out criminal activities. There are no recorded instances of customers' transactions being intercepted.
The spectacular case of the Chaos Computer Club (CCC) in 1984, during which the Hamburger Sparkasse was relieved of 134,000 DM (about € 67,000), was based on a different principle. In this case, value-added services were commissioned in the name of the Sparkasse rather than a customer account being specifically attacked. CCC intercepted the ID for the Sparkasse in the BTX data stream and used it to call a self-defined value-added number. In this way, with every call the bank credited a specific amount to the CCC account. This case demonstrated that criminals would have a clear opportunity of infiltrating the then revolutionary service of electronic banking.
Only when BTX was shut down in 1999 did the first online banking access spring up on the Internet. Because of the great success of BTX banking, the service was continued via computer as T-Online Classic until 2009, in parallel with Internet banking. By 2005, 30 percent of all bank customers worldwide were already using online banking services. This led to the increased presence of online banks that did away with branches altogether and provided customers with access to bank transactions exclusively via the Internet. The data was and still is transferred between the banks' servers and the customers via the Internet, although it is very effectively protected via SSL encryption.
Criminals therefore prefer to use simpler methods to access customer data. So-called phishing sites are an easy way for online criminals to exploit human vulnerability. This involves setting up a fake bank site that looks uncannily like the original. Customers are then asked via email to enter as many transaction numbers as possible on this supposed bank site. This trick appears obvious at first glance, but because of the large number of online banking users the scam enjoys a certain level of success. According to Statista, in 2014 some 54 percent of the total of 20.5 million customers with current accounts in Germany carried out banking transactions online. A study by Google in cooperation with the University of San Diego in 2014 (source: http://www.slashgear.com/phishing-scams-45-successful-according-to-google-study-08354678) demonstrated that the most successful phishing sites achieved a hit rate of 45 percent. This means that 45 percent of individuals receiving an email with a phishing link clicked on it. Given this figure, it soon becomes clear that even in the early years of online banking this was the simplest and most lucrative way for criminals to get their hands on users' money relatively easily.
Not least because of these experiences, additional security mechanisms were introduced after 2005. As the success of phishing fraudsters was based on as many transaction numbers as possible being picked up and successively used, an expiry date was introduced for TANs. A TAN is valid for only ten minutes after it has been requested in the online banking environment. This prevents quantities of TANs stolen via phishing from being used one after the other for criminal activities. mTANs that are sent directly to the user's mobile phone are based on the same idea.
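An added illustration, not G DATA's or any bank's code: a minimal Python model of the on-request, ten-minute, single-use TAN described above, showing why a batch of TANs collected by a phishing site can no longer be worked through one after the other. The class and function names, the six-digit TAN format and the account string are assumptions; the clock is passed in as a parameter so the run is deterministic.

```python
import hmac
import secrets

TAN_VALIDITY_SECONDS = 10 * 60  # the ten-minute window the article describes


class TanService:
    """Issues a TAN on request and accepts it once, inside the validity window."""

    def __init__(self):
        self._pending = {}  # account -> (tan, issued_at)

    def request_tan(self, account, now):
        # A new request replaces any earlier, unused TAN for the account.
        tan = f"{secrets.randbelow(10**6):06d}"  # assumed six-digit format
        self._pending[account] = (tan, now)
        return tan

    def confirm(self, account, tan, now):
        entry = self._pending.get(account)
        if entry is None:
            return "rejected: no TAN requested"
        expected, issued_at = entry
        if now - issued_at > TAN_VALIDITY_SECONDS:
            del self._pending[account]  # expired TANs are discarded
            return "rejected: expired"
        if not hmac.compare_digest(expected, tan):  # constant-time comparison
            return "rejected: wrong TAN"
        del self._pending[account]  # single use: consumed on success
        return "accepted"


def replay_harvested(service, account, harvested, start, interval):
    """Submit TANs collected earlier, one after the other, `interval` seconds apart."""
    return [service.confirm(account, tan, start + i * interval)
            for i, tan in enumerate(harvested)]


if __name__ == "__main__":
    svc = TanService()
    acct = "constructed-account-0001"  # constructed sample value
    # Two TANs the customer requested and then typed into a fake site.
    stolen = [svc.request_tan(acct, now=0), svc.request_tan(acct, now=30)]
    # Both are submitted fifteen minutes later and both fail.
    print(replay_harvested(svc, acct, stolen, start=900, interval=5))
    # The customer's own request, confirmed a minute later, goes through once.
    tan = svc.request_tan(acct, now=1000)
    print(svc.confirm(acct, tan, now=1060), svc.confirm(acct, tan, now=1070))
```
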
Online banking has developed rapidly in recent years because of its wide acceptance among more than half of current account holders in Germany. In parallel with this, the criminals have refined their methods for cheating unsuspecting bank customers out of their money. Man-in-the-middle attacks are especially pernicious in this regard. This sort of attack involves the current data in a user's infected browser being diverted without them noticing. The only solution is similarly sophisticated protective software that detects these attacks and proactively stops them in real time.
So what does the future hold in store? Efforts are currently being made to interlock traditional online banking more closely with payment services such as PayPal, thus providing customers with greater convenience. In addition, protection for bank customers during transactions on the Internet is expected to be improved, making it more difficult for criminals to get their hands on unsuspecting users' money. Furthermore, personal finance management as a whole has come into the focus of online service providers, so all financial transactions can be carried out and monitored from a single interface. Exciting times still lie ahead!