BIZTALK
Tackling online fraud

Banks are having to move swiftly as fraudsters keep pace with advances in electronic transaction technology
Beware! Prevent the person behind you from seeing your password. Beware of swindlers disguised as tourists to deceive you and get your password! Bank customers who use automatic teller machines may have seen these cautionary messages on ATMs.

A personal password for banking business is a crucial code allowing you to enter your account via an electronic machine. Increasingly, however, passwords are becoming a weak link in a vital chain. As payment technology has become much more advanced, financial fraud - and particularly that involving online banking services - has kept pace.

At present, password theft is not very common as it affects ATM use, but banks report an increasing incidence of what is known as "phishing", where their customers are deceived by swindlers into revealing passwords and their accounts are accessed via Internet banking services.

Phishing is a technique to deceive consumers into revealing personal information for purposes of identity theft. The wrongdoers use fraudulent e-mail or instant messages and send them to consumers, making them believe that the fake messages are genuine. They use e-mail messages that look like official correspondence from banks, organisations that provide online business, online retailers and insurance agencies.

The messages may look quite authentic, featuring corporate logos and formats similar to legitimate messages. Typically, they ask for verification of certain information such as account numbers and passwords, saying they are needed for auditing purposes. Because the e-mails look official, many unsuspecting recipients respond to them, particularly if they are travelling overseas. This can result in financial loss, identity theft and other fraudulent acts against them.

As a base for their phishing activities, some swindlers create websites that imitate those of the bank. In Thailand, Kasikornbank has experienced this problem.
The fraudulent websites use names close to the name of the bank's real website, such as www.kosikornbank.com, www.kasikorning.com, www.kasikornbanking.org and www.kasikornbanking.info. The bank's correct website name is www.kasikornbank.com. Customers who contact the fraudulent sites are made to believe that they are in touch with the bank itself. Money transferred to the sites is simply channelled into the swindlers' accounts. Sometimes, the swindlers also cheat by using customers' banking passbooks in the fraud process.

As a result, Kasikornbank's homepage warns customers to be careful and avoid entering fraudulent websites or responding to unexpected e-mail. Moreover, the bank is in the process of upgrading its security system for online banking services by changing its two-factor authentication into a one-time password (OTP) system. It believes the additional security is needed these days for important financial transactions such as cash transfers or payments.

With the existing two-factor authentication system, customers must supply two passwords - PIN 1 and PIN 2 - to access personal Internet banking services. Under the new OTP system, customers' passwords will be renewed for each transaction. On request, the bank will transmit new passwords by SMS messages that will appear on customers' mobile-phone screens.

"The OTP system provides more security to customers than the double PIN system. Therefore it's better if they change to use the new system, although the bank will still allow them to use the existing system for the time being. All important banking transactions via the K-Cyber Banking service will change to the new system soon," said Kasikornbank senior vice president Prayootd Tansrisuwarn.

Although the bank's customers have been cheated by phishing, the loss was not large compared to the total value of its Internet banking service.
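
The lookalike names quoted above for Kasikornbank can be caught mechanically by comparing a hostname with the bank's correct one. The following is an added example, not part of the original article or any bank's system; the typo budget and the two control hostnames are assumptions chosen for illustration.

```python
# Added example: flag hostnames that imitate a bank's legitimate domain.
LEGIT = "kasikornbank.com"  # the bank's correct site, as given in the article

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify(host, legit=LEGIT):
    """Return 'legitimate', 'lookalike' or 'unrelated' for a hostname."""
    host = host.lower().rstrip(".")
    if host == legit or host.endswith("." + legit):
        return "legitimate"            # the exact domain or a subdomain (www.)
    if host.startswith("www."):
        host = host[4:]
    # Simplification (assumption): the first label is the registered name.
    label = host.partition(".")[0]
    brand = legit.partition(".")[0]
    budget = max(1, len(brand) // 4)   # tolerated typos scale with name length
    if label == brand:                 # same name under a different suffix
        return "lookalike"
    if brand in label:                 # brand padded with extra letters
        return "lookalike"
    if edit_distance(label, brand) <= budget:
        return "lookalike"             # a few characters swapped or dropped
    return "unrelated"

# The four fraudulent names quoted in the article, the real site,
# and two constructed controls (last two entries).
SAMPLES = ["www.kosikornbank.com", "www.kasikorning.com",
           "www.kasikornbanking.org", "www.kasikornbanking.info",
           "www.kasikornbank.com", "kasikornbank.org", "www.ktb.co.th"]

def report(hosts=SAMPLES):
    return {h: classify(h) for h in hosts}

if __name__ == "__main__":
    for host, verdict in report().items():
        print(f"{host:28} {verdict}")
```
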
The incidents have provided case studies of hi-tech fraud for other local banks, and many are attempting to educate their customers about phishing on their websites as well as warning them via other channels.

Krung Thai Bank (KTB) has informed its customers about financial fraud by letter, e-mail and SMS messages. The country's largest state-owned bank also cautions its clients to use the Internet with more prudence, saying that they should take care to ensure that they access the correct websites.

"Customers should beware of using fraudulent websites created for phishing. This is the best way to protect us from the problem. KTB's website name has only three letters: www.ktb.co.th. Therefore it's quite easy to check," said KTB senior vice president Dumrong Kaewprasith.

To transfer cash to a third party via the Internet is quite a complicated procedure at KTB, in order to maintain high security. Customers must first apply to become an Internet banking customer. When they want to use the money transfer service, they must identify themselves at the bank's counter or do it via an ATM, so they must first have a savings account and hold an ATM card.

For example, if A wants to transfer money to B, A must give the bank his or her mobile-phone number in order to get an OTP by SMS message from the bank, so he or she can access the money transfer service. This is a double-check system to ensure that the person is the bank's real customer. Then, if A wants to transfer money to C, A must register again via an ATM or at a KTB branch to inform the bank of the new transaction and to receive a new OTP. However, if A wants to transfer money to B again, there is no need to re-register as the first transaction is still on record. Each OTP is auto-deleted within five minutes.

Siam Commercial Bank's (SCB) security system requires that customers wanting to transfer cash to a third person via the Internet must first identify themselves at a branch of the bank.

"The bank's Internet banking service does not allow customers to transfer money to third persons who are not on a list initially provided to the bank by the client. It just says that we do not allow customers to transfer money to strange people," said SCB executive vice president Charamporn Jotikasathira. If they want to add more people to their transfer list, they can do it at any branch of the bank.

He said phishing or creation of fraudulent websites was similar to making fraudulent banknotes, and is an uncontrollable problem for banks. The best way to prevent the problem is to educate customers about it and warn them to use correct websites.

Bank of Ayudhya has also warned its staff and customers about fraud problems. It informs customers on its website that it has no policy to ask customers for personal financial information such as savings account or PIN numbers. The bank monitors its security system carefully and outsources the job of rechecking the system every month. Executive vice president Apirom Noi-Am said the bank had been alerted to the problem of phishing by Bank of Thailand warnings for more than a year.
Somruedi Banchongduang The Nation