Counterfeit Bank of China websites loot online banking customers' funds; the "E-token" dynamic password comes under question

Over the past month, many Bank of China online banking customers have lived through the "300 seconds of tears": an account's funds looted in an instant by a phishing website. Monitoring data from the China Internet Information Report Center show that reports of online banking theft have surged recently, and that fake Bank of China sites in particular have multiplied, to nearly 70. Online banking fraud aimed at Bank of China is rising fast and has spread across the country with surprising speed.

    For a time, Bank of China stood at the center of public opinion and had to face questions about, and a test of, its security.

  Counterfeit Bank of China online banking fraud cases explode

    On January 13, 2011, Mr. Wang Yan (a pseudonym) of Nanjing suddenly received a text message on his mobile phone: "Dear E-token online banking user, your E-token is about to expire. Please upgrade it as soon as possible. We apologize for any inconvenience. For details call 95566 (Bank of China)."

    Mr. Wang is a Bank of China online banking user. He told reporters: "the bank's customer managers often send text messages to remind users about business." So although he noticed the message came from an unfamiliar mobile number, he did not doubt it. He went to his computer, opened the "Bank of China" website given in the message, saw nothing unusual, and, following the page's prompts, entered his username, password, the randomly generated E-token dynamic password and other details; the page then reported that the upgrade had succeeded. After leaving the page Mr. Wang suddenly felt something was wrong. He logged in again and found that 1,000,000 yuan had been transferred out of his account.

    Coincidentally, Mr. Huang of Shenzhen had the same experience: his deposits were transferred out in four transactions, leaving only a fraction. A businessman in Shaoxing was cheated of nearly 2,000,000 yuan by the same method.

    The victims told Financial Weekly reporters that such cases have become almost rampant in the Jiangsu and Zhejiang area recently. Nationwide, the amount involved should be close to 100 million yuan, and a conservative estimate puts it at more than 40 million yuan. Cases involving more than a million yuan are not rare.

    How much client money fake Bank of China phishing sites have eroded over the past month is hard to establish precisely, but public information confirms the seriousness of the situation. According to incomplete statistics, between January 10 and 20 alone Jiangsu province saw hundreds of such cases and Zhejiang province nearly 50, involving a total amount of. Statistics from the Kingsoft Network Security Center show that more than 50,000 users have visited Bank of China phishing sites.

    It is understood that the criminals' modus operandi in the cases above runs in the same groove. The victim receives a text message from an unfamiliar mobile number saying that the bank's dynamic password is about to expire and should be upgraded as soon as possible on the "Bank of China" website. Once the victim logs in on the site named in the message, the username, password and E-token dynamic password entered there feed into the phishing program, and the money in the online banking account is transferred away within a few minutes.

  The E-token's design suspected of hiding security flaws

    Fraud through phishing websites has long been heard of, and many banks face the same problem, so many people wondered why it was concentrated so heavily on Bank of China.

    Hao Zhichao, assistant director of the China Internet Information Report Center, said in an interview: "Some say the bank's system may have a problem, and that the E-token dynamic password has been used by criminals. The China Internet Information Report Center has urged Bank of China to further improve its online banking business processes so as not to give criminals an opening."

So what exactly is the problem with the E-token?

    A responsible person at the China Financial Certification Center told the reporter that user-side online banking security tools currently fall into three kinds: digital certificates, dynamic password verification and mobile phone verification. The most widely used and most secure is the digital certificate, usually stored in a USBKey (commonly called the "U shield"). When logging on to the bank's site to transact, the user inserts the USBKey into the computer, which is equivalent to showing the bank a "network ID".

    The USBKey hardware itself has a PIN code, the equivalent of a bank card password; after inserting the USBKey, the user can operate it only after entering the PIN. The certificate in the USBKey contains not only the user's identity information but also a special piece of data unique to the user, technically called the "private key", which is different for every user. Each time the user makes an online banking transaction, the key transaction details are sent to the USBKey and electronically signed inside it. In short, as long as the USBKey stays in the user's hands, it is very hard for hackers to intercept the password, and even if they did it would be hard to complete a transfer. China Merchants Bank and ICBC currently use USBKey-based security tools.

    Bank of China, by contrast, chose to protect users with dynamic passwords. A dynamic password is a one-time password. The principle is that the user's device produces a randomly varying password by a specific calculation while the bank produces the same password on its side; the user logs on to online banking with that password, the two are compared, and if they match the user is verified and may carry out the next operation.

    The "E-token" is in fact an "electronic dynamic password generator", a hardware dynamic password card launched by Bank of China. It consists of a built-in power supply, a password generation chip and a display. Following special calculation rules it automatically produces a new dynamic password every 60 seconds, and the user must enter it within those 60 seconds to keep the operation safe. However, most cases in this round of online banking fraud used the "Bank of China E-token" as their pretext, and many users have questioned whether the so-called dynamic security of the E-token now exists in name only.

    Bank staff responded that the security of the bank's personal online banking has been approved by the relevant state departments as safe and reliable, and that the fraud occurred mainly because users logged in to fake websites and had their passwords and dynamic passwords cheated out of them, not because of the design of the online banking itself.

    That may not be the whole story.

    Look first at the security system of Bank of China's online banking. Most banks use multi-factor, multi-channel authentication and set the security level high. Before the large-scale "phishing cases", Bank of China's online banking offered only the dynamic password as a security tool, and its protective measures were relatively simple; many customers had questioned this, and only in the recent improvement was an SMS authentication step added.

    Now look at the dynamic password the bank pushed as its main security tool. Experts at the China Financial Certification Center note that although a dynamic password changes, it remains valid for a certain period, usually about 1 minute. That one minute is exactly what gives criminals their opportunity. The victims mentioned above also voiced their dissatisfaction with the dynamic password: "One minute is enough for skilled people to complete the whole operation of this crime; the dynamic password security tool itself has a problem."

    Yet among domestic mainstream banks, only Bank of China and China Everbright Bank rely on the dynamic password alone, and Everbright has won a good reputation for user experience, with similar phishing attacks rare.

    An industry expert who declined to be named said the problem lies not in dynamic passwords as such, but in an obvious loophole in the design of Bank of China's dynamic password scheme.

    He said that with Everbright Bank's dynamic password generator, named the Sun Token, the user must enter a random password when logging in, and a transfer additionally requires re-entering a transfer password set up in advance, giving two lines of defense. Previously, Bank of China's online banking required only the dynamic password to complete a transfer, so once a phishing site intercepted it or the password card was lost, the account's safety was hard to guarantee.
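The dynamic password principle described above (token and bank independently computing the same 60-second code) and the contrast with the Sun Token's second line of defense, as an added Python simulation that is not code from the article, from Bank of China or from Everbright Bank; the shared secret, the timestamps and the HMAC-over-time-counter construction are assumptions chosen for illustration. It shows why a code handed to a phishing page passes a plain login check for the rest of its 60-second window, while a code bound to the intended payee and amount does not validate a transfer to anyone else.

```python
import hmac, hashlib, struct

# Constructed shared secret and time step; a real token's values are not on the page.
SECRET = b"constructed-shared-secret-not-a-real-token-key"
STEP = 60  # the article says the token rotates its code every 60 seconds

def otp(secret: bytes, t: int, extra: bytes = b"") -> str:
    """HMAC-based 6-digit code over the current 60-second counter.
    With extra == b"" it is a plain time-based password: the token and the
    bank compute the same value independently, which is the principle the
    article describes. With extra set to transfer details the code is
    bound to that one transfer and is useless for any other."""
    counter = struct.pack(">Q", t // STEP)
    digest = hmac.new(secret, counter + extra, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

def bank_accepts_login(code: str, t: int) -> bool:
    """Bank side: compare the submitted code with its own computation."""
    return hmac.compare_digest(code, otp(SECRET, t))

def transfer_binding(payee: str, amount: int) -> bytes:
    return f"{payee}|{amount}".encode()

def bank_accepts_transfer(code: str, t: int, payee: str, amount: int) -> bool:
    """Bank side: the confirmation code must match this exact payee and amount."""
    return hmac.compare_digest(code, otp(SECRET, t, transfer_binding(payee, amount)))

def demo(t: int = 1_294_900_020):  # constructed timestamp on a 60-second boundary
    # Whoever holds the current login code within the same 60-second step
    # passes the login check; by the next step it has already expired.
    login_code = otp(SECRET, t)
    still_valid = bank_accepts_login(login_code, t + 30)
    expired = bank_accepts_login(login_code, t + STEP)
    # A code bound to the transfer the user intended does not validate a
    # transfer to a different payee, even inside the same 60 seconds.
    confirm = otp(SECRET, t, transfer_binding("own-account", 500))
    intended = bank_accepts_transfer(confirm, t + 30, "own-account", 500)
    diverted = bank_accepts_transfer(confirm, t + 30, "other-account", 500)
    return still_valid, expired, intended, diverted

if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```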

Emergency measures expose risks again

    The endless stream of fraud cases also drew the attention of Bank of China. On January 21 it added a step to online banking transfers: the amount a user may send in a single transfer was greatly reduced, and a transaction confirmation code is now sent automatically to the user, so that a transfer goes through only after the user confirms it. This has to some extent curbed the spread of such cases, especially the large ones.

    But smaller counterfeit bank online banking cases still emerge in an endless stream. Mr. Huang, mentioned above, said that if the design of the online banking is not fundamentally improved and the only measure is to reduce the single-transfer limit, the problem is still not cured.

    Undeniably, adding the SMS authentication step to the transfer process has played a large role. But it was soon followed by criminals adapting their methods, and another vulnerability in the online banking surfaced.

    Mr. Zhang of Fuzhou went through a similar fraud on February 14, with one difference: although the bank had by then cut the single-transfer cap to 500 yuan and added an extra line of defense, the 2 yuan in his account was still stolen in one go through mobile banking.

    Mr. Zhang was puzzled: he had never opened mobile banking, so how could the criminals transfer money through that channel? Bank staff replied that Bank of China mobile banking could be opened directly from the online banking login page; after stealing his online banking credentials, the criminals opened mobile banking directly and succeeded without any mobile phone verification code.

    Mr. Zhang questioned why mobile banking could be opened without any documents at all, and why, with cases so rampant in recent times, the bank was still so careless. Bank staff responded that this was indeed a loophole, and that Bank of China has stopped allowing mobile banking to be opened directly through online banking.

    However, when the reporter called the bank's customer service hotline earlier, staff said that this way of opening mobile banking could still be handled.

  Bank of China in the eye of the storm, and its difficulties

    With the concentrated outbreak of these cases, Bank of China's online banking stood at the center of public opinion. Many users no longer dare to use Bank of China online banking, and some have, for safety, withdrawn all funds from their Bank of China accounts.

    Other major banks are also jittery and have stepped up warnings about online banking safety risks.

    Calling the bank's customer service telephone now, one hears overwhelming online banking safety publicity while waiting, and the official website has added a corresponding section, but this has not quelled the doubts, which keep rising one after another.

    Miss Li of Beijing, also a victim of phishing fraud, said that the bank's online banking problems had in fact existed for a long time, with many 315 complaints last year. Around December 2010 such cases were already very common, but they did not draw the bank's attention until the improvements of January 20; such a response speed is truly disappointing.

    Mr. Huang, the victim from Shenzhen, also argued that the situation has become quite serious: the bank should establish an emergency response system, cooperate with the police investigation more promptly and actively, and protect users' rights and interests.

    However, the fiercer dispute still lies ahead.

    Financial Weekly reporters learned that some customers defrauded through phishing have already made claims against Bank of China, arguing that vulnerabilities in BOC's online banking system amount to a dereliction of its duty to protect client funds, but so far without result. Many of them are considering banding together to seek compensation.

    A responsible person at the bank responded that online banking users fell victim to criminal fraud mainly because their awareness was weak and their online operations were not standard; the bank has a duty to cooperate with the police investigation, but is not liable for compensation.

    A responsible person at the China Financial Certification Center likewise said that when a bank user is lured by text message into transacting on a phishing website, the party committing the fraud is neither the bank nor the bank's website; what the bank should do is remind and warn its users so that they are not deceived.

    A staff member of a Beijing law firm spoke frankly: "Judging from the modus operandi in these cases, the bank's online banking system does seem to have some loopholes. If security problems in the bank's transaction system caused consumers' account information to be stolen and their property lost, then the bank has failed to fulfil its obligation under the transaction security agreement and should bear corresponding civil liability according to its degree of fault. However, in practice, determining whether the cause lies with the client or with the banking system involves high technical barriers, and the user is clearly at a disadvantage in the burden of proof, so negotiated compensation may be the better route."