Phishing mongers and posers have taken the world by storm [1], and it is estimated that the annual financial loss due to phishing scams is at least US $320 million [7]. Hong Kong has been a hotspot of phishing attacks, and since the majority of phishing incidences occurring in the world are related to the financial services industry, banks in Hong Kong have been frequent targets. We conducted a study of Hong Kong banks in 2005 and 2007 to assess their phishing readiness and to understand the driving forces that shaped their adoption of anti-phishing measures (AM) over time. We searched the security-related information available on the Web sites of Hong Kong banks to determine the AM adopted by them. We scored the banks based on their adoption of AM and related the scores to characteristics of the banks and other plausible external factors.
Phishing consists of multiple phases [4]. Bose and Leung identified four phases in the phishing life cycle, namely preparation, mass broadcast, mature, and account hijack [2]. Table 1 lists the AM adopted by the 29 Hong Kong banks that offered online banking services, categorized according to the phases of phishing. The mature phase of phishing is the top concern for banks, and 89.7% of them had adopted digital server certificates as an AM in both assessment periods. The mass broadcast phase of phishing is the least important. Only one bank launched a bank email service in 2007 that allowed customers to access legitimate emails sent by the bank. AM related to the account hijack phase showed the greatest improvement over time, with the adoption of tools for two-factor authentication such as hardware devices, one-time passwords, and challenge and response.
Size of banks. We scored each bank according to the number of AM it adopted. Figure 1 shows the scores obtained in 2005 as bars and the incremental scores obtained in 2007 as additional bars stacked on top of the base. Figure 1a shows the scores for large banks (average asset size greater than HKD 2908.7 billion) and Figure 1b shows the same for small banks. The difference in the AM score for all banks between 2005 and 2007 was statistically significant (p-value < 0.01). The difference between the average scores obtained by large and small banks was also statistically significant for both 2005 and 2007. Large banks obtained average scores of 4.6 and 5.0, whereas small banks obtained average scores of 6.4 and 6.7, in 2005 and 2007 respectively. The scores indicate that small banks were better prepared against phishing than large banks. Among the new AM adopted by eight banks in 2007, most were related to the account hijack phase.
Credit rating. Table 2 shows the AM scores for all banks (except bank IDs 22 and 24), grouped according to their Moody's ratings for July 2007. A Moody's rating gives investors information about the overall quality of a bank and the safety and soundness of its financial products [6]: the higher the rating, the lower the credit risk and the better the bank is for investment purposes. In this research, banks with a medium Moody's rating tended to have a higher AM score. However, the change in AM score between the two assessment periods was more significant for banks with a high Moody's rating.
Government advocacy. The Hong Kong Monetary Authority urged all banks that provided online banking to implement two-factor authentication (2FA) by mid-2005 [5]. In 2005, 19 out of 29 banks (65.5%) had implemented two-factor authentication, followed by 3 more banks in 2007. The high response rate showed that government advocacy is a significant factor influencing the adoption of AM by banks. Nevertheless, the effectiveness of 2FA in deterring phishing incidences is debatable. For the 19 banks that adopted 2FA by 2005, the number of phishing incidences occurring between 2003 and 2005 was 21 and between 2006 and 2007 was 20, a decrease of 4.8%. For the 3 banks that adopted 2FA between 2006 and 2007, the number of phishing incidences that occurred prior to adoption was 8, whereas the number that occurred after adoption was 5, a decrease of 37.5%. Although the number of phishing incidences did decrease over time, it cannot be conclusively stated that 2FA was effective in deterring them.
Frequency of phishing attacks. Figure 2 gives an overview of phishing incidences reported to the Hong Kong Monetary Authority between May 23, 2003 and May 5, 2007. Bogus Web sites were the most common form of phishing attack, with fraudulent emails second. Among the eight banks that adopted new AM in 2007, six experienced more than one phishing incidence between 2003 and 2007. To ascertain whether there is any association between a bank's AM score and the number of phishing incidences targeting it in a given time frame, we calculated the correlation coefficient between these two data items. The correlation coefficient increased from 0.17 in 2005 to 0.40 in 2007, showing that a positive relationship existed between AM score and the number of phishing incidences and that the relationship was getting stronger over time.
Proliferation of online banking. Online banking is becoming popular in Hong Kong. Bank IDs 3, 5, 6, 15, 16, and 19 reported double-digit percentage growth in the number of online banking customers in their annual reports for 2006. The average AM score in 2007 for these banks was 6.5, higher than the average score of 6.2 for all banks, indicating that they were more responsive to anti-phishing than their peers. Coincidentally, in a survey conducted in Singapore, some banks revealed that the volume of online transactions increased with the adoption of better AM [3].
We found that the changes in AM scores for Hong Kong banks between 2005 and 2007 were statistically significant. Banks that had smaller assets, a higher number of online customers, or frequent phishing attacks tended to be better prepared against phishing. In Hong Kong, government advocacy influenced the adoption of two-factor authentication by banks. Banks with a high Moody's rating showed a marked increase in AM score from 2005 to 2007, indicating their concern for the security of their customers. Our study focused on Hong Kong banks, but the findings are likely to be applicable to banks in other parts of the world as well.
1. Berghel, H. Phishing mongers and posers. Comm. ACM 49, 4 (Apr. 2006), 21-25.
2. Bose, I. and Leung, A.C.M. Unveiling the mask of phishing: Threats, preventive measures, and responsibilities. Comm. AIS 19, 24 (Apr. 2007), 544-566.
3. Chan, I. Better authentication allays online banking fears. ZDNet Asia (2007); www.zdnetasia.com/insight/specialreports/0,39044853,62020506,00.htm.
4. Financial Services Technology Consortium. Understanding and countering the phishing threat: A financial services industry perspective (2005); www.fstc.org/projects/docs/FSTC_Counter_Phishing_Project_Whitepaper.pdf.
5. Hong Kong Monetary Authority. Fraudulent bank websites and e-mails (2004); www.info.gov.hk/hkma/eng/press/2004/20041007e4.htm.
6. Liu, P., Seyyed, F.J. and Smith, S.D. The independent impact of credit rating changes - The case of Moody's rating refinement on yield premiums. Journal of Business Finance & Accounting 26, 3-4 (1999), 337-363.
7. Moore, T. and Clayton, R. Examining the impact of website take-down on phishing. In Proceedings of the Anti-Phishing Working Group's 2nd Annual eCrime Researchers Summit (Pittsburgh, PA, 2007), ACM Press, 1-13.
Figure 1. AM scores obtained by (a) large and (b) small banks
Figure 2. Phishing incidences reported in Hong Kong from 2003 to 2007
Table 1. Phases of phishing attack and anti-phishing measures
Table 2. AM scores for banks corresponding to their Moody's ratings
©2009 ACM 0001-0782/09/0800 $10.00