Germany's Postbank is hit by new phishing attack

IDG News Service - DUSSELDORF, Germany -- Germany's Postbank AG has been the target of another phishing attack, its third after two back-to-back assaults last year.
"The attack came around midnight, but as far we as know, none of our customers have revealed any confidential banking information," Postbank spokesman Hartmut Schlegel said today.
Customers of the large state-owned retail bank received an e-mail requesting them to enter two transaction authorization numbers (TAN) for security reasons. The e-mail address was: security@postbank.de.
The Web site was blocked "within a relatively short period of time," Schlegel said. He declined to provide details about who blocked the site and how.
Phishing attacks use spoofed e-mail and fraudulent Web sites to fool respondents into entering personal financial data such as credit card numbers and their account user names and passwords, which can then be used for financial theft or identity theft.
Postbank suffered two attacks last August, following a separate attack on Deutsche Bank AG (See story).
"So far, none of our customers have been affected by these attacks," Schlegel said.
All three of the phishing e-mail messages were written in poor German, according to Schlegel. "This raised a warning flag to most of our customers," he said.
Postbank has posted messages on its Web site and sent notices in the mail to warn customers of the rising risk of phishing attacks.
Most German online banking customers are required to provide a personal identification number and TAN for each Internet transaction.
Postbank, like most other German banks offering online banking services, sends customers a list of TANs by mail. However, for those who want a more secure way of receiving these numbers or who are traveling and prefer not to carry the list with them, the bank has launched a new mobile TAN service, the first of its kind in the country, according to Schlegel.
The service works like this: After customers have requested a TAN via the Internet, the number is automatically generated and sent to their mobile phone. The number is valid only for several minutes -- about the time required to make an online transaction.
The Fraunhofer Institute for Secure Information Technology recently published a study of German banks and their security measures against phishing attacks. Only Deutsche Bank received a "very good" rating, and no banks received a "good" rating. Postbank was one of five banks to receive a "satisfactory" rating. The remaining banks were evaluated as "sufficient," with the exception of one, Sparda-Bank Hamburg eG, which failed to make the grade altogether.