"Financial Service Technology America, today's latest financial news now..."
The Magazine

Issue 2

Safe in the knowledge

Tower Group | www.towergroup.com

Financial institutions, while keen to promote the advantages and develop the full potential of online banking, are under ever-present attack from fraudsters. But in addition to taking stronger action to protect themselves, banks will have to improve their communication to customers if they are to prevent a loss of custom. And, as George Tubin, Senior Analyst for the TowerGroup Delivery Channel research service, reports, they must strike a tricky balance between information and reassurance on the one hand and alarmism on the other.

As a Senior Analyst for the TowerGroup Delivery Channel research service, George Tubin’s areas of responsibility include internet banking and contact center strategies and technologies, as well as collaborative web technologies. With 15 years in the banking and high-technology industries, Tubin has experience in strategic planning, online financial services, back-office operations, business process re-engineering, and merger integration. Prior to joining TowerGroup, George was a Senior Consultant with ADS Financial Services Solutions, providing information technology strategy consulting and systems integration services to the financial services industry. He also held several positions at BayBank, BankBoston and Fleet, including Director of e-Commerce Planning and Development and Vice President of Planning and Analysis for the consumer and small business banking divisions.

The need to tackle authentication challenges was something recognized by the Federal Financial Institutions Examination Council (FFIEC) when it released updated guidelines late last year. Although it’s called ‘guidance’, I’ve been telling banks that they really need to look at it as a regulation. It’s not a recommendation, it’s not a suggestion, it’s a requirement, and banks have to implement stronger authentication for high-risk transactions (any transaction that moves money from someone’s account into a different account, or where sensitive information that could be used to commit fraud is delivered) by the end of the year.

When you think about online banking, it means that pretty much any online banking session needs to have stronger authentication associated with it. As a result, the banks here are scrambling to prepare for 2007 when the bank examiners come in to do their audits, as they’re going to expect to see something in place. The good news is that even before the FFIEC guidance came out, US banks were already evaluating different ways of doing this; in essence, the guidance was brought out to push the industry further down a direction they were already going in.

One of the reasons why the guidance came along is that when you look at the phishing and malware attacks that have occurred recently, the targets are usually the larger banks; smaller rural banks that aren’t that big but still have an online presence don’t see so much of it. However, if the bigger banks start to do a better job of protecting themselves, the criminals will look towards the smaller banks, which are much less able to protect themselves as they don’t have the technical expertise or the resources. They often therefore don’t see that a problem is coming or know what to do about it if it does. The regulation raises awareness of this and forces others in the industry to do something about it.

However, in security, it’s a never-ending battle, so there’s always more that can be done. Over the next several years these approaches will be much more effective than simple username/password techniques, but the industry is going to have to continue to evolve and continue to get better over time. This isn’t the end-game, rather it’s the next step along the path.

Communication is key

There are obvious reasons for the industry not to communicate – irrational reactions on the part of the press and the public are one such example. The banking industry is very used to losses, whether this be through credit cards or check loss or whatever; it’s part of doing business, just as the retail industry accepts a certain amount of shrinkage. The problem is the consumer reaction to this, and so in terms of publicly stating numbers I don’t think we’re going to see the situation change, mainly because of the potential damage to both brands and the industry that this could cause.

However, banks do share information with each other in various ways, whether it’s through personal contacts or industry forums from which the rest of us are excluded. For the most part, I think banks are looking at security issues more collaboratively than competitively; I don’t think you’ll see banks denigrating competitors’ security, because this damages the industry as a whole by suggesting that banks are not secure.

Many banks, at least in the US, have been offering customers a reliability guarantee – saying upfront that they would like the customer to use online banking, that it’s better for them and better for the bank, and that they are so confident it’s the best way to go that if funds are stolen the bank will cover that customer 100 percent. It is similar to the case with credit cards, where much effort has gone into letting customers know that if their card is stolen they will not be liable for whatever happens on that card. Banks need to communicate their own guarantee just as strongly and to offer support about when an incident of identity theft could possibly occur. Most cases of identity fraud happen offline through the age-old methods of having your wallet or mail stolen or when a credit card is stolen. The banks therefore need to communicate the real risks and the importance of safeguards such as shredding your credit statements.

It’s a question of the responsibility of banks on the one hand to implement the necessary technologies and solutions to authenticate user identity, and on the other hand to raise awareness among consumers of the actions they can take to reduce the chance of falling foul of identity theft. But it is walking a fine line, because while we want to help consumers protect themselves we also need to avoid being alarmist. We don’t want to create a negative or overly alarmist image that there’s a huge need to protect yourself against such things or terrible things will happen, because that isn’t the case. Society tends to be a little reactive, so banks must be careful about how they tread.

Looking forward
It will take a while for the industry to implement all the approaches we’ve talked about here, so while banks try to put these types of approaches in place I think we’ll continue to see phishing attacks, and we’ll continue to see a rise in malware attacks. It is still very early days right now, so we can expect these kinds of attacks to continue to happen, and a lot of banks won’t have the systems in place in time to be able to protect against them. Even when they are up and running, it’s important to remember that no system is 100 percent foolproof. We know this because to make it completely foolproof you have to make it very difficult to use. So it’s essential to maintain a balance between security and convenience when addressing this issue. Undoubtedly, even after these measures are in place, there will be some banks that have set their criteria about what they are watching such that we will see some criminals get through the net and access funds. It unfortunately won’t simply shut the whole thing down. That’s the likely state of play in the short-term.

In the longer-term, criminals will eventually find some wholesale way around these techniques, and banks will have to step it up another level. By that time we could be looking at using an advanced smart card technology approach, but this is really a societal shift as much as a technological one.

While the use of smart card technology is further advanced in Europe, there is certainly a future for this in the US. It’s a question of when rather than if. People have been predicting the adoption of smart card technologies for many years now; back in 1995 people were predicting that we’d be using smart cards by 1997, and it now keeps shifting back, year after year, with some people being more aggressive in their predictions while others of us believe that it will not happen quite so quickly. I think that realistically sometime over the next five years or so we’ll start to see a shift towards smart cards as more players enter the market and start to see the benefits, whether it’s combining financial and healthcare information with other providers, ISPs, the internet will want to get on it. Once enough people have an interest in it and more people start to see a financial gain in this we will start to see greater uptake.


FFIEC guidance

In October 2005, the Federal Financial Institutions Examination Council (FFIEC) released updated guidance on the risks and risk management controls necessary to authenticate the identity of customers accessing internet-based financial services. Authentication in an Internet Banking Environment was issued to reflect the many significant legal and technological changes with respect to the protection of customer information, increasing incidents of identity theft and fraud, and the introduction of improved authentication technologies and other risk mitigation strategies.

The guidance does not endorse any particular technology and specifically addresses the need for risk-based assessment, customer awareness and financial institutions’ implementation of appropriate risk mitigation strategies including security measures to reliably authenticate customers accessing their financial institutions’ internet-based services.

The main portion of the guidance provides financial institutions with guidance on authentication and discusses appropriate risk assessments, customer authentication, verification of new customers, and monitoring and reporting. An appendix provides more detail about various authentication technologies.

Can you tell the difference?
A new report has highlighted the gulf that exists between the perception and reality of consumers’ awareness of online scams and their actual online behavior. The study found that while 87 percent of consumers polled said they were confident they could recognize fraudulent e-mails, 61 percent failed to identify a legitimate e-mail.
The Online Fraud Report was sponsored by the National Cyber Security Alliance (NCSA), a central clearinghouse for cyber security awareness and education for home users, small businesses and the education community, and Bank of America.
The study also presented participants with images of sample websites, asking if they could identify whether or not each was secure. 67 percent of respondents failed the task, with six out of 10 relying on symbols such as padlocks and four in 10 consumers believing there was no way to tell if a site was secure.
“We are making progress, as consumers are more aware than ever of a range of online threats. However, it is clear that the sense of confidence many feel in their ability to identify online scams is misplaced and overstated,” said Ron Teixeira, executive director of the National Cyber Security Alliance. “As people continue to conduct more of their activities and transactions online, fraudsters will continue to present sophisticated scams. This study reinforces the necessity for consumers to educate themselves regularly about safe online practices in order to stay ahead of the next threat.”

Highlights of the report:

  • Around eight in 10 internet users in the US conduct online financial transactions such as online banking, stock transactions or filing taxes.
  • Two-thirds of consumers who conduct online financial transactions are extremely or very concerned about giving their personal or financial information to a fake website and having hackers steal financial information from their computer.
  • 74 percent of Americans do not believe that using only an ID and password to log-in is extremely or very safe.
  • More than 68 percent of respondents are extremely or very willing to try additional layers of login security, such as answering personal questions about themselves to confirm their identity.
  • More than four out of five people polled believe that the responsibility of limiting and preventing online fraud is equally shared by the legitimate website, themselves and internet service providers.

Empowering the customer – steps to prevent fraud:

  • Install protection such as firewalls, anti-virus software and anti-spyware software on your computer. Keep the protection and browsers updated. Don’t download materials from unknown senders. Use unique passwords that are hard to guess and change them often.
  • Confirm the validity of all requests for sensitive personal, financial or account information. Open a request in a new browser window and type in the referenced web address rather than clicking on links provided within the e-mail.
  • Monitor accounts, credit reports and credit scores. Notify banks and credit agencies immediately of any unauthorized transactions.
  • Take advantage of free bank services, such as direct deposit. Stop receiving paper statements through the mail when they are available online.
  • Do not share your IDs, passcodes or ATM passwords with anyone.

To view the full guide visit http://staysafeonline.org/news/onlinefraudreportfinal.pdf