Are Banks Short-Changing You on Security?
Dec 18, 2008 4:00 AM PT
Given the financial fallout we've all been treated to this year, online banking and investment transactions may face increasing risks from hackers and sub-par network security.
Buying and selling via the Internet is the most common form of trading stock -- and the most vulnerable. With so much money changing hands through the Internet, bank security risk is critically high.
The stock market is seeing record numbers with regard to gains, losses and volume. But these high volumes of transactions can put the security of customer transactions at financial institutions at risk if the proper precautions have not been put in place.
Can cash-strapped banks and other financial institutions continue to invest enough to maintain critical security systems? More international regulation is needed to prevent cybercrime from causing as much havoc as the credit crisis in the next few years, according to the Organization for Security and Cooperation in Europe (OSCE) in a security report issued in November.
The impact of cybercrime is estimated to cause US$100 billion in damages annually, according to the OSCE report, which also called Internet crime a threat to national security. Growing worry for online banking security led several countries, including the United States, to voice concern over Russia's and China's abilities to electronically spy on them and disrupt computer networks.
"We are seeing in the past year a doubling of phishing attacks targeting bank customers," Jeff Debrosse, research director at ESET, told the E-Commerce Times. "As things become more uncertain, we are seeing more ID thefts."
This increased security risk is contributing to a sense among banking officials that they have been blindsided. Few in the banking industry expected this downside, noted ESET's Debrosse. His company develops software protection against evolving computer security threats.
For customers, the industry's reaction amounts to the realization that users of online banking services have to be more vigilant. As the use of online banking services continues to grow, so will the risks.
"We are at the peak of that blindsiding," Debrosse suggested.
The concern over banking security in Europe expressed by the OSCE report is particularly significant to U.S. banking customers. Bank network security, especially regarding log-on procedures, falls short of consumer expectations. Log-on protocols elsewhere utilize strong authentication. U.S. banks generally fail to meet that standard.
"In North America, not many banks are implementing strong authentication. Most use passwords and security questions," Torsten George, head of global marketing for ActivIdentity, told the E-Commerce Times.
In Europe, more advanced technology is more often used, such as security questions coupled with password tokens, he said. ActivIdentity is a global provider of digital identity assurance including strong authentication, single sign-on, and smart cards.
U.S. consumers are just catching up to the rest of the world with banking security. Flimsy log-on procedures are one weak spot, agrees Doug Brunt, president and CEO of software security firm Authentium.
"The security situation is out of control. We need more storage... . [*correction] The rate is growing exponentially," Brunt told the E-Commerce Times.
The situation presents a nightmare to bank IT departments. As existing security measures spring holes, the race is on to tighten the protocols.
"Banks have protection but are looking for new ways to add better protection in the midst of feeling almost desperation with the circumstances. This is a dangerous combination," Debrosse said.
Changing the Same
A solid connection exists between the lack of strong authentication for logging onto financial networks and the rising rate of ID fraud. Authentication technology has been available to business since 1992. At the time, it was not a popular, or economical, solution.
"The threats morphed. The first 10 years the industry built databases of 100,000 signatures. The database size grew a second 100,000 in the next two years. Now it grows 100,000 signatures every two weeks," explained Brunt about the ineffectiveness of antivirus scanners typically used to secure banking networks.
As an example of the increasing virus threat, he mentioned the Sinowal Trojan. That particular bit of malware is like poison for banks.
"Sinowal compromised over 500,000 bank credentials. The infection is constantly morphing. It is an arms race," said Brunt.
Given the pressure brought by regulatory agencies and consumers themselves, bank officials in the U.S. are taking steps to bolster their lagging computer security.
Until now, U.S. banks favored fraud insurance over tighter network security measures -- it was cheaper -- but times have changed that strategy.
"Now banks are having a hard cry from consumers for stronger security. Consumers are shifting their money around. This raises greater risk to fraud. We are seeing lots of password sniffing [attacks]," said George. "Banks now are starting to ask for stronger security options. There is a changing attitude."
The rise in breach disclosures should be a computer security wake-up call for bank patrons. Federal disclosure regulations give consumers a false sense of security.
"You cannot always trust the data breach information required by federal rules. Organizations and data breach disclosures are occurring with staggering frequency. Halfway through 2008, they surpassed all of the breaches of 2007," noted Debrosse.
Some 240 million people were affected by breaches worldwide from January 2005 to October 2008, according to the Privacy Rights Clearinghouse.
Consumers cannot assume that if their banks did not report a breach, their personal data is still secure. Organizations are mostly on the honor system to disclose breaches. And if they do issue a public report, consumers have to assume that what is disclosed is fully accurate, he suggested.
"Banks need to focus on customer retention. It is tough to do. Customer retention is at stake," said Debrosse.
Getting banks to withdraw their weak security questions is a much-needed change, according to George. The limited screening that security questions provide is better than no entrance barrier at all to an account, but tokens and more advanced methods are what are really needed.
Many of the answers can be easily cracked using information that a hacker has phished from an account holder. Most banks use a library of preset questions, said George.
"More ideal is a two-part authentication with a knowledge factor. A better approach is to let the end users define the questions themselves," he said.
Adaptive verification recognizes any change in the computer used to log on. This creates a higher security screen, George explained. It is based on IP address location.
These methods have a behavioral basis, a tool that is less costly for banks and less visible to consumers. The consumer only notices if something goes wrong, he said.
Another method has the bank customer choose when to use the services, with a one-time password sent to his mobile phone each time. A second option involving the cell phone is called a "soft token."
A piece of software is downloaded to a cell phone or computer. The software holds the credentials to create a one-time password. This replaces the hardware token.
Cell Phone Access
A new security method involving cell phones is called "near field technology." The phone owner waves the mobile device over a card reader. George sees this as replacing smart cards and credit cards in the next two years.
"With a cell phone, you can have real-time revocation. It's very tough to beat. You call the service provider to turn off the phone if you lose it. It's no longer usable to authenticate bank log-on access. That's the beauty of smartcard-based or chip-based authentication," George explained.
The cell phone will become the primary device for access credentialing in five years, he predicted.
*ECT News Network editor's note: The original published version of this article included the bracketed phrase "[of secure consumer data]," reflecting the author's understanding of the type of storage Authentium CEO Doug Brunt was referring to. We have removed the bracketed phrase, based on Brunt's communication following publication of this article that Authentium never stores any customer information or data.