Phishing Liability Concerns Online Banks

Online banking firms now have a new worry -- liability for customer losses due to phishing scams.

For the last year or so, online financial institutions and their IT consultants -- as well as consumer interest groups -- have focused on fixing security, adding authentication and encryption and other technologies to forestall scammers. But the phishing plague continues. Now, experts tell The E-Commerce Times, banks may soon be on the hook for financial losses by customers if they cannot secure their online stores.

The Federal Deposit Insurance Corp. (FDIC) earlier this summer distributed guidelines to banks as to how to bolster online security. Some in the business community think that banks need to focus on preventing losses, rather than just finding hot new technologies.

Liability for Losses?

"Identity theft, phishing scams, instant messaging risks, spyware and account-hijacking present significant confidentiality, integrity, availability and liability exposure implications for both a bank and its customers," said Glenn Gearhart, chief executive officer of ACAP Security, based in Huntington Beach, Calif.

A recent survey of U.S. Internet users by the Ponemon Institute agrees with this premise, finding that over three-fifths of the survey respondents believed it "unacceptable" for a bank to not respond to phishing schemes that use the bank's identity as the means of gaining the victim's trust. Nearly 96 percent of the respondents said that banks need to use technology to provide protection to their banking customers.

In other words, customers blame the banks, not just the criminals.

Gearhart tells The E-Commerce Times that financial institutions should consider "new security strategies" for their enterprise information security programs and customer data management services, so as to prevent losses from customer accounts. This includes the implementation of multi-factor authentication methods, which would limit the ability of identity thieves to compromise customer accounts, even when a thief has a customer's ID, password and account numbers.

"In light of this, and of the continued public reporting of the compromise of customer's private identity data and financial records," Gearhart said, "including the compromise of data on 40 million credit card holders and a number of additional customer account data security compromises at FDIC insured banks, it is becoming evident that if a bank is to continue to hold or gain market share in today's online banking environment, enhanced data security is a must."

New Authentication Technologies

Some financial institutions are deploying new authentication technologies -- like graphical watermarks -- to hamper hackers who can somehow slip past biometric and token technologies, experts tell The E-Commerce Times. These measures are being taken out of a concern that the institutions themselves will be on the hook, rather than the FDIC, if money is stolen from an online checking or savings account.

"We've seen evidence of new Trojans that bypass most two-factor authentication devices -- e.g. tokens and biometrics -- by waiting for the user to authenticate at log-in," said Naftali Bennett, chief executive officer of Cyota, a developer of authentication technologies, based in New York.

"Once authenticated, these Trojans come alive and drain the accounts behind the scenes," Bennett explained. "Unlike spyware or phishing, there is no need to capture the target's ID or password. Once they open the door, the thief walks in behind them."