By Andrew K. Burger E-Commerce Times
02/22/07 4:00 AM PT
"Online banking transaction fraud is growing rapidly due to the huge amount of identity theft," said Peter Relan, chief strategist at Entrust. "It is estimated by the Cyber Security Industry Alliance that over 100 million identities of Americans have been compromised to date -- and a significant portion of this further leads to online monetary fraud."
Cybercriminals are as gung-ho about perpetrating online fraud as financial institutions and governments are dedicated to preventing it. As long as people send private, sensitive information and transactions over computer networks, the prospect of identity (ID) theft and subsequent online fraud will loom large.
It's not so much the number of people who have fallen victim to ID theft, but the potential for serious loss and the possibility that you or I will become the next victim.
However, if the business of protecting you and me continues apace, ID theft may become increasingly difficult for cybercriminals, even if they are armed with user names and passwords.
100 Million Identities
Taking advantage of the latest in PKI (public key infrastructure) cryptography, banking and financial services companies and security providers are taking a multifactor approach to authenticating users.
Authentication methods that depend on more than one factor can be more reliable and stronger fraud deterrents. For example, using a login ID and password is single-factor authentication. An ATM transaction, on the other hand, requires multifactor authentication: the user's ATM card combined with a secret personal identification number.
"Online banking transaction fraud is growing rapidly due to the huge amount of identity theft that has occurred in the last couple of years," Peter Relan, chief strategist at Entrust, told the E-Commerce Times.
"It is estimated by the Cyber Security Industry Alliance that over 100 million identities of Americans have been compromised to date -- and a significant portion of this further leads to online monetary fraud," Relan added.
According to the Privacy Rights Clearinghouse, more than 100 million notifications have been sent to individuals in the U.S. as per state disclosure notification laws, informing them that their personal information has been lost or stolen.
That's 100 million people who can be considered prime targets for ID theft and online fraud.
Bankers, brokers and technology providers devote extensive amounts of time and money to detecting and preventing such crimes, but the cybercriminals leapfrog over their efforts. With each leap, the good guys must stay ahead of the hacker -- technologically.
Financial institutions and security providers are employing ever more sophisticated tools to prevent cybercriminals from stealing confidential information and breaking into online banking and brokerage accounts.
These tools and methods include a combination of cryptographic network access keys, shifting passwords, unique personal identifiers and sophisticated behavioral algorithms.
Pumps and Dumps
A January Gartner (NYSE: IT) research report links fraud losses and phishing threats directly to an erosion of consumer confidence in financial institutions and online transactions in general, noted Kerry Loftus, director of product management and authentication at Verisign.
Unauthorized access to user accounts is "a big threat to banks and financial institutions, and the best data that bears this out is Avivah Littan's January report published by Gartner ... I think this on top of last year's regulatory guidance from the FFIEC (Federal Financial Institutions Examination Council) has the banks' attention.
"Methods include e-mail scams -- such as 'pump and dump' attacks on brokerages -- as well as general phishing attacks designed to pull consumers' identity information. The proliferation of botnets has just given the bad guys an even larger channel to consumers to execute these attacks," Loftus told the E-Commerce Times.
In response to the growing problem, Entrust has introduced TransactionGuard, a product that offers organizations the ability to monitor all online activity and to obtain a complete picture of the behavior of all online users -- both legitimate and potential attackers.
Studies Disagree
In counterpoint to the regular and rightfully alarmist statistics about the growing absolute number of ID thefts and online fraud, similarly strong evidence suggests that such cybercrimes are actually decreasing.
In the latter case, the main cause of online fraud doesn't occur online but offline, through a combination of user complacency, carelessness and the activities of opportunistic, organized and tech-savvy criminals.
"According to numerous industry studies -- for example Javelin Strategy & Research's Identity Fraud Survey Report -- ID fraud has declined over the past four years, and only 8 percent of identity fraud has resulted from online information breaches," said Scott Mackelprang, vice-president of security and compliance at Digital Insight.
"The majority of fraudulent activity results from offline sources such as lost wallets or purses, stolen U.S. mail or friends and family. These are threats that can be directly prevented by users and are obviously not technological in nature. Nevertheless, given online banking's rapid growth and popularity, security is an important issue to deal with for the industry as a whole," Mackelprang noted.
Legislating Security
Given the regular occurrence of highly publicized data breaches, losses and laptop theft at federal government agencies and departments, the U.S. government last year became more proactive about IT security.
Last June, the Office of Management and Budget (OMB) issued White House OMB M-06-16, an order giving all government agency heads up to 45 days to assess mobile data and remote access network systems security provisions and ensure that they are in full compliance with National Institute of Standards (NIS) security measures.
Other previous efforts, Congress's Sarbanes-Oxley legislation in particular, have had far-reaching ramifications for financial institutions with respect to the security, business processes and reporting systems they are now required to enforce.
"In 2006, the FFIEC required that banks and credit unions strengthen customer authentication measures for Internet banking transactions by year-end," said Digital Insight's Mackelprang.
"The guidelines for how this increased authentication was to be implemented were not method-specific, so there isn't a 'standard' method, but 'strong' or multifactor authentication (MFA), in some form or another, is now the norm," he added.
Substantial effort needs to be done on the consumer level to help unsuspecting individuals from ...