Given the financial fallout we’ve all been treated to this year, online banking and investment transactions may face increasing risks from hackers and sub-par network security.
Buying and selling via the Internet is the most common form of trading stock — and the most vulnerable. With so much money changing hands through the Internet, bank security risk is critically high.
The stock market is seeing record numbers with regard to gains, losses and volume. But these high volumes of transactions can put the security of customer transactions at financial institutions at risk if the proper precautions have not been put in place.
Can cash-strapped banks and other financial institutions continue to invest enough to maintain critical security systems? More international regulation is needed to prevent cybercrime from causing as much havoc as the credit crisis in the next few years, according to the Organization for Security and Cooperation in Europe (OSCE) in a security report issued in November.
The impact of cybercrime is estimated to cause US$100 billion in damages annually, according to the OSCE report, which also called Internet crime a threat to national security. Growing worry for online banking security led several countries, including the United States, to voice concern over Russia’s and China’s abilities to electronically spy on them and disrupt computer networks.
“We are seeing in the past year a doubling of phishing attacks targeting bank customers,” Jeff Debrosse, research director at ESET, told the E-Commerce Times. “As things become more uncertain, we are seeing more ID thefts.”
This increased security risk is contributing to a sense among banking officials that they have been blindsided. Few in the banking industry expected this downside, noted ESET’s Debrosse. His company develops software protection against evolving computer security threats.
For customers, the industry’s reaction amounts to the realization that users of online banking services have to be more vigilant. As the use of online banking services continues to grow, so will the risks.
“We are at the peak of that blindsiding,” Debrosse suggested.
The concern over banking security in Europe expressed by the OSCE report is particularly significant to U.S. banking customers. Bank network security, especially regarding log-on procedures, falls short of consumer expectations. Log-on procedures at many banks elsewhere use strong authentication; U.S. banks generally fail to meet that standard.
“In North America, not many banks are implementing strong authentication. Most use passwords and security questions,” Torsten George, head of global marketing for ActivIdentity, told the E-Commerce Times.
In Europe, more advanced technology is more often used, such as security questions coupled with password tokens, he said. ActivIdentity is a global provider of digital identity assurance including strong authentication, single sign-on, and smart cards.
U.S. consumers are just catching up to the rest of the world with banking security. Flimsy log-on procedures are one weak spot, agreed Doug Brunt, president and CEO of software security firm Authentium.
“The security situation is out of control. We need more storage… . [*correction] The rate is growing exponentially,” Brunt told the E-Commerce Times.
The situation presents a nightmare to bank IT departments. As existing security measures spring holes, the race is on to tighten the protocols.
“Banks have protection but are looking for new ways to add better protection in the midst of feeling almost desperation with the circumstances. This is a dangerous combination,” Debrosse said.
Changing the Same
A solid connection exists between the lack of strong authentication for logging onto financial networks and the rising rate of ID fraud. Authentication technology has been available to business since 1992. At the time, it was not a popular, or economical, solution.
“The threats morphed. The first 10 years the industry built databases of 100,000 signatures. The database size grew a second 100,000 in the next two years. Now it grows 100,000 signatures every two weeks,” explained Brunt about the ineffectiveness of antivirus scanners typically used to secure banking networks.
As an example of the increasing malware threat, he mentioned the Sinowal Trojan. That particular bit of malware is like poison for banks.
“Sinowal compromised over 500,000 bank credentials. The infection is constantly morphing. It is an arms race,” said Brunt.
Given the pressure brought by regulatory agencies and consumers themselves, bank officials in the U.S. are taking steps to bolster their lagging computer security.
Until now, U.S. banks favored fraud insurance over tighter network security measures because it was cheaper, but times have changed that strategy.
“Now banks are having a hard cry from consumers for stronger security. Consumers are shifting their money around. This raises greater risk to fraud. We are seeing lots of password sniffing [attacks],” said George. “Banks now are starting to ask for stronger security options. There is a changing attitude.”
The rise in breach disclosures should be a computer security wake-up call for bank patrons. Federal disclosure regulations give consumers a false sense of security.
“You cannot always trust the data breach information required by federal rules. Organizations and data breach disclosures are occurring with staggering frequency. Halfway through 2008, they surpassed all of the breaches of 2007,” noted Debrosse.
Some 240 million people were affected by breaches worldwide from January 2005 to October 2008, according to the Privacy Rights Clearinghouse.
Consumers cannot assume that if their banks did not report a breach, their personal data is still secure. Organizations are mostly on the honor system to disclose breaches. And if they do issue a public report, consumers have to assume that what is disclosed is fully accurate, he suggested.
“Banks need to focus on customer retention. It is tough to do. Customer retention is at stake,” said Debrosse.
Getting banks to withdraw their weak security questions is a much needed change, according to George. The limited screening that security questions provide is better than no entrance barrier at all to an account, but tokens and more advanced methods are what are really needed.
Most banks use a library of preset questions, said George, and many of the answers can be easily cracked using information that a hacker has phished from an account holder.
“More ideal is a two-part authentication with a knowledge factor. A better approach is to let the end users define the questions themselves,” he said.
Adaptive verification recognizes any change in the computer used to log on, which creates a higher security screen, George explained. It is based on IP address location.
These checks have a behavioral basis, a tool that is less costly for banks and less visible to consumers. The consumer only learns of it if something goes wrong, he said.
Another method has the bank customer choose when he will use the services and receive a one-time password on his mobile phone each time. A second option involving the cell phone is called a “soft token.”
A piece of software is downloaded to a cell phone or computer. The software holds the credentials used to create a one-time password. This replaces the hardware token.
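The two ideas above, an adaptive check on where the log-on comes from and a soft token that generates one-time passwords, fit together in one log-on flow. The following is an added example written for this page; it is not code from the article, from ActivIdentity or from any bank. The article names neither the OTP algorithm nor the risk rule, so both are assumptions here: HOTP (RFC 4226, the counter-based HMAC-SHA1 scheme many soft tokens implement) for the token, and "same IPv4 /24 as a previous successful log-on" as the adaptive rule. The secret key and addresses in the walk-through are constructed (the key is RFC 4226's own test-vector key).

```python
"""Toy bank log-on: adaptive IP check plus a software OTP token.

Added example for this page, not code from the article, ActivIdentity or
any bank.  Assumptions: HOTP (RFC 4226) for the soft token; two IPv4
addresses in one /24 count as "the same place" for the adaptive check.
"""
import hashlib
import hmac
import ipaddress
import os
import struct
from typing import List, Optional


# --- phone / soft-token side: HOTP, RFC 4226 -----------------------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# --- bank side ------------------------------------------------------------
def verify_hotp(secret: bytes, server_counter: int, submitted: str,
                look_ahead: int = 5) -> Optional[int]:
    """Accept a code within a small look-ahead window (the phone may have
    produced codes that never reached the bank).  Returns the counter to
    store next, or None.  The counter only moves forward, so a code that
    already succeeded is rejected if replayed."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1
    return None


def same_network(ip_a: str, ip_b: str) -> bool:
    """Assumed risk rule: same IPv4 /24 means a familiar location."""
    def net(ip):
        return ipaddress.ip_network(f"{ip}/24", strict=False)
    return net(ip_a) == net(ip_b)


class Account:
    def __init__(self, password: str, token_secret: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                           self.salt, 100_000)
        self.token_secret = token_secret   # shared with the phone at enrolment
        self.counter = 0                   # next HOTP counter the bank expects
        self.known_ips: List[str] = []     # IPs of earlier successful log-ons

    def check_password(self, password: str) -> bool:
        h = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(h, self.pw_hash)


def login(acct: Account, password: str, client_ip: str,
          otp: Optional[str] = None) -> str:
    """Returns "ok", "otp_required" (step-up needed) or "denied"."""
    if not acct.check_password(password):
        return "denied"
    familiar = any(same_network(client_ip, ip) for ip in acct.known_ips)
    if familiar and otp is None:
        return "ok"                        # password alone suffices here
    if otp is None:
        return "otp_required"              # new network: ask for the token code
    nxt = verify_hotp(acct.token_secret, acct.counter, otp)
    if nxt is None:
        return "denied"
    acct.counter = nxt
    acct.known_ips.append(client_ip)
    return "ok"


if __name__ == "__main__":
    # Constructed walk-through with RFC 4226's test-vector key.
    secret = b"12345678901234567890"
    acct = Account("correct horse battery", secret)
    print(login(acct, "correct horse battery", "203.0.113.5"))                   # otp_required
    print(login(acct, "correct horse battery", "203.0.113.5", hotp(secret, 0)))  # ok
    print(login(acct, "correct horse battery", "198.51.100.9", hotp(secret, 0))) # denied (replay)
```

Two details matter in practice: the HOTP counter on the bank side only advances, so a code phished from the customer and replayed later fails even inside the look-ahead window, and the step-up is invisible to the customer on a familiar network, which is the "less visible" property George describes. A real deployment would also rate-limit OTP guesses and key the "familiar" rule on more than a /24.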
Cell Phone Access
A new security method involving cell phones is called “near-field technology.” The phone owner waves the mobile device over a card reader. George sees this replacing smart cards and credit cards in the next two years.
“With a cell phone, you can have real-time revocation. It’s very tough to beat. You call the service provider to turn off the phone if you lose it. It’s no longer usable to authenticate bank log-on access. That’s the beauty of smartcard-based or chip-based authentication,” George explained.
The cell phone will become the primary device for access credentialing in five years, he predicted.
*ECT News Network editor’s note: The original published version of this article included the bracketed phrase “[of secure consumer data],” reflecting the author’s understanding of the type of storage Authentium CEO Doug Brunt was referring to. We have removed the bracketed phrase, based on Brunt’s communication following publication of this article that Authentium never stores any customer information or data.