Phishing Liability Concerns Online Banks

Online banking firms now have a new worry — liability for customer losses due to phishing scams.

For the last year or so, online financial institutions and their IT consultants — as well as consumer interest groups — have focused on fixing security, adding authentication and encryption and other technologies to forestall scammers. But the phishing plague continues. Now, experts tell The E-Commerce Times, banks may soon be on the hook for financial losses by customers if they cannot secure their online stores.

The Federal Deposit Insurance Corp. (FDIC) earlier this summer distributed guidelines to banks as to how to bolster online security. Some in the business community think that banks need to focus on preventing losses, rather than just finding hot new technologies.

Liability for Losses?

“Identity theft, phishing scams, instant messaging risks, spyware and account-hijacking present significant confidentiality, integrity, availability and liability exposure implications for both a bank and its customers,” said Glenn Gearhart, chief executive officer of ACAP Security, based in Huntington Beach, Calif.

A recent survey of U.S. Internet users by the Ponemon Institute agrees with this premise, finding that over three-fifths of the survey respondents believed it “unacceptable” for a bank to not respond to phishing schemes that use the bank’s identity as the means of gaining the victim’s trust. Nearly 96 percent of the respondents said that banks need to use technology to provide protection to their banking customers.

In other words, customers blame the banks, not just the criminals.

Gearhart tells The E-Commerce Times that financial institutions should consider “new security strategies” for their enterprise information security programs and customer data management services, so as to prevent losses from customer accounts. This includes the implementation of multi-factor authentication methods, which would limit the ability of identity thieves to compromise customer accounts, even when a thief has a customer’s ID, password and account numbers.

“In light of this, and of the continued public reporting of the compromise of customers’ private identity data and financial records,” Gearhart said, “including the compromise of data on 40 million credit card holders and a number of additional customer account data security compromises at FDIC insured banks, it is becoming evident that if a bank is to continue to hold or gain market share in today’s online banking environment, enhanced data security is a must.”

New Authentication Technologies

Some financial institutions are deploying new authentication technologies — like graphical watermarks — to hamper hackers who can somehow slip past biometric and token technologies, experts tell The E-Commerce Times. These measures are being taken out of a concern that the institutions themselves will be on the hook, rather than the FDIC, if money is stolen from an online checking or savings account.

“We’ve seen evidence of new Trojans that bypass most two-factor authentication devices — e.g. tokens and biometrics — by waiting for the user to authenticate at log-in,” said Naftali Bennett, chief executive officer of Cyota, a developer of authentication technologies, based in New York.

“Once authenticated, these Trojans come alive and drain the accounts behind the scenes,” Bennett explained. “Unlike spyware or phishing, there is no need to capture the target’s ID or password. Once they open the door, the thief walks in behind them.”

1 Comment

  • It is definitely up to the banks to secure customers’ online accounts. But that is not the whole story. It is also up to the customer to be aware and to take proactive measures to secure their identity when doing financial transactions online. One step is to subscribe to a service like Anonymizer to prevent these ghastly mistakes. Organized crime has created a business model around hacking. Services like Anonymizer help protect me from malicious phishing and pharming attacks as well as other malware tools. Anonymizer is a neat little program that hides my IP address when I’m surfing the Internet. This means nobody can tell what IP address my Web connection originates from. It also creates an encrypted link to the Internet using 128-bit SSL technology. Of course, not foolishly giving out your personal information blindly is the first major step in self-protection. Until a hacker creates an attack with artificial intelligence, I think this is the best way I can protect myself . . . barring abstinence from the Internet? It’s also up to the banking industry to beef up their security. The whole point of online banking is not only for customer convenience but also to lower overhead costs. If the banking industry is losing millions of customers, don’t you think it would benefit them to invest in technology like Anonymizer to protect their customers in the first place?
