Online Banking: How to Avoid the Threat of Fraud

Better security is costing banks less while costing corporates more. This is the uncomfortable truth when it comes to security in online commerce. It is also true that the new standards for two-factor authentication will not, on their own, improve e-commerce security, because thieves' strategies have already leapfrogged the gains made in authenticating users: the attack now happens to the transaction after the user has logged in.

Many banks, especially the largest ones, report that they are suffering smaller losses to fraud in actual dollar terms. But consumers are losing more. For instance, they received almost twice as many phishing emails in 2006 as they did in 2004, according to Gartner Group. Gartner's figures correspond to 109 million consumers experiencing an attack in 2006, compared to 79 million in 2005 and just 57 million in 2004. While the number of people who said they had lost money to online fraud went down by 24%, the average loss jumped from US$257 in 2005 to US$1,244 in 2006. Worse, the percentage of the lost money that was recovered or refunded to the consumer dropped precipitously.[1]

As a result of findings like these, customers are avoiding and abandoning online banking and online shopping in droves, which costs all banks more to service those customers. Gartner estimates that in 2006 alone, over US$2bn was lost in US e-commerce through customers abandoning or avoiding online banking, electronic shopping and e-payments. To add to this, a recent survey by Javelin showed that 41% of customers would change banks or reduce their online usage if their institution suffered a data breach.

Resistance to Improvement?

Why are some banks resisting improvements to online security? Because banks look in isolation at the direct losses from security breaches. They do not take into account the lost customer confidence that prompts a customer to change banks, the cost of servicing customers through branches instead of online, and the revenue forgone by being unable to offer secure, high-value services online. Because banks are under-forecasting their total losses, too many conclude that higher spending on security is not justified.

Banks are also being cautious because of concern that higher security measures will make it harder for their customers to use their online systems. According to Javelin Research, consumers are willing to take additional steps if better security is provided for free.

These are the fundamental reasons why banks have been slow to provide real security. Their resistance is underscored by the fact that the Federal Financial Institutions Examination Council (FFIEC) had to mandate that banks provide two-factor authentication. Even now, many banks adopt a minimal approach that technically complies with the requirement without materially raising security.

Why Are Customers More Vulnerable?

As larger banks implement better authentication measures to make sure the customer is who he says he is, and law enforcement improves recovery when it can find the perpetrator, criminals are adapting by:

  • Corrupting transactions as they happen, after authentication of the user has already completed (e.g. man-in-the-middle attacks, trojans and other malware).
  • Attacking smaller financial institutions that have been slower to implement improved security measures.
  • Compromising customers through sites that are not insured against loss, and through payment methods or retail sites.
  • Enlisting employees in information theft; studies are showing a 400% increase in theft of information by employees working with outsiders.
  • Moving offshore where law enforcement cannot reach them. They operate from China and former Soviet bloc countries, and they are dispersed and mobile enough that they cannot be caught.

Let’s take a step back and look at security measures that are most commonly used right now – whether for Internet commerce, for telephone transactions, or even for tellers at branches.

The ATM card is probably the most successful two-factor authentication device ever invented: the card is something you have, the PIN is something you know, and the ATM and its connection to the bank are controlled by the bank and trusted by the user. The same concept does not carry over to online transactions, because the customer's computer and Internet connection are not owned or controlled by the bank; they are less secure, and users know it.

Most e-commerce sites use static user name and password authentication, and a PIN code serves for telephone transactions. An easily stolen photo ID may (or may not) be required for transactions at teller stations. While employee theft is becoming more common, banks control the branch environment and the transactions that run over private lines, which reduces the risk on those channels. The highest vulnerability lies with public communication, that is Internet and phone transactions, and wherever the customer is not actually known to the bank or payment provider.

In this increasingly anonymous world, security experts are examining and testing five additional measures to prevent fraud:

  1. Out-of-band verification of identity via a separate channel or session, similar to the way many websites confirm, via a separate email, that you have actually enrolled in their service.
  2. Risk analytics to spot atypical patterns of behaviour that might signal a fraud in progress, much as credit card issuers monitor transactions with heavyweight modelling software.
  3. One-time passwords (OTPs) that change every minute or with each session; the second factor in 'two-factor authentication'.
  4. Mobile public key infrastructure (PKI) for mobile devices and communications.
  5. Biometrics, such as the facial recognition methods being tested to improve airport security.

Most products only use one of these methods. Whether you close one door or two makes no difference to a burglar unless you close all the doors.

The Biggest Vulnerabilities in 2007

  • Compromised user computer: trojans and malware installed on the user's machine that enable man-in-the-middle (MITM) and phishing attacks.
  • Intercepted communication that hides an interloper who talks to both the website and the user and alters a transaction undetected; a form of man-in-the-middle attack.
  • Forged website to which the user is diverted, which then collects his user name, password and other critical data for fraudulent use by the thieves; this is a phishing attack.

Customers also present a large risk. They often resist taking responsibility for increased security, yet expect their providers to implement it and to be liable if it fails. Customers do not want to carry a device unless it fits in their wallet; they do not want to incur the expense of improving their own security (or have not until now, since they expect the banks to pay); and they do not want different security solutions or 'token necklaces' with a plethora of tokens or cards, each unique to a different site.

A recent study conducted by MIT and Harvard showed that 97% of users went ahead and entered their password even when the image-authentication indicator was missing. These systems present the end user with a previously chosen image, typically at the point where the password is requested, so that a forged site, which does not know the image, can be recognised. A 97% failure rate shows that relying on user diligence does not work as intended.

Essential Requirements for Next Generation Security

Next-generation security solutions should incorporate the most effective methods from prior solutions and be built on the following principles:

  • Mutual verification, where the customer verifies the bank and the bank verifies the customer.
  • Out-of-band authentication, because relying on the primary channel to detect a man-in-the-middle will not work. The out-of-band message must show the details of the transaction the user is approving (payee, amount); a bare code can simply be relayed by the interloper.
  • Two-site validation, where each location knows only part of the code.
  • Two-factor authentication, which uses a physical device such as a smartcard to add the 'something you have' factor to the 'something you know', such as a password.
  • End-point and channel-dependent authentication.
  • Session-dependent authentication, so that a credential captured in one session is useless in another.
  • Transaction-level protection (signing or encryption) applied before critical transactions are submitted, so that a change to payee or amount in transit is detected.
  • Proactive monitoring to detect trojans and malware.
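The following is an added worked example, not code from the article or from any bank's product, showing why the one-time passwords of item 3 above do not stop the post-login man-in-the-middle from the vulnerabilities list, and how binding the second factor to the transaction, the session and a bank-issued challenge (the out-of-band, session-dependent and transaction-level principles just listed) does. It assumes a per-customer secret provisioned in a token or mobile app; the session id, challenge, payee identifiers and amounts are constructed for the demonstration.

```python
"""Transaction-bound one-time codes versus a plain OTP against a man-in-the-middle.

Added illustration, not the article's or any bank's code. Assumes a per-customer
secret provisioned in a token or mobile app; session id, nonce, payees and
amounts below are constructed.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 31 bits at an offset chosen by the last nibble."""
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238, HMAC-SHA1): the 'password that changes every minute'."""
    counter = struct.pack(">Q", unix_time // step)
    return _truncate(hmac.new(secret, counter, hashlib.sha1).digest(), digits)


@dataclass(frozen=True)
class Transfer:
    session_id: str    # the authenticated online session (session-dependent)
    nonce: str         # bank-issued challenge, fresh per transaction (replay protection)
    payee: str         # constructed account identifier
    amount_cents: int


def transaction_code(secret: bytes, tx: Transfer, digits: int = 8) -> str:
    """'What you see is what you sign': an HMAC over the exact details the signer sees,
    plus session id and nonce, so the code is useless for any other transfer."""
    canonical = f"{tx.session_id}|{tx.nonce}|{tx.payee}|{tx.amount_cents}".encode()
    return _truncate(hmac.new(secret, canonical, hashlib.sha256).digest(), digits)


def bank_accepts_otp(secret: bytes, submitted: str, now: int) -> bool:
    """Second-factor check that only proves the user holds the token."""
    return hmac.compare_digest(submitted, totp(secret, now))


def bank_accepts_transfer(secret: bytes, received: Transfer, submitted: str) -> bool:
    """Recompute the code over the transfer the bank actually received."""
    return hmac.compare_digest(submitted, transaction_code(secret, received))


def simulate_mitm(secret: bytes, now: int) -> tuple[bool, bool]:
    """The customer confirms one transfer; a man-in-the-middle on the primary channel
    rewrites the payee after login. Returns (otp_accepted, transaction_code_accepted)."""
    nonce = secrets.token_hex(8)   # delivered to the user out of band with the details
    intended = Transfer("sess-42", nonce, "DE00 0000 0000 0000 0000 01", 10_000)
    tampered = Transfer("sess-42", nonce, "DE00 0000 0000 0000 0000 99", 10_000)

    # (a) Plain OTP: the code depends only on time, so the interloper forwards it
    # unchanged and the tampered transfer is accepted.
    otp_ok = bank_accepts_otp(secret, totp(secret, now), now)

    # (b) Transaction-bound code: the token signs what the user confirmed; the bank
    # verifies over what it received. They differ, so the transfer is rejected.
    tx_ok = bank_accepts_transfer(secret, tampered, transaction_code(secret, intended))
    return otp_ok, tx_ok


def replay_rejected(secret: bytes) -> bool:
    """A code captured for one transfer does not verify under a fresh nonce."""
    first = Transfer("sess-42", "a1b2", "DE00 0000 0000 0000 0000 01", 10_000)
    again = Transfer("sess-42", "c3d4", "DE00 0000 0000 0000 0000 01", 10_000)
    return not bank_accepts_transfer(secret, again, transaction_code(secret, first))


if __name__ == "__main__":
    key = secrets.token_bytes(20)   # per-customer secret, normally provisioned in the token
    print("OTP accepted, transaction code accepted:", simulate_mitm(key, 1_700_000_000))
    print("Replay rejected:", replay_rejected(key))
```

Running it prints `(True, False)` for the two checks: the time-based OTP lets the altered payee through, while the transaction-bound code fails because the bank recomputes it over the tampered details. The user only ever sees the intended payee, so the scheme still depends on the out-of-band channel (or the token display) showing the real transaction details rather than a bare code.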

Beyond implementing the best security technology, every bank, payment processor, e-commerce site and investment firm must work carefully to help its customers and its organization to beat the criminals before they strike. In meetings with several global providers, we heard the following imperatives:

  • Minimise infrastructure or set-up costs for organisations.
  • Decide that use of special hardware should be optional.
  • Employ a graduated approach that facilitates easy transition to various security levels.
  • Allow users to determine, for themselves, the desired balance between level of security and ease of use.
  • Employ standards-based solutions that work across multiple applications and channels.

Conclusion

The industry has to improve security across the whole spectrum of risk. Because of the cost of previously available security solutions, the large banks implemented security first where the risk of loss was highest. Small business customers and consumers came last because their transactions were smaller and fewer, their balances were lower, and each incident represented a smaller loss.

However, let us return to our starting premise: spending less on security in those segments actually costs more. We know that the cost of servicing consumers and small and medium-sized businesses is high compared with private banking and corporate clients. Every time one of those customers votes with his feet by not using online banking, by forgoing e-commerce transactions and electronic payments, the cost of servicing that customer rises sharply.

[1] According to an article in Bank Systems and Technology.
