Online Banking: How to Avoid the Threat of Fraud
Better security is costing banks less while costing corporates more. This is the uncomfortable truth when it comes to security in online commerce. It’s also true that the new standards for two-factor authentication won’t improve e-commerce security because thieves’ strategies have already leapfrogged gains made in authenticating users.
Many banks, especially the largest ones, report that they are suffering smaller losses to fraud in actual dollar terms. But consumers are losing more. For instance, they received almost twice as many phishing emails in 2006 as they did in 2004, according to Gartner Group. Gartner’s results correlate to 109 million consumers experiencing an attack in 2006, compared to 79 million in 2005 and just 57 million in 2004. While the number of people who said they’d lost money to online fraud went down by 24%, the average loss skyrocketed from US$257 in 2005 to US$1,244 in 2006. Worse, the percentage of the lost money that was recovered or refunded to the consumer dropped precipitously.[1]
As a result of findings like these, customers are avoiding and abandoning online banking and online shopping in droves, which costs all banks more to service those customers. Gartner estimates that in 2006 alone, over US$2bn was lost in US e-commerce through customers abandoning or avoiding online banking, electronic shopping and e-payments. To add to this, a recent survey by Javelin showed that 41% of customers would change banks or reduce their online usage if their institution were compromised by a data breach.
Why are some banks resisting improvements to online security? It is happening because banks look in isolation at the direct losses from security breaches. They do not take into account the lost customer confidence that prompts a customer to change banks, the cost of servicing customers through branches instead of online, and the revenue lost by being unable to offer secure, high-value services online. Because banks are inaccurately forecasting their total losses, too many conclude that higher spending on security is not justified.
Banks are also being cautious because of concern that higher security measures will make it harder for their customers to use their online systems. According to Javelin Research, consumers are willing to take additional steps if better security is provided for free.
These are the fundamental reasons why banks have been slow to provide real security. Their resistance is underscored by the fact that the Federal Financial Institutions Examination Council (FFIEC) had to mandate that banks provide two-factor authentication. Even now, many banks adopt a low-security approach that technically complies with the requirement.
Why Are Customers More Vulnerable?
As larger banks implement better authentication measures to make sure the customer is who he says he is, and law enforcement improves recovery when they can find the perpetrator, criminals are adapting by:
Let’s take a step back and look at security measures that are most commonly used right now – whether for Internet commerce, for telephone transactions, or even for tellers at branches.
The ATM card is probably the most successful two-factor authentication device ever invented, because the ATM and its connection to the bank are controlled by the bank and trusted by the user. A similar concept will not work for online transactions, however, because the customer’s computer and Internet connection are not owned or controlled by the bank – they are therefore less secure, and users know it.
Most e-commerce sites use static username and password authentication, and a PIN code serves for telephone transactions. An easily stolen photo ID may (or may not) be required for transactions at teller stations. While employee theft is becoming more common, banks control the branch environment and the transactions that occur over private lines, which reduces the risk associated with those channels. The highest vulnerability lies with public communication – Internet and phone transactions – where the customer is not actually known to the bank or payment provider.
In this increasingly anonymous world, security experts are examining and testing five additional security measures that could prevent fraud:
Most products only use one of these methods. Whether you close one door or two makes no difference to a burglar unless you close all the doors.
Customers also present a huge risk. They often resist taking responsibility for increased security, yet they expect their providers to implement it and to be responsible if it fails. Customers don’t want to carry a device unless it fits in their wallet; they don’t want to incur the expense of improving their own security (or at least they haven’t so far; they expect the banks to pay); and they don’t want a different security solution for every site, or ‘token necklaces’ with a plethora of tokens or cards, each unique to a different site.
A recent study conducted by MIT and Harvard showed that despite warnings, 97% of users continued their transactions and ignored the security measures provided by image authentication systems. These systems present the end user with a previously chosen image, typically at the same time the password is requested, so that a missing or wrong image should warn the user that the site is not genuine. A 97% failure rate shows that relying on user diligence clearly is not working as expected.
Next-generation security solutions must apply the following principles while incorporating the most effective methods from earlier solutions:
Beyond implementing the best security technology, every bank, payment processor, e-commerce site and investment firm must work carefully to help its customers and its organization to beat the criminals before they strike. In meetings with several global providers, we heard the following imperatives:
The industry has to improve security across the whole spectrum of risk. Because of the cost of previously available security solutions, the large banks implemented security first where the risk of loss was highest. Small business customers and consumers came last because their transactions were smaller and fewer, their balances were lower, and each incident represented a smaller loss.
However, let’s go back to our starting premise: spending less on security in those sectors is actually costing more. We know that the cost of servicing consumers and small and medium-sized businesses is high compared to private banking and corporate clients. Every time one of those customers votes with his feet by not using online banking, by forgoing e-commerce transactions and electronic payments, the cost of servicing that customer increases exponentially.
[1] According to an article in Bank Systems and Technology.