Written by Liz Morrell
A recent report from the Treasury Select Committee criticised UK banks for not doing enough to protect against online fraud. The claim has been met by the industry with mixed views, with some in agreement and others blaming the Government for not taking data security seriously enough and calling for a regulatory body to set regulations to protect bank customers. Liz Morrell reports
Jim Fulton, vice president at DigitalPersona, believes some of the criticism has been unfair. “To declare that banks are unprepared to deal with online fraud is to tar them all with the same brush, including those who have taken proactive steps to protect their customers,” he says. However, Catalin Cosoi, head of the BitDefender Online Threats Lab, says the report accurately depicts the current situation, and that banks face a challenge. “Although certain banks seem to be giving their security policies a greater level of focus and have added in extra layers of security, the overall picture is that no radical or large scale transformation is taking place.” The report has certainly reopened the debate about who exactly is responsible for weaknesses in the system.
Kevin Bocek, product director at IronKey, says a joint effort is needed to combat the new wave of online crime. “The responsibility now is for UK banks and Government to overtake these new attacks.”
“Stricter regulation is obviously required but is proving hard to do,” comments Luke Degan of Siemens IT Solutions. “The regulatory teeth are getting stronger but there is still an attitude that the banks will take the fines on the chin.” But Alessandro Morretti, a volunteer member from Switzerland’s ISC Board of Directors and a senior risk and security executive in financial services, says it needs to be clearer who the financial sector can turn to for help. “It is still confusing who the financial sector should turn to in the Government to deal with this persistent threat.”
James Panton, general manager of brand protection services at Melbourne IT, says sometimes the weaknesses in systems can be simply down to the structure of banks. “Even though it is one vertical, every bank is structured in a different way - for example our client Royal Bank of Scotland has an e-crime fraud department and a separate department looking after intellectual properties. That’s a very neat structure but other organisations have multiple silos and don’t know everything about the other silos and it’s those institutions that are more susceptible to attack.”
But the risk is also coming from increasingly sophisticated attacks - such as a phishing email which downloads a keylogger or other malware when opened. Because of this many lay the blame with consumers, but Garry Sidaway, director of security strategy at Integralis, says sometimes customers just don’t know how big a risk they face. “Currently there is no clear liability - the consumer is protected as long as they do the right things and the banks do not have to disclose each incidence of fraud - protecting their brand and allowing them to be self-policing.”
This means that customers can do the bare minimum because they simply don’t realise the knock-on effect their actions can have. For other customers it’s simply a lack of knowledge. “The banks need to do a better job of educating consumers about the role they play in protecting their transactions from fraud,” says Michael Gabriel, director of data protection practice at Integralis.
Without that, customers will circumvent security measures they see as being inconvenient. “They don’t really understand the risks and see stronger authentication methods as the complete opposite of why they do online banking in the first place - it’s quick and easy. The typical reaction to stronger security is for the user to take less care about the site they are on or the process they follow,” he says.
Fulton believes the lack of a common standard for online authentication is also to blame. “The level of protection given to online customers varies widely. Different banks provide very different levels of protection but in this day and age it’s unforgivable for a retail bank to rely on simple, static and user-chosen passwords which are easily hacked, forced or stolen,” he says.
Malcolm Marshall, head of information security at KPMG, says financial institutions need to get better at knowing their customers. “The main control behind the scenes is ‘Transaction Risk Scoring’ or reviewing various characteristics of a transaction to determine whether it should be allowed, referred or denied and which may include customer behaviour, transaction patterns and the time of day. We are seeing banks leveraging this data to make an accurate risk call that doesn’t significantly raise false positives and block legitimate transactions. Banks are also increasing their focus on Cross Channel Transaction Monitoring - pooling data and intelligence about behaviour and account activity across multiple channels,” says Marshall.
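To make the allow/refer/deny mechanism Marshall describes concrete, here is an added example of a minimal transaction risk scorer. It is illustrative code written for this article, not KPMG’s or any bank’s system: the signal weights, the two decision thresholds, the customer history and the candidate payments are all constructed assumptions. The design point it shows is the false-positive trade-off from the quote: each signal (unusual amount, new payee, new country, new device, unusual hour) carries a weight, and no single signal is heavy enough to deny on its own, so a customer paying a new payee from their usual device is allowed or referred rather than blocked, while several anomalies together cross the deny line.

```python
"""Transaction risk scoring: allow / refer / deny for one online payment,
based on a behavioural baseline built from the customer's past payments.

Illustrative example only; weights, thresholds and sample data are assumed.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transaction:
    amount: float
    payee: str
    country: str     # country the banking session originates from
    device_id: str   # device/browser identifier supplied by the front end
    when: datetime


@dataclass(frozen=True)
class Profile:
    """Baseline derived from a customer's previously approved payments."""
    mean_amount: float
    std_amount: float
    payees: frozenset
    countries: frozenset
    devices: frozenset
    hours: frozenset


def build_profile(history):
    amounts = [t.amount for t in history]
    return Profile(
        mean_amount=mean(amounts),
        # floor the spread so a flat history cannot divide by zero
        std_amount=max(pstdev(amounts), 1.0),
        payees=frozenset(t.payee for t in history),
        countries=frozenset(t.country for t in history),
        devices=frozenset(t.device_id for t in history),
        hours=frozenset(t.when.hour for t in history),
    )


# Assumed weights. The heaviest single signal (40) is below DENY_AT (70),
# so one novel attribute on its own can only refer a payment, never deny it.
ALLOW_BELOW = 30
DENY_AT = 70


def score_transaction(txn, profile):
    """Return (score capped at 100, list of human-readable reasons)."""
    score, reasons = 0, []
    z = (txn.amount - profile.mean_amount) / profile.std_amount
    if z > 3:
        score += 40
        reasons.append(f"amount z={z:.1f} far above baseline")
    elif z > 2:
        score += 20
        reasons.append(f"amount z={z:.1f} above baseline")
    if txn.payee not in profile.payees:
        score += 15
        reasons.append("first payment to this payee")
    if txn.country not in profile.countries:
        score += 30
        reasons.append(f"session from unseen country {txn.country}")
    if txn.device_id not in profile.devices:
        score += 20
        reasons.append("unrecognised device")
    if txn.when.hour not in profile.hours:
        score += 10
        reasons.append(f"unusual hour {txn.when.hour:02d}:00")
    return min(score, 100), reasons


def decide(score):
    if score < ALLOW_BELOW:
        return "allow"
    if score < DENY_AT:
        return "refer"   # hand to a human reviewer or step-up authentication
    return "deny"


def evaluate(txn, history):
    """Convenience wrapper: (decision, score, reasons) for one payment."""
    score, reasons = score_transaction(txn, build_profile(history))
    return decide(score), score, reasons


# Constructed sample history: daytime, UK, two known devices, three payees.
HISTORY = [
    Transaction(45.0, "council-tax", "GB", "d-laptop", datetime(2011, 3, 1, 9, 15)),
    Transaction(60.0, "electric-co", "GB", "d-laptop", datetime(2011, 3, 3, 10, 0)),
    Transaction(80.0, "council-tax", "GB", "d-laptop", datetime(2011, 3, 7, 11, 30)),
    Transaction(30.0, "jane-smith", "GB", "d-phone", datetime(2011, 3, 9, 12, 45)),
    Transaction(120.0, "electric-co", "GB", "d-laptop", datetime(2011, 3, 12, 13, 0)),
    Transaction(55.0, "jane-smith", "GB", "d-laptop", datetime(2011, 3, 15, 14, 20)),
    Transaction(70.0, "council-tax", "GB", "d-phone", datetime(2011, 3, 18, 15, 0)),
    Transaction(95.0, "electric-co", "GB", "d-laptop", datetime(2011, 3, 22, 16, 10)),
    Transaction(40.0, "jane-smith", "GB", "d-laptop", datetime(2011, 3, 25, 17, 30)),
    Transaction(65.0, "council-tax", "GB", "d-laptop", datetime(2011, 3, 29, 18, 0)),
]

if __name__ == "__main__":
    candidates = [
        Transaction(60.0, "council-tax", "GB", "d-laptop", datetime(2011, 4, 1, 13, 0)),
        Transaction(50.0, "new-shop", "GB", "d-tablet", datetime(2011, 4, 2, 14, 0)),
        Transaction(2500.0, "mule-account", "RO", "d-unknown", datetime(2011, 4, 2, 3, 0)),
    ]
    for c in candidates:
        print(c.amount, c.payee, "->", evaluate(c, HISTORY))
```

A production scorer would also feed in the cross-channel data Marshall mentions (card, branch and call-centre activity for the same customer) and tune the weights against labelled fraud cases; the point here is only the shape of the decision, and that referral exists precisely so that moderate anomalies do not have to be either waved through or blocked.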
But behaviour around social media is posing one of the biggest threats to data security in the financial world. “Social media is providing a wealth of information that can be harvested fairly easily by those with malicious intent,” says Gabriel.
“As the consumer advertises his or her ‘wealth’ on Facebook - such as through the number of holidays and security details such as birthdays and pets, then targeted social engineering will continue,” says Morretti.
Ted Egan, CEO and co-founder of TrustDefender, believes the mobile world poses the biggest risk of all. “With more information moving to the cloud, growth of mobile computing devices, and growth in social networking and app stores where you can download almost anything - which may or may not be a secure app - the dynamics to the security and trust issue for all stakeholders are different.”
Egan argues that banks need to educate users directly. “It needs to be real-time education based on the security health of the device the user is using. This information must be delivered in real-time and be relevant to the user, not generic guides within a website no-one ever reads or visits,” he says.
Sidaway expects the baseline to rise. “Trust in the virtual world will become essential and bio and secure operating systems will start to take hold. Strong authentication to the local device combined with trusted OS maybe through a cloud or virtual desktop and two-way SSL are a minimum in this virtual world,” he says.
So what other options are there? Sidaway suggests one solution could be the banking world looking again at the tokens in use with regard to personal information. “It is easy to find out where I live and my mother’s maiden name - perhaps these could be used for relatively low transactions with increasingly more obscure tokens being used for high value transactions such as how many chairs do I have in my conservatory.”
Some believe that two-factor authentication is good enough - others that more needs to be done. “This is where education comes into play. If consumers don’t understand their responsibility to keep their tokens separate from their PIN numbers, for instance, it defeats most of the benefits of 2FA,” says Gabriel.
Bocek points to a recent Gartner report which highlighted the new Layer 1 technologies aimed at preventing fraud on customers’ computers - including secure browsers run from read-only USB devices, intended to counter criminals who circumvent authentication controls by hijacking already-authenticated banking sessions. “They are aimed directly at providing a safe environment that’s separate from the likely infected computer, so instead of trying to detect different variants of criminal attacks banks can instead take online banking out of the reach of criminals,” says Bocek.
Further down the line biometrics may play an increasing role but again opinion is divided. “I don’t see them as a replacement for educating the consumer. If customers offer up their fingerprints to other services for convenience’s sake, then fingerprint biometrics become less useful,” says Gabriel.
Fulton believes it is a viable option. “Biometrics technology has come on in leaps and bounds over the last few years and is now a reliable and affordable option for retail banks that want to protect their customers,” he says.
However, others disagree: “Implementing biometrics in authentication systems would certainly help but doing this on a large scale takes considerable time and a sizeable budget,” says Cosoi. But according to Datapoint, one leading financial services organisation it is working with is already trialling voice biometrics in its call centres - the first in Europe to do so. Datapoint says the technique is more accurate than iris recognition and fingerprint authentication. “Biometric voice verification provides financial establishments with an enhanced system for effective risk management, compliance with industry regulations and helps to combat against fraud and identity theft,” says David Marshall, head of business development for Datapoint’s Voice self-service practice.
But as threats continue to evolve so the data security challenge will continue. “Ultimately the banks are the ones that will get hit so it’s in the bank’s interests to detect and continually educate their customers,” says Panton.
“Fraudsters’ success is dependent on their creativity and agility,” says Cosoi. “They can devise new techniques and systems at a much faster pace than banks are able to modify or improve their security measures.”
It seems the game of cat and mouse is set to continue for some time yet.