Recognizing that defenses are only as strong as the weakest link, Bank of America has moved to shore up an area that largely is beyond its control: customers' desktops. In a move experts say is a step in the right direction toward improving online banking security, the Charlotte, N.C.-based bank announced a partnership with Symantec (Cupertino, Calif.) in which the bank will offer the security solutions provider's software to online banking customers.
According to Bruce Cundiff, a senior analyst with Pleasanton, Calif.-based Javelin Strategy & Research, the deal represents a banking best practice whose day has come. "Deputizing the customer -- bringing them into the security process ... adds layers of security," he says. No matter how strong a bank's security measures may be, end users' PCs end up being the weak links in the security chain, Cundiff explains. So it's in the banks' best interest to engage consumers.
The question remains: will the simple use of a tool like Norton mitigate the risk to the institution? Not likely. Tools alone will not stem the risks they seek to avoid, reduce or eliminate. However, customer loyalty, reputation management and a defensible standard of care will all get an uptick from this kind of behavior by the institution.
These and other measures Bank of America has offered to consumers, such as "Safepass" and a downloadable "Earthlink"-powered plug-in for the Internet Explorer toolbar, are again tools that give consumers a false sense of security, because the bank has endorsed them and asked customers to use them. Whenever you give people the feeling that they are completely protected, that is the point at which they become complacent. They stop learning and stop paying attention to the cues and clues that they are in the midst of a fraud scheme or that their identity has been stolen.
So what is the answer for banks whose mounting operational risks extend into the homes of consumers who bank online? More tools?
Hackers no longer need to be technical wizards to set up an operation to steal people’s banking information and then rob their accounts.
The number of hackers attacking banks worldwide jumped 81 percent from last year, and the number of hackers targeting credit unions increased 62 percent, according to SecureWorks. The figures are based on attacks on the Atlanta-based managed information security services provider's financial institution customers.
So why are there so many more hackers today? Joe Stewart, a senior security researcher at SecureWorks, says that hackers no longer need to be technical wizards to steal people's banking information. Hacking tool kits and malware are for sale in the online underground, he explains, noting that all hackers need are basic technical skills and the knowledge of where to go to buy what they can't build themselves.
"You go to a Web site and pay $100 to several hundred dollars, and you can buy a turnkey exploit package," says Stewart. "You can buy the malware, too, and then you're in business. ... All you really need to know how to do at this point is set up a Web site."
Whether the answer is more education, mandatory downloads of new software prior to logging into the SSL banking site, or increased fraud detection systems, the problem will not be solved anytime soon. So what can you do to mitigate the risk as a consumer?
First off, don't do any online banking with a firm that has not implemented multi-factor authentication. Many are still dragging their customers into the false thinking that a plain old user name and password alone will do the trick.
Second, as a consumer you have to lock down your identity. Go beyond the monitoring services such as those offered by Equifax or Fair Isaac and use the services offered by Lifelock.
Finally, as a bank or financial institution providing investment services you must invest in the awareness building of your employees, partners, customers and your clients. The education of the consumer is still one of the most effective means for defeating the organized criminal, face to face or online. Think about the new ad campaigns you may have seen about fake checks and I think you will see what we mean.