FSTUS 13

IT SECURITY 73

widespread support, but some banks are rightly concerned that by inhibiting their account holders’ freedom and convenience, they might be trampling all over the fragile green shoots of trust that have only just begun to re-emerge this side of the credit crunch.

“It’s potentially tricky,” admits Potterton, “but I think that most people will understand that tighter security is part and parcel of the current environment. They should understand that every person must be aware of their own account activity and not be fully reliant on their financial institutions to simply guide them through. So it comes back to that idea of collaboration, and it doesn’t have to be painful for the customer – simple forced changes in passwords and multi-factor authentication procedures are painless trade-offs. But ultimately, customer convenience is going to have to suffer.”

Financial institutions’ reluctance to engage with their customers on issues of security care may be born out of a reticence to not only admit potential weakness, but also be faced with charges of admitting to walking before they can run. Why, some may argue, have banks bent over backwards to offer such flexibility and convenience from a service perspective if their back-end security processes have been unable to keep up with the pace of their user-friendly interfaces?

“I think most customers know what’s going on. They know how it works. The issue in the USA has always been around convenience, convenience, convenience,” says Potterton. “And now we are at a stage where it is increasingly up to the financial institutions to do a better job of educating their customers about why things like tokens and single-use passwords are important.”

But convenience counts for little if fraud remains an ever-present, and very real, threat.

“To some degree,” continues Potterton, “the banking industry almost doesn’t want to bring up security as a big issue because they don’t want people to become unduly concerned about the battles they are fighting behind the scenes. However, they do have a duty to make their customers aware of what is going on, what the potential threats are, to make not just their accounts safer, but also their own lives a lot easier. A customer who understands why they have to follow stricter security measures is not going to think ‘why are they making my life more difficult?’ They will understand.”

Catch-22

Not all customers are born equal. For every hyperconnected early adopter, dripping with the latest technology and forever on the move, there is your more traditional bank customer who waits patiently for their monthly statement through the post, visits their local branch to make deposits and, if they are feeling adventurous, might pick up the phone to make a one-off transaction. The banking world is well aware that these opposite ends of the service spectrum are both incumbent and permanent – some people will always want a local branch, that human touch and actual safety deposit boxes as much as some people will forever be hankering after the next great technological hope for the banking industry. Balancing service and security between these two stools will continue to present the financial world with its biggest challenge as the 21st century plods onwards.

“Banks’ client bases range from the incredibly sophisticated to those who might never even bank online,” says Potterton. “Then there are those in the gray area who might not be the most technically sophisticated, but they will bank online. This group are more likely to be at risk from phishers and scammers because they are less likely to have installed the latest anti-virus software on their computer; they are less likely to know what they are doing and more prone to scams and simple errors.”

Statistics from the UK bear this out. Since 2008, online fraud in the banking industry there has increased by almost a third, with more than 100,000 victims of ID fraud reported in 2009, and 24,000 instances of account takeover. The majority of these victims fell prey to simple email phishing and social engineering scams: a worrying indicator that thousands of account holders are still quite naïve when it comes to simply conducting the most menial of online activities.

“I have had many conversations with financial institutions that are struggling to get the message across to their clients that they must take some responsibility for their actions; that banks cannot be depended on solely. But many banks realise that they have to walk their clients through this process. They have to give them the software and keep it updated for them, really just to make sure that they are not exposing themselves or the institution to threats and unwanted risk,” says Potterton.

But it is the tech-savvy customers who are steering the financial industry towards its catch-22 situation. Banks that rein in their services in too much of a draconian manner run the risk of losing a fair chunk of custom. Equally, banks that allow unchecked connectivity on all manner of platforms are faced with potentially exposing their customers to a greater range of threats, fraudsters and malware practices, thus running the risk of losing custom, too.

“It really is a catch-22 situation,” explains Potterton. “Banks are trying to expand their access points and it’s all going mobile, so handheld devices are really going to become the way that people interact. These devices could then become the testing ground for security procedures, so you could soon start seeing more limited access on balance checking, perhaps with second or third-level authentication required, or perhaps the reintroduction of tokens, or even something as drastic as an additional chip in these devices, things like that. There are so many different ways that this could play out.”

Cultural or structural?

Admitting to a weakness is not the same as identifying potential weak points and working hard to eradicate them. Potterton is of the opinion that banks’ predilection for collective macho posturing can often work against their efforts to collaborate with their customers. It would be far easier, he believes, if banks admitted that they could better balance their service if they received improved feedback and help from their clients. “Who’s going
