74
IT SECURITY
to admit to what, right? For the most part, the majority of banks know where their weak points are, but what sometimes works against them, particularly for the larger fi nancial institutions, is the fact that they are extremely siloed.” A large siloed bank will struggle with cross-channel communication; a structural defect that can have a negative impact on the security of its customers. “It becomes very difficult to investigate fraud and security issues if a bank’s cross-channel capabilities are impeded,” reveals Potterton. “It becomes really difficult for a bank to identify the patterns that are held and then be able to work cross channel to pinpoint where there might be fraudulent activities. So you might have someone fraudulently fi lling out a credit card application while at the same time opening a bank account while at the same time maybe applying for a mortgage. And this is where it gets difficult, which is why I think real-time monitoring across channels is the key to successfully combating fraud. While I think that people understand this, the capabilities that banks have to combat that in real-time are still at the early stages of development.” To expect even the most un-siloed bank to be able to combat and repel every security attempt it faces is, believes Potterton, optimistic. “I would like to think that we will get to a state of complete privacy, but I sit in on some session at banking tech conferences and you hear the sta-
THE SAFEST WAYS TO BANK Trust them or not, banks are still the safest place for your money, and while electronic banking increases your chances of becoming a victim of fraud, nearly all financial institutions have put in place a layer of security designed to protect the customer.
Most banks now have zeroliability policies for debit cards, designed to limit the direct risk to users in much the same way a credit card does.
IT SECURITY.indd 74
Figures from Javelin Strategy show that the average cost of fraud to victims using debit cards has fallen from $739 in 2007 to just $243 in 2009. With credit cards, those figures are $696 and $314 respectively, which highlights just how much the situation has been improved for debit card users.
If using your card online to make purchases, be aware of the site’s url – protected web sites should show ‘https’ to denote SSL encryption, rather than the non-encrypted ‘http’ prefix.
Setting up email or text alerts to signal when a purchase on your card has been made is a good way to keep track of your purchases, and a swift way of identifying fraud.
tistics and you think to yourself: ‘oh my god, I’m going to close all my online accounts and go back to walking into a branch. I’m going to get rid of my computer and everything,’ because it can really scare your socks off.” Potterton also believes that the increasingly sophisticated band of cyber criminals will not only be able to keep pace with security soft ware development, but might even stay one step ahead. “I think we can get to a level of security that is reasonable but, in all honesty, I think that the threats, the malware, the bots and all the other nasty things out there are just going to continue to be one step ahead. Because it’s the old adage – banks are where the money is, so scammers will forever be fi nding creative ways of coming in through the back door, or fi nding other way to get at the money.”
Reactive in recession The recent economic turmoil experienced by millions in the western world has damaged many people’s previously unshakeable trust in large fi nancial institutions. The banking industry has had to work doubly hard in order to recover that trust and acceptance, but craft y and unscrupulous cyber criminals looking to exploit the fi nancial woes of millions in order to make a fast buck are hindering it in its objectives. “Such an economic environment is fertile breeding ground for people to justify going after things in an illegal way,” admits Potterton. Faced with such perpetual threats, fi nancial institutions are being encouraged to shift their attitudes towards security from reactive to proactive; by aggressively implementing strategies that protect their perimeter before, and not after, the hackers, phishers and fraudsters identify a weak spot. “We did some research on this,” concludes Potterton. “The banks actually asked us to go out to see what would people’s attitudes be if banks were more proactive with providing soft ware tokens out to the end devices. What we found was, as you might suspect, people were in favor of that, but there were others who were not. So I think again that it is the banks that would love to do it, although there is an element of support and risk that goes with that. Some people just will not feel ready for it. That is, until they get hit themselves, and then they are more likely to want to get on board.” The last two years have been tremendously trying for the fi nancial institutions. The banking industry has taken a number of hits on many fronts, from being forced to close their doors, to bailouts and a sharp decline in consumer trust. “They are just getting to the point where they are seriously able to begin rebuilding that trust,” says Potterton. “They are really thinking about ways to communicate their efforts at increasing security without damaging the relationships they have with their clients. Some banks will take the risk of acting upon their security concerns without consulting or engaging with their customers, and that’s fi ne. But I think for banks to effectively rebuild trust and build a stronger security perimeter, they have got to engage with their clients if they wish to achieve that.”
12/11/2010 16:21