Banking industry needs to tackle account hijacking
It seems clear that just about every bank is making an effort to educate customers about online fraud. What's tougher to gauge is how well banks are guarding the online vault. How many institutions are using the latest firewalls to protect their own computers against hacking and viruses? Are all banks being as vigilant as they should to ensure that vendors and third parties who have access to sensitive customer information are being held to a "best practices" standard?
Of course, many online fraud attacks are aimed at consumers' computers, so they, too, need to invest in appropriate firewalls or anti-virus software and practice good habits such as not opening and clicking links in unsolicited e-mail, going directly to the bank's Web site rather than clicking on an e-mail link, and keeping account numbers, user names and passwords someplace secure where strangers can't access them.
"We're taking a proactive approach and strategizing around issues such as this," says Wachovia e-commerce risk consultant Alecia Kontzen. "It's an ongoing part of what we do every day. We monitor trends and do customer surveys. We determine where we need to be next. With the evolving nature of phishing, it's a challenge for everyone."
Gartner research director Avivah Litan has noted how much further ahead the credit card industry is in detecting fraud. She says banks need to strengthen back-end detection of fraudulent checking account transactions and their front-end controls that give access to online accounts.
"The rules of the banking world have to change. It's up to the regulators. The FDIC is one small step. The customer can't be held accountable. It has to be like the credit card world where consumers have no liability. People wouldn't use their credit cards if they didn't have those rules. The same thing has to happen with online banking. People will get ripped off, they won't be reimbursed and they'll stop trusting the online channels."
Banks are looking at a variety of ways of letting customers know they're logging onto the bank's site and not a look-alike, and to ensure that the person logging on is the account holder, not a crook. No method is fail-safe, but most would be an improvement over the current system where the account holder enters a single password to gain access to the account, says Steve Klebe of PassMark Security.
"The real problem is weak one-way authentication. Phishing and keystroke logging are symptoms of that weak one-way, single-factor authentication. The only thing that's secret is the password.
"We developed a two-factor plus two-way authentication scheme. It's specifically designed for the typical consumer and doesn't require the consumer to download any new software or for the bank to deploy any physical hardware to the consumer."
With PassMark Security's system, you enter your user name on the bank's log-in page. At that point you'll see a particular phrase or image, called the PassMark, that you had set up in advance just as you set up a password. When you see the appropriate PassMark, you enter your password.
"(The PassMark is) a shared secret, a digital image or a short text phrase. When you log on we show you the shared secret -- a digital image of the Eiffel Tower or your dog. It gives the customer confidence that it's their bank's Web site," Klebe says. "The beauty is that the consumer will remember the unique shared secret and they'll come to expect seeing it. And we'll only show it if we're confident they're the legitimate user."
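The two-step, two-way login Klebe describes, modelled as an added example (this is not PassMark Security's code, and the class, method and token names are assumptions). The key defensive detail it shows is the last sentence of the quote: the shared secret is released only to a browser the bank already recognizes, so a username alone, which a phisher can harvest, never reveals it, and the consumer withholds the password whenever the expected PassMark is missing.

```python
import hashlib
import hmac
import os
import secrets

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SiteKeyBank:
    """Toy model of the two-way login described above (not PassMark's code):
    the site shows the shared secret only to a recognized browser,
    then verifies the password."""

    def __init__(self):
        self._users = {}          # username -> salt, password hash, passmark
        self._device_tokens = {}  # browser token (e.g. a cookie) -> username

    def register(self, username, password, passmark):
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "passmark": passmark,
                                 "pw_hash": _hash_pw(password, salt)}

    def issue_device_token(self, username):
        """Bind a browser to the account (assumed to follow an out-of-band check)."""
        token = secrets.token_urlsafe(16)
        self._device_tokens[token] = username
        return token

    def step1_show_passmark(self, username, device_token):
        """Step 1: the site proves itself. A username alone is harvestable, so the
        shared secret goes only to a browser holding a token issued for this account."""
        if self._device_tokens.get(device_token) != username:
            return None
        return self._users[username]["passmark"]

    def step2_check_password(self, username, password):
        """Step 2: the user proves themselves; constant-time compare."""
        user = self._users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(_hash_pw(password, user["salt"]), user["pw_hash"])

def consumer_login(site, username, expected_passmark, password, device_token):
    """The consumer's side: enter the password only after the expected
    shared secret appears, so a look-alike site never receives it."""
    if site.step1_show_passmark(username, device_token) != expected_passmark:
        return "refused: PassMark not shown"
    return "ok" if site.step2_check_password(username, password) else "bad password"
```

The constructed scenario in use: registering an account, binding one browser, and then attempting logins from that browser and from an unrecognized one.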