Banks have more technology and more incentive than ever to combat fraud in electronic banking services. But whether they have enough technology and incentive to protect consumers from the headaches of a compromised account, payment card or identity is doubtful.
“Threats are escalating more quickly than what banks, or even just other businesses in general, can deploy in terms of defenses against those threats,” says David Albertazzi, a senior analyst with Aite Group, a Boston-based financial sector research and analysis firm.
Part of the challenge is that the types of financial fraud and characteristics of fraudsters have changed in recent years.
Find the best checking accounts at Bankrate.com.
For instance, check fraud is in decline while electronic fraud is on the rise, and the latter tends to be perpetrated by more sophisticated criminals, says Doug Johnson, vice president of risk management policy at the American Bankers Association, a Washington, D.C.-based banking industry group.
Multiple locks to stymie hackers
Today’s perpetrators aren’t amateur hackers hanging out in someone’s garage. Nor are they concerned about justifying their technology expenses to senior management with a return on that investment the way bank security experts must do.
To fight back, the Federal Financial Institutions Examination Council, a joint effort of multiple government banking regulatory agencies, has instructed banks to adopt a “layered” approach to security, especially in the area of customer authentication, says Cary Whaley, vice president of payment and technology policy at Independent Community Bankers of America, a banking industry group based in Washington, D.C.
Authentication refers to the process by which a website, mobile app or other electronic banking service identifies the individual who wants to access it.
Banks have to rely to some extent on customers’ cooperation in the authentication process. That means using robust passwords and virus-protection software, not only on desktop computers but on mobile devices as well, Whaley says.
A broken bank security system
Yet, Aite Group’s Albertazzi describes the current system of usernames and passwords with which consumers are familiar as “basically broken.”
Consequently, banks also have begun to deploy an array of other technologies, some of which are so exotic and sophisticated they might seem like science fiction.
Here, courtesy of Albertazzi, is a summary of some of the technology that’s on tap:
- Device fingerprinting tracks a series of identifiable hardware and software attributes to recognize a user’s (or fraudster’s) device.
- Behavioral analytics monitor navigation techniques and other aspects of a user’s online behavior to search for anomalies or suspicious activity.
- Malware detection searches for potentially fraudulent changes to a user’s Web browser to assess whether it’s been compromised.
- Knowledge-based authentication presents a series of static or dynamic and supposedly secret questions to establish a user’s identity.
- Password tokens give a user a one-time-only password that must be entered before it expires.
- Out-of-band authentication challenges a user to access a one-time-only password or code that’s sent to another device, such as a mobile phone or land line.
- Transaction signing requires a user to digitally sign each transaction.
- Endpoint protection requires a user to download a one-time-only, secure browser to access a website.
- Voice printing records attributes of a caller’s speech over time, then matches those attributes against subsequent calls. Voice printing is an example of biometrics, which use unique physical traits or characteristics to identify individuals.
“If all my bank activity comes from Silver Spring, Maryland, and suddenly something is coming from St. Petersburg, Russia, a bank security system should pick that up,” Whaley says.
More fraud or less service
Banks recently scored a significant win in their fight against fraud when an appeals court ruled that the Federal Reserve can include the cost of fraud prevention in its government-mandated caps on the interchange, or swipe fees, that retailers pay when consumers use debit cards to purchase goods or services.
If those swipe fees and other bank revenues aren’t adequate to offset the cost of fraud prevention, detection and remediation, the alternative could be changes in the services that banks offer consumers, says Wayne Abernathy, ABA executive vice president of financial institutions policy and regulatory affairs.
“If banks aren’t able to have the revenue to cover fraud, either fraud will go up or banks will have to reduce their vulnerability,” Abernathy says.
No silver bullet for fraud protection
Albertazzi says there’s no “one silver bullet” to stop all fraud forever. Rather, the pace of new threats “is not going to slow down” and “nobody” — no bank, no retailer, no consumer — “is ever 100 percent secure,” he says.
What’s needed instead is a combination of checks from a layered approach that banks will have to adopt and consumers will have to accept if they want to utilize electronic banking services.
That suggests consumers should expect to see — and might want to welcome — an ongoing stream of new solutions that banks will employ to stay a step ahead of electronic banking fraudsters.