Appeared on FT.com on September 26, 2008
One year ago, the thought of a total loss of customer confidence in the stability of a major UK retail financial institution would have seemed laughable. Today, the thought of a similar collapse in trust caused by a systematic attack on a bank by highly skilled online fraudsters might seem equally risible. Yet as we have seen with Northern Rock, the unexpected can become real, and to protect customer confidence an intelligent, multi-layered approach to online security is essential.
As consumers conduct more financial transactions online, such as shopping or banking, financial institutions are in the front line in preventing attacks from organised crime rings trying to steal customers’ money or identities. Banks have to protect their customers, and they also have to protect themselves. If a coordinated attack is successful, banks can suffer a lot of damage in a very short space of time.
The security threat from online transactions can materialise in a number of ways. One is through online shopping, where consumers submit their credit or debit card details to make a purchase. Genuine customers want to be confident that the merchant they are dealing with is trustworthy and that their information is kept secure. From the merchant’s and the bank’s perspective, the priority is to ensure that both the customer and the transaction are genuine – that the person who is going to receive the goods is the legitimate owner of the card.
This is done through a comprehensive security and authorisation process that checks that the customer is who they say they are; ensures there is an available balance; looks at the customer’s transaction history; and identifies any recent activity that might lead the bank to suspect this request is fraudulent. These checks can be run in real time, which enables the bank to stop suspicious transactions before they take place.
In addition to shopping on the Internet, many consumers now also access their bank accounts online. According to APACS, in the UK the number of people banking online has increased by more than 500 percent in the past seven years to over 21 million in 2007. This creates a large number of targets for the fraudsters. If they can successfully obtain access to someone’s bank account they can potentially steal a lot of money in a short space of time.
Various means are used to illegally obtain bank details, including phishing and malware attacks through unsolicited email campaigns. APACS identified more than 20,000 reported phishing incidents in the first six months of 2008, each one involving thousands or even millions of emails sent to members of the public trying to convince them to enter their bank account details onto a fraudulent site. If only half a percent of all those people believe that these emails are genuine, the risk to the bank is significant. However, perhaps consumers’ willingness to part with this information too readily can be attributed to their expectation that the bank will protect their money, and they certainly expect the bank to be liable for any losses resulting from the takeover of their account.
While consumers arguably do not, financial institutions themselves take online banking security very seriously. They know the risks they face if their security isn’t adequate. It is more than the financial impact – although that can be large – they need to be trusted. No CEO of a bank wants to wake up to the headlines that his or her bank has been the weakest link in the security chain – and the shareholders certainly feel the same way.
In line with the fraud threat, online banking security is constantly evolving, from relying on traditional usernames and passwords to incorporating tools such as SMS or other forms of multi-factor authentication. One of the latest techniques financial institutions are rolling out is IP intelligence, where the bank identifies the IP address someone is using to log on to a bank account and compares it against known fraudulent addresses, and also against that individual’s usual activity. This can help identify and prevent fraudulent attempts to access a bank account online.
IT security such as IP intelligence must be used in conjunction with other detection methods, as part of an enterprise approach to fraud detection, for its value to be maximised. Enterprise risk management looks at all the activity on an account, whether it is online banking transactions, ATM use, shopping using credit or debit cards, or even something as seemingly innocent as a change of address. By having this bigger picture of its customers, a bank is able to quickly and accurately identify cards or accounts that have been compromised. This strategy is currently being adopted by the majority of the main UK clearing banks as well as several of the world’s largest financial institutions. The approach moves banks away from traditional silo-based fraud defences to intelligent enterprise-wide solutions where, regardless of the means of payment, protecting the customer’s available balance is key.
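The two ideas above, IP intelligence (a login IP checked against known fraudulent addresses and against the customer’s own usual activity) and enterprise-wide context from another channel, can be shown as a small risk scorer. This is an added illustration, not code from ACI Worldwide or from the article; the denylist, GeoIP table, weights, thresholds and the seven-day window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed denylist of "known fraudulent addresses" (TEST-NET-3 range, not real indicators).
KNOWN_BAD_NETWORKS = [ip_network("203.0.113.0/24")]
# Constructed stand-in for a GeoIP lookup (IP -> ISO country code).
GEO_LOOKUP = {"192.0.2.10": "GB", "192.0.2.11": "GB", "198.51.100.7": "RO"}

@dataclass
class Customer:
    usual_ips: FrozenSet[str]                        # IPs seen on earlier genuine logins
    usual_countries: FrozenSet[str]                  # countries those logins came from
    last_address_change: Optional[datetime] = None   # event from a non-online channel

def assess_login(cust: Customer, ip: str, when: datetime) -> Tuple[int, str, List[str]]:
    """Score one login attempt and return (score, decision, reasons)."""
    reasons: List[Tuple[str, int]] = []
    addr = ip_address(ip)
    # Layer 1: the IP against known fraudulent addresses.
    if any(addr in net for net in KNOWN_BAD_NETWORKS):
        reasons.append(("known_bad_ip", 60))
    # Layer 2: the IP against this individual's usual activity.
    if ip not in cust.usual_ips:
        reasons.append(("new_ip", 10))
        if GEO_LOOKUP.get(ip, "unknown") not in cust.usual_countries:
            reasons.append(("new_country", 25))
    # Layer 3: enterprise-wide context, here a change of address within the last week.
    if cust.last_address_change and when - cust.last_address_change <= timedelta(days=7):
        reasons.append(("recent_address_change", 20))
    score = min(100, sum(weight for _, weight in reasons))
    if score >= 50:
        decision = "block"
    elif score >= 25:
        decision = "step_up"   # e.g. a one-time SMS code before access is granted
    else:
        decision = "allow"
    return score, decision, [name for name, _ in reasons]

def demo_scenarios() -> Dict[str, Tuple[int, str, List[str]]]:
    """Constructed logins showing how the layers combine."""
    now = datetime(2008, 9, 26, 9, 0)
    usual = Customer(frozenset({"192.0.2.10"}), frozenset({"GB"}))
    moved = Customer(frozenset({"192.0.2.10"}), frozenset({"GB"}), now - timedelta(days=3))
    return {
        "usual_ip": assess_login(usual, "192.0.2.10", now),
        "new_country": assess_login(usual, "198.51.100.7", now),
        "new_country_after_move": assess_login(moved, "198.51.100.7", now),
        "known_bad": assess_login(usual, "203.0.113.5", now),
    }
```

A login from a new country on its own only triggers step-up authentication, but the same login a few days after a change of address crosses the block threshold, which is the cross-channel correlation the enterprise approach is meant to provide.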
This multi-layer approach to security provides a strong level of protection for the bank, but the more stringent the security, the harder it can be for the consumer. For example, if your bank contacted you to check that each transaction was genuine before they authorised it, the fraud would be non-existent – but it would be very inconvenient. One of the biggest challenges for banks is to find the line between ensuring transaction security and ease of use for the customer.
This is the future of online security for banks – achieving the balance of systems that deliver convenience to the users and at the same time ask for enough information to accurately identify fraudulent transactions.
By Jim Woodworth, head of business solutions, ACI Worldwide (EMEA) Ltd