In the face of growing Internet-based fraud, money is rapidly becoming no object for the banking community. After all, we are protecting plenty more than dollars and cents. We’re protecting identities because, if we don’t, our customers will surely leave us.
Yet for all the money that banks have spent and will spend to guard against Internet fraud, the banks undoubtedly will be sabotaged by the very people they are trying to protect. Recent history is littered with evidence.
A few years ago, the promise of single-use passwords in Europe unraveled when the criminals, posing as bank technicians, simply called their intended victims. “We’re just checking the passwords,” the phony technicians said. “Please give us the next five passwords on your one-time password list.”
Nine times out of 10, the criminals got the passwords.
More recently, Bank of America rolled out its much-acclaimed site key program, which is based on a graphic and a word that the customer associates with the visual. Following the well-publicized launch, Harvard and Massachusetts Institute of Technology researchers tested 67 Bank of America customers for use of their graphic/word association by presenting no graphic at all. The great majority of customers – 58 – ignored the missing graphic and entered their personal key word.
Recently a story broke about Internet thieves who persuaded supermarket employees to transfer $10 million into bogus bank accounts. How did the criminals do it? They posed as vendors who informed the supermarket that their bank account numbers had been changed. The supermarket employees substituted the bogus account numbers for the good ones, and the criminals had a feast.
Curse of Convenience
Almost faded from memory are the days when a traveler could arrive at an airport a few minutes before departure. Back then, O.J. Simpson advertised Hertz rental cars by dashing from the rental car to the departing airplane’s gate. How times have changed.
Today’s air travelers may groan at the long lines leading to airport security, but they all file through, produce their IDs and take off their shoes. Why are we so impatient with the Internet?
Online bank customers don’t keep their computer systems up to date and have a tendency to believe that phishing happens to other people – never them. If bankers can promote a little more care among their customers, we could have an enormous effect on Internet-based fraud. Here are two potent ideas:
Customer Account Numbers: Banks never send e-mails that request a customer’s full account number, credit card number or debit card number. A legitimate bank e-mail will display the final four digits of an account number and direct customers to a site that contains additional information known only to the bank and its customer, such as the current balance of a bill.
Every bank customer should recognize an e-mail request for full account numbers as a red flag and pass the e-mail along to the bank’s security department. If banks can prevent their customers from entering complete account numbers into bogus e-mails, the practice of phishing might well disappear altogether.
Keeping Up to Date: While there are many, many viruses on the Internet poised to take over a customer’s computer, there are plenty of protections available to stop those viruses dead in their tracks. Those protections include the use of the latest Internet browsers and regular software patching.
Many customers take a laissez-faire attitude to Internet banking: they use the computer they have and resist upgrades that will make them safer. Today’s Internet browsers will warn users when there’s a difference between a link’s description and its real Web address. Patches to key programs such as Windows and Internet Explorer will close most of the loopholes that make viruses deadly. Updates to virus protection programs will help keep the bulk of the Internet’s assaults from overwhelming a customer’s computer.
These steps may sound overly simplistic, but they could prevent more than nine out of 10 attacks from taking hold. That’s a ratio that will keep the Internet viable as a banking and business channel for years to come.
John Jaser is an Internet security manager at Avon, Conn.-based COCC Inc. (www.cocc.com), a 40-year-old firm specializing in outsourced information technology and support. “Guarding the Gate” is a regular feature in Banking New York focusing on banking technology and security trends.