2011's Answers to Fraud? Expect Stronger Authentication and Cloud Computing
The financial industry is taking steps to fight back, but it seems the fraudsters are always a pace ahead. And the security steps the industry has taken so far might be misguided, I'm told. What we need more of in 2011 are stronger cardholder authentication and more computing in the cloud.
Let's take a quick look at the year. In 2010, ACH fraud led to marked increases in corporate account takeovers. The Federal Bureau of Investigation estimates 205 separate businesses have reported incidents of corporate account takeover since 2004, most of which occurred in the past 12 to 18 months, with estimated losses totaling $40 million. Those estimates are probably low, since many cases of ACH fraud, until recently, have flown under the radar.
And then there is card skimming. According to the Identity Theft Research Center, 45 skimming and payment-fraud incidents were reported in the U.S. in 2010. Increases in attacks were reported at points of sale, and most experts agree those reports, too, are probably low. "POS fraud is rising, and it's likely because of skimming," says distinguished Gartner analyst Avivah Litan.
Finally, let's not forget malware and Trojans like Zeus. Zeus has unquestionably gotten more sophisticated in its attacks against online banking, and now it's broadening its range, aiming at the emerging mobile channel. Mobile malware is a new threat, and Zeus attacks, such as Mitmo, aimed at mobile devices have already been identified.
Industry experts say banks and credit unions can access the right technology to thwart those attacks, but many are not making the right investments. Banks can put an end to many card attacks, Litan says, if they can identify points of compromise, "but many have a hard time doing that with current fraud-detection solutions."
Stronger cardholder authentication, through contactless or contact chip technology such as EMV, could significantly cut card fraud, but banks have not made significant moves in that direction. Fraudsters have already figured out how to get around two-factor authentication, which often incorporates online banking logins with one-time pass codes or tokens. In 2011, banks will have to move beyond mere two-factor authentication if they expect to curb fraud.
Josh Corman, research director at security consultancy The 451 Group, says banking institutions spend way too much money on relatively useless security solutions. The recent breach of payment card data at City Sights NY, an online tourism company, highlights security gaps in data protection, he says. Hackers accessed information for 110,000 credit cards via SQL injection, one of the most common and best-known modes of attack.
Why is payment card data still vulnerable to SQL injection? Good question, Corman says. "We should know better by now, but we don't," he says.
A web application firewall would have prevented the City Sights breach, but most banks and retailers like City Sights don't invest in that level of security. "We don't spend enough money on app security and we spend way too much on antivirus software, which is basically worthless," he says.
Stronger application security is the only solution. "Everyone focuses on protecting the services and the infrastructure, but no one focuses on the software," Corman says. "Rugged software that protects the application is what we need more of."
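To make Corman's point concrete, here is an added example (not code from the article, nor from City Sights or any bank) contrasting the kind of order-lookup query that is open to SQL injection with its hardened form. The table, customer names and masked card values are constructed sample data; the `orders` schema and the function names are assumptions made for the illustration.

```python
"""Vulnerable vs. hardened order lookup (constructed sample data, added example)."""
import re
import sqlite3

# Constructed sample rows. Only the last four digits of each card are stored,
# which is itself a data-protection measure: a leaked table should not contain full PANs.
SAMPLE_ORDERS = [
    (1001, "alice", "****1111"),
    (1002, "bob", "****2222"),
    (1003, "carol", "****3333"),
]

# Allow-list for the customer field: defence in depth, not a substitute for parameterization.
CUSTOMER_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db():
    """Build an in-memory database holding the constructed sample orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    return conn


def lookup_vulnerable(conn, customer):
    """The weak pattern: user text is pasted into the SQL string and becomes part of its grammar."""
    sql = "SELECT id, customer, card_last4 FROM orders WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, customer):
    """The fix: the driver binds the value as data, so it can never change the query structure."""
    if not CUSTOMER_RE.match(customer):
        # Reject obviously malformed input before it reaches the database at all.
        return []
    sql = "SELECT id, customer, card_last4 FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def demo():
    """Return how many rows each variant hands back for a normal and a malformed input."""
    conn = make_db()
    honest = "alice"
    # The classic tautology payload: it turns the WHERE clause into one that is always true.
    hostile = "x' OR '1'='1"
    return {
        "vuln_honest": len(lookup_vulnerable(conn, honest)),
        "vuln_hostile": len(lookup_vulnerable(conn, hostile)),
        "hard_honest": len(lookup_hardened(conn, honest)),
        "hard_hostile": len(lookup_hardened(conn, hostile)),
    }


if __name__ == "__main__":
    print(demo())  # the vulnerable variant returns every row for the hostile input; the hardened one returns none
```

The vulnerable function returns all three rows for the malformed input because the input rewrites the query's logic; the parameterized function returns nothing because the same text is treated purely as a value to compare against. A web application firewall can add a layer in front of this, as the article notes, but the durable fix is in the application code: bind parameters everywhere, validate input against an allow-list, and store as little card data as possible.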
I'm not hearing a great deal about rugged software, but I am hearing more about the cloud. And industry insiders tell me banks are warming to the cloud computing phenomenon.
Andy Greenawalt, the CEO and founder of Continuity Control, a New Haven, Conn.-based provider of web-based software, says many banks are now using Google Documents for shared access, rather than relying on traditional sent-and-received correspondence that can easily be traced, intercepted, or compromised, intentionally or not, by an employee. "By putting traffic in the cloud, you make the security and access equation fundamentally more solvable," Greenawalt says. "It helps to keep you from missing a gap."
The cloud eliminates the need to store information on a hard drive or a thumb drive, which also limits the chances of a breach, he says.
I find it hard to believe that banking institutions would rely on something like Google Docs, since cloud security is something they've questioned for years. But perhaps that reliance is a good sign that the industry is moving in a modern, more secure direction.
If nothing else, 2011 will prove to be a year of interesting investments and directions.