Most Banks Focus on Compliance, Not Security
(http://www.bankinfosecurity.com/articles.php?art_id=3257&opg=1
January 12, 2011 - Tracy Kitten, Managing Editor
Share
What financial industries need is a shift in the way they think about fraud-prevention. It's security first, compliance second.
That's the way Adam Dolby, who heads up online security and authentication systems for Gemalto North America, sees it. Dolby says banking institutions in the U.S. have for too long focused on regulatory compliance, rather than centering their attention on solutions that actually detect and prevent fraud.
"There has been a number of solutions that were presented as a way to get to compliance that really led people down a bit of the wrong path," he says. "It almost created the illusion of security, rather than delivering security solutions. So, some of the fraud solutions that have been deployed really haven't done anything to mitigate the actual occurrence of fraud. What they have done is provide a bit of a false sense of security."
That false sense of security has had a domino effect, because it's led many institutions to be caught off guard. For instance, some of the steps put in place to comply with regulatory mandates, such as one-time passwords, have actually helped fraudsters to compromise transactions.
After reviewing results from Information Security Media Group's The Faces of Fraud Survey, Dolby says financial institutions are falling victim to what he calls the "CSI phenomenon."
"This is like trying to act against crime but starting with a dead body and investigating backward, rather than actually trying to stop people from getting whacked in the first place," he says.
During this interview with Information Security Media Group, Dolby discusses:
•How U.S. institutions could learn from their overseas financial counterparts;
•Needed investments in fraud-detection technology;
•The role stronger authentication will play in the future.
Dolby oversees online security and authentication systems via channel relationships for Gemalto North America, where he builds and maintains regional partnerships. Dolby also supports Gemalto's business and security objectives, through consumer education and advocacy on Gemalto's online resource www.JustAskGemalto.com. Before Gemalto, Dolby worked in the banking industry, serving in executive management roles for online banking and partnering with the world's leading financial institutions. Dolby's experience encompasses management of multiple e-banking systems including ACH, wire, treasury management, consumer e-banking, card networks and ATMs.
Current Fraud Detection
TRACY KITTEN: What fraud trends can the financial industry expect to face in 2011? I'm here today with Adam Dolby, who oversees online security and authentication solutions for Gemalto North America. Building on newly released results from Information Security Media Groups, the Faces of Fraud survey, Dolby shares his thoughts about surprising and not-so-surprising trends in financial fraud and investments banks and credit unions are expected to make in security solutions in the New Year. Adam, you've reviewed some of the results from our fraud survey and this one caught a number of the experts' eyes. Seventy-five percent of respondents said they learn about fraud from their customers or members. What does that tell us about fraud detection, and is the industry continuing to rely too heavily on customer and member notification?
ADAM DOLBY: I certainly thought that this particular question, and the fact that it led study, was very interesting. If 75 percent of respondents are saying that they are learning about fraud from their customers, what it is really issuing is a bit of an indictment on the industry as a whole, and the measures of fraud detection and prevention that are existing in the market place today. You could sort of equate this a bit to, say, maybe the CSI phenomenon, for those of you who watch the show, where we are seeing evidence of a dead body first and relying on people to report the crime, rather than preventing the crime from happening in the first place.
KITTEN: How much fraud do you think, Adam, is slipping through the cracks as a result of the way financial institutions are learning about fraud?
DOLBY: I think that is an excellent question and perhaps a bit of a scary one. Knowing how well customers, in general, look at their statements and their banking activity, I would suppose that quite a substantial amount of fraud is actually slipping through the cracks; whether it's undetected or late detected or perhaps under-detected remains to be seen. Also of issue in here is not necessarily where fraud occurs, but just where accounts have been entirely taken over and customers have no method for verifying what transactions have taken place. I think all of those factors here paint a bit of a grim picture on what the industry looks like as a whole, with regard to fraud and Internet banking; but it also means that there is quite an opportunity to be able to act on what the results of this study are.
Fraud Detection and Audits
KITTEN: You also noted that you found it interesting that 25 percent of the survey's respondents said they discover fraud during audits. Why is that interesting, and what does it tell us about current fraud-detection mechanisms, or the lack thereof?
DOLBY: I found that number a bit interesting, perhaps a bit differently, in that I thought 25 percent was actually a bit high. If we're actually discovering fraud one out of four times during an audit, rather than a customer reporting it or any detection or prevention mechanism addressing the issue, then, really, one out of four are saying that there is fraud being detected substantially after the fact. Money has actually moved out of an account. What is particularly troubling there is that no detection mechanism or the customer is finding it when it occurs. It is actually slipping through almost all of the cracks and being found sort of at the last possible moment, during an audit of either the account balancing or any other system detection. So, yes, I think it is good amount that it is being found that late, and I think that it is a bit troubling. That means it has gotten past the initial detection systems, including the eyes of the customer.
ACH Fraud: 'Unprepared to Fight'
KITTEN: ACH and wire fraud is a growing problem. That is not a surprise. But banks and credit unions in the survey said they feel very unprepared to fight ACH and wire fraud.
DOLBY: Really, to date, there has been a bit of hesitancy to move forward with really aggressive fraud-prevention measures, rather than detection. I would say that the challenge for the industry, at this point, is to move toward solutions specifically designed to address the spectrum of money-movement fraud -- whether it's ACH, wire, account-to-account transfers, or any other type of money-movement -- and really making sure that we're addressing all of those problems before it's possible for them to happen. I think the other challenge, quite frankly, has been that there have been a number of other issues that have plagued the financial industry, including the relative instability in that space over the last few years. From a simple perspective, people have had other things to worry about. But at this point, I think we really have to recognize that security is an ongoing battle. It is certainly a necessary part of delivering financial services online that every bank should have a plan and staff to address. As an industry, we need to make sure that we're looking at and making long-term investments aimed at stopping fraud as it can occur today, but also as it can occur tomorrow and the day after tomorrow. We also need to look at what other vectors that it can take; whether it is starting as simple as phishing and moving to more advanced malware and key logging, and making sure that we're addressing the transaction set that has seen fraud today and will see fraud tomorrow.
KITTEN: This is something that we have discussed in the past, not something that is directly related to the survey results, but it does have a tether of sorts. You've noted that authentication is a problem, especially as it relates to ACH and batch transactions. One-time passwords have, in some ways, you've said, assisted fraudsters. Can you explain and tell us what you think institutions should be investing more in when it comes to ACH-fraud prevention?
DOLBY: I think one of the point of clarification is that the initial investment in, not necessarily just one-time passwords, but some very basic fraud analytics have created a bit of a green-field opportunity for those folks who know how to execute a sophisticated technology-based attack on a financial institution, be that "man-in-the-middle" or "man-in-the-browser." So, with that sort of opportunity presenting itself to those folks who really know how to execute that technology-based attack, what it means is that they have an opportunity to sort of get by those security measures, as the earlier pieces of the study would indicate, and really go after the money. What it requires is a bit of a shift in thinking, from the part of both security companies as well as financial institutions. And then we have to look at, "How do we defend every type of transaction within the banking infrastructure?" The early emphasis, and rightfully so, was on protecting wire transfers, because those are one-to-one movements of money and payment options; but we've historically defended wire transfers very well at a very basic level.
I could pick up the phone and call you and say, "Hey, Tracy. Do you want to move money to Francesca in Massachusetts?" And you would have the opportunity to say "yes" or "no" and approve that transaction. But you can't do that for transaction batches, in particular, ACH. If you think of a large payroll being transmitted weekly, it's not possible or even feasible to go in and verify every transaction and all of the account holder information for everyone in that direct-deposit file. So, if that becomes the weakest link in the security chain, it will become the vector that we're seeing attacked most often. What that means is we have to look at security solutions that are aimed at protecting large amounts of alphanumeric data, which the solutions that are currently in place, whether that is OTP or fraud detection or prevention mechanisms and analytics, are not designed to protect. Really, what it requires is a shift in thinking: Looking at more PKI-oriented technology, which is really designed to protect massive amounts of information, and also alphanumeric information, so that it would protect payee information, account-number information and or anything else that is contained in a database, in transit and at rest.
Budget Constraints
KITTEN: Going back to the survey results, financial institutions noted in their responses that budgetary constraints and inadequate technology were listed as the most-often to blame for lacking fraud detection. Are banks really strapped for fraud-detection investments, or are they just investing in the wrong types of solutions?
DOLBY:I thought that piece was very interesting as well, and I think it is probably a mix of the two. For me, I think fraud detection is a bit of misnomer, because I think in order to build your fraud-detection solution, you have to at least see some instances of fraud to build your model off of. In the banking industry, again, if you go back to sort of the crime-scene model, one body is too much, in my opinion. Just seeing any financial loss for any particular customer is a potential PR nightmare, let alone the dollars that can be lost. So, from that standpoint, I think what has really happened is there has been a bit of a tendency, and we saw this with the FFIEC guidance that came out several years ago, to think more around compliance, rather than looking at true security-based solutions and how we can actually prevent fraud from occurring in the first place. Solutions certainly exist. Really, what it requires is a bit of a shift in thinking. Institutions need to accept the fact that security is a piece of the necessary puzzle to deliver online services. They need to have a bit of that forward-looking, forward-thinking mentality that says, "I need to invest in what amounts to an insurance policy for each customer that merits it," and pick the level that is appropriate for those customers. I don't believe in a one-size-fits-all approach. So, you would have a blend of security solutions for your customer base or even for particular users within an individual business, for example, and move forward in a way that really treats security as that necessary part of the puzzle, rather than something that has to get done to get examiners off our back.
I also think there has been a number of solutions that were presented as a way to get to compliance that really led people down a bit of the wrong path, where it almost created the illusion of security, rather than delivering security solutions. So, some of the fraud solutions that have been deployed really haven't done anything to mitigate the actual occurrence of fraud. What they have done is provide a bit of a false sense of security, and to me that is almost worse than no security at all. When your security solution is compromised, you have quite a bit a shake in confidence from your customer base and, perhaps, a very difficult time getting them back.
Reputation Loss
KITTEN: I'm going to build on that just a little bit, talking about reputation loss and customer confidence. Forty percent of our survey's respondents said that reputation loss and customer confidence were adverse side effects of fraud. What does that tell you about investments banks and credit unions should be making in fraud prevention, to not only cut their hard costs but also their soft costs, which would be the customer and member losses?
DOLBY: Security is a necessary part of delivering online banking. If you could save half of, or even a third of, your customer base that is potentially vulnerable from a compromise, I think that is a huge number. In fact, having that many customers vulnerable to outside influences is huge in and of itself. So, if one individual or a group of individuals has it in, so to speak, for any financial institution, or just sees that bank as the weakest link in the security chain, that is a tremendous number of your base that you are going to have to not only spend money on to try to keep, not to mention the money that will have to be spent to respond to any media leaks or announcements that go out about publicized attacks. At a time when customers are already looking for a reason to be aggravated with the financial industry, it really creates a potential point of compromise that is extremely dangerous for the industry as a whole. Even if you as an individual are not compromised, there is the possibility that others in your peer group, if they are compromised, you could still have shaken confidence. For a bank, their customer based could be shaken, because they are going to question the security measures their bank has in place. So, certainly, it is a very interesting and challenging time. Fortunately, there are security solutions that exist that can make fraud virtually impossible. It certainly requires some investment from the financial perspective, but it also requires a bit of a mind shift on the part of the customers themselves. Customers need to realize, "Hey, for me to access my online banking, it may be a bit different than it was in the past. It may require me to carry a device." So, there is an educational campaign aspect to this that has to occur as well. But, certainly the fact that 40 percent of respondents are saying loss of customer confidence and loss of the customer himself is a problem is huge. That is a huge number of people to be potentially vulnerable, if you are a financial institution is attacked.
KITTEN: Now, I'm going to go back to the customer education piece for just a moment. We talked about this earlier, and it's come up in this last question here. Customer education is effective, but can only go so far. Yet it seems that banks and credit unions say education and awareness are the best fraud prevention measures they have in place. Why is technology not seen as a critical investment, when it comes to fraud prevention, and do you see that as a being U.S.-centric perspective? Is fraud prevention addressed or viewed in a similar way by financial institutions throughout the world?
DOLBY: I'm a huge proponent of customer education, and I think it is going to be even more essential going forward. Customers are continually educated on what to look for, whether it is phishing e-mails or not clicking on links, etc. I think for a proactive institution, the opportunity to position the bank as a resource for that type of information, especially if they have a small-business customer portfolio, is excellent. There is an opportunity to continue to educate them about protecting VPNs and firewalls and all of those things. However, customer education can only do so much, as you say, and it's a bit like expecting individuals to not transmit the flu by telling them they need to wash their hands all the time. Well, certainly we do that, but we also have a flu vaccine, and really, that is where technology comes into play. As we deliver that vaccine and prevent the spread of that infection, we control the sickness.
I think it seems to be more of a U.S.-centric mentality; outside of the U.S., you see very rapid expansion and adoption of authentication solutions and stronger authentication solutions for customers, both at the corporate and retail levels. At the retail level, it is almost unheard of in the U.S. There are a few banks that have taken proactive measures, but they are very few and far between.
I think technology is seen as too expensive and, perhaps, a bit too complex. I think that is, in large measure, a bit of a red herring. I think if you really look under the covers of solutions, you'll find they are very customer friendly. And if you present them to a user in the correct manner, they will be very accepting of those solutions. We've seen technology presented out to customers in a way that would lead to some negative feedback. For example, I've seen financial institutions that will say, "Do you want to use thing to connect to Internet banking or nothing. Well, human nature is going to say, "I don't want to carry anything else to do this if I can get away with it." Certainly, if you present security in that manner, it's not received well; but if you go to the same customer and say, "Would you like to be able to access your bank securely and guarantee that no one can commit fraud on your account?" That is a much different presentation of the technology.
I would also take it a step further, in that we have a set of regulations called Reg E in the U.S., where we have a number of consumer protections that actually dumb down, a bit, the level of sophistication on the part of the end-user and their awareness of security. That's because the bank is ultimately responsible when fraudulent movements of money occur. That is why you see a strong push on the corporate side, which is not covered by Reg E, for security solutions. On the retail side, there aren't many security solutions or very many strong authentication solutions deployed, because those consumers are protected by Reg E. Really, what we've done is said, "Security is going to be the bank's concern, and when you go to try to alter the user experience for those people that are protected by that regulatory protection, they don't have to adopt any additional measures and more protected measures for accessing their accounts. So, there are a number of forces at work. There is certainly an environmental issue in the U.S. that is a bit unique and I do believe that education is a good step and a necessary step. But, really, in terms of that actually fixing your problem or helping fraud prevention, I think that first question of 75 percent of institutions learning about fraud from their customers and members says it all. To learn about fraud from their customers is still troubling. It's clearly still happening and to expect your customer to prevent is a bit naïve.
2011 Agenda
KITTEN: In closing, Adam, I would just like to ask where you see the industry heading over the course of the next year? Banking institutions are looking for more fraud prevention and security tools. Why, in your opinion, is knowledge so lacking, and what can the industry do in 2011 and beyond to break this cycle?
DOLBY: Yeah, I certainly think it is a bit incumbent upon providers to make sure that we are doing our best to educate folks, whether that is through conducting a podcast like this or webinars, etc. Really, that is our responsibility to educate, not to simply go out and promote a product. We need to educate the industry about the threats that exist and talk to customers about what challenges there are and how they can be addressed.
I do think we'll see better responsiveness from the industry in 2011, if only because the industry continues to settle with a bit of consolidation here and there. But, really, the uncertainty has passed for a lot of folks and they can start to really focus on security now, instead of worrying about if they have a job. I also think there is certainly a growing awareness. I've seen it all the way up to the board level, where they clearly understand the risks involved with Internet and doing business on the Internet. We have to make sure we are protecting customers in the appropriate manner. I also think it's been a bit of a struggle to really bring in some of the foreign influence, where we've seen banks adopt strong authentication for 10, sometimes 15, years now. We'd like to show banks here what they've done and get response for what's happened environmentally overseas. It can prove that customers will adopt this technology and use this technology, and actually do more transactions online. That mentality has changed. Having been in the industry for eight or so years now, I know when I first started doing this, if you talked about a bank in the Netherlands that was using strong authentication, banks in the U.S. would say, "What does that have to do with me?" They never considered that it is just one Internet. But now you see that awareness improving. Banks are willing to look overseas for expertise. So, I do think 2011 will be a much stronger year in the authentication space. I think it is important to learn lessons from around the world.
No comments:
Post a Comment