Since U.S. laws put the onus on banks to assume liability, consumers and some businesses tend to think their exposure amounts to little more than a temporary inconvenience while they await new debit cards. But that isn’t really the case.
As diligent as banks try to be, they can’t catch everything and so they must depend on bank customers to report fraud, too. Sometimes those reports don’t come, however, because too many consumers are either unaware of the problem or depend too heavily on banks to solve it.
But there are those who argue that increased public awareness does not and will not lead to a decrease in cyber crime against banks. RSA CEO Art Coviello testified to as much before the House Select Committee on Intelligence earlier this year. "There’s too much awareness without anything being done," he said. "There’s no amount of consumer education to make them smart enough to resist attacks. They’re just too sophisticated."
Coviello was not advocating public ignorance. Instead he appeared to be underscoring that losses from fraudulent activity include decreased public confidence. The public, he said, is left with a sense of helplessness in the face of a deluge of information upon which they cannot act. Coviello thinks the responsibility to solve the problem rests solely on government and businesses.
"It is clear that security and fraud monitoring is a top concern for bankers," said Ed Gainer, senior vice president of North American Cash Management at Fundtech, a provider of financial supply chain applications, in a statement. "Seventy-four percent of our clients think that their business clients would be willing to change financial institutions for better security. Account security is now a key competitive issue as well as a legal concern."
It is likely that Coviello shares much of the frustration consumers feel, as RSA, the security division of EMC and a respected security leader, was breached in March by infiltrators believed to have used spear phishing email to gain access. The criminals targeted RSA’s much-lauded SecurID two-factor authentication system. The attack left the network security world stunned. Ironically, it is currently being debated whether more employee awareness within RSA’s ranks might have prevented the spear phishing tactic from succeeding. But no one really knows the answer to that.
According to David Nelson, a specialist in the FDIC’s Cyber Fraud and Financial Crime Section, overall cyber fraud has declined steadily since its peak in 2006. However, online wire transfer and Automated Clearing House (ACH) Network fraud are still climbing -- racking up $87.5 million in losses in 2010.
But this problem is not exclusive to bank account infiltration.
According to a recent white paper by Fundtech, Fraud: A 360° View, this type of fraud is increasingly occurring across a variety of channels: bank account infiltration (24%), call center and fax communication (26%), and in-branch (15%). Further, the survey revealed that the majority (66%) of bankers believe that cyber crime will never get under control.
"Institutions can do a lot to smooth the recovery process once an incident takes place," said Zachary Miller, acting deputy assistant director in the FBI’s Cyber Division, in the Fundtech white paper.
He advises companies to have an incident response plan in place outlining the firm’s policies and procedures for dealing with an incident. Firms should also develop a relationship with law enforcement so they know whom to call when an incident occurs. One way to do this is to join an organization, "such as InfraGard or the National Cyber-Forensics & Training Alliance, devoted to sharing information about threats."
Miller encourages individuals to take greater responsibility for the safety of the information on their personal computers. "People have to take a proactive effort," he said. Criminals are out to target the weakest link. "I hate to tell you, but we are all the weakest link."
A NICE-Actimize small business study found, for example, that only 18% of small businesses understood they are liable for cyber losses. That leaves 82% of small businesses vulnerable to fraud and ignorant of their real or potential losses. Avivah Litan, a Gartner analyst, warned that small businesses do not have the same protections as consumers and are not necessarily able to recover money stolen from their accounts.
While the country waits for regulation to catch up with advances in cyber crime, professionals like Litan are hoping that knowledge in the hands of consumers, particularly small businesses, will translate to the power to thwart criminals.
A prolific and versatile writer, Pam Baker's published credits include numerous articles in leading publications including, but not limited to: Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, NY Times, and Knight-Ridder/McClatchy newspapers. She has also authored several analytical studies on technology and eight books. Baker also wrote and produced an award-winning documentary on paper-making. She is a member of the National Press Club (NPC), Society of Professional Journalists (SPJ), and the Internet Press Guild (IPG).