The hackers who conducted cyber-attacks against Target, Neiman Marcus, and other retailers this past December pushed payments security to a new level of public awareness. Data breaches aren't new, but the scale of the attacks and the wave of headlines that followed had never been seen before. The Target breach alone could have affected up to 110 million consumers, with an estimated 40 million credit and debit cards stolen. Since then, Congress has held multiple hearings on payments security, and surveys show that companies, including banks, are increasing their cyber-security investments as a direct result of the attacks.
The breaches aren't going to stop any time soon, either. More than 600 data breaches -- a 30% increase from 2012 -- were reported last year to the nonprofit Identity Theft Resource Center. A recent global survey of IT executives by BAE Systems Applied Intelligence, a security solutions provider, found that 82% of the US respondents -- across all industries -- expected that targeted cybercrime would increase in the next two years. The same BAE survey found that 60% of the respondents are increasing their cyber-security investments, with 78% of those respondents directly attributing that increase to last year's data breaches.
Banks are in an unenviable position in regard to securing payments; they have to absorb the cost of fraudulent transactions that result from breaches, yet cannot guarantee the security of payments credentials throughout the payments system. And each new breach leads to the costly reissuing of potentially millions of card credentials. More than 17 million cards have been reissued since the Target breach, at a cost of $172 million, the Consumer Bankers Association estimates.
Customers expect their banks to protect them from financial loss when a breach occurs, but retailers play a large role in protecting credentials when they are received at the point of sale and processed. Banks have invested heavily in online security over the past several years and have to comply with strict regulations in protecting their customers. Retailers aren't held to the same standards, though, making them an easier target for cyber-criminals. Out of the 614 data breaches reported to the Identity Theft Resource Center last year, only 3.7% targeted banks, while 34% were aimed at retailers.
But banks, like other companies, are investing more in cyber-security, according to a recent survey of bankers by ACI Worldwide, which found that 50% of financial services respondents say they are increasing their investments in fraud detection. "You can only throw so much money at something that isn't under your control, and breaches aren't going away," Michael Grillo, a product marketing manager at ACI, says. "Banks need to look at their whole risk management tools and procedures and develop a multilayered approach to security."
Much of the attention after last year's data breaches focused on the Europay, MasterCard, and Visa (EMV) chip-card standard as a possible solution for protecting payments credentials. But EMV is no cure-all for the vulnerabilities in today's payments system. For instance, EMV wouldn't have prevented the malware attack that hit Target: a chip card makes stolen card data far harder to clone onto a counterfeit card, but the standard does not encrypt that data inside the merchant's terminal, so malware running on a point-of-sale system can still read it. EMV could eventually help improve security as part of the multilayered approach that Grillo mentioned, but it's still years away from reality here in the US. Banks can help protect customers right now, though, by implementing two-factor authentication and better fraud monitoring, and by collaborating with merchants on stronger encryption of credentials. That collaboration could be a challenge, but as the payments system works toward EMV, liability for counterfeit-card fraud at terminals that can't accept chip cards will shift to retailers instead of banks, which may give them an incentive to work with banks on improving security.
An Extra Step in Authentication
Gmail, Twitter, and Facebook already use two-factor authentication through mobile devices for better security, and banks could implement similar systems to protect their customers, says Deena Coffman, CEO of IDT911 Consulting and CISO of IDentity Theft 911. Rather than relying on a static PIN, customers could have a one-time PIN sent to them via text message that is valid only for a set amount of time or a set number of transactions, limiting the damage if a thief were to steal the PIN. Banks offer two-factor authentication to secure other functions, such as online banking sessions, but haven't implemented it at the point of sale, Coffman notes.
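The one-time PIN described above is, on the server side, a small piece of logic: generate the PIN from a cryptographic random source, store only a keyed hash of it, and make it expire after a validity window or a fixed number of uses, whichever comes first. The sketch below is an added example written for this article, not code from any bank or from IDT911; the key, limits, customer ID and "SMS gateway" hand-off are assumptions, and the clock is passed in explicitly so the expiry and use-count behaviour can be exercised without waiting.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical server-side key that keeps PINs out of the database in clear form.
# A real deployment would hold this in an HSM or key-management service; it is
# hard-coded here only so the example runs offline.
SERVER_KEY = b"example-server-key-not-for-production"

PIN_DIGITS = 6
TTL_SECONDS = 300        # a PIN is good for five minutes ...
MAX_USES = 3             # ... or three transactions, whichever comes first
MAX_BAD_ATTEMPTS = 5     # after that the PIN is burned, to stop online guessing


@dataclass
class IssuedPin:
    digest: bytes
    expires_at: float
    uses_left: int
    bad_attempts: int = 0


def _digest(customer_id: str, pin: str) -> bytes:
    # Bind the PIN to the customer so a digest lifted from one record cannot be
    # replayed against another customer's record.
    return hmac.new(SERVER_KEY, f"{customer_id}:{pin}".encode(), hashlib.sha256).digest()


class OneTimePinService:
    """Issue and verify short-lived, use-limited PINs (illustrative only)."""

    def __init__(self) -> None:
        self._active: dict[str, IssuedPin] = {}

    def issue(self, customer_id: str, now: float) -> str:
        # secrets is a CSPRNG; zero-padding keeps the full 10**PIN_DIGITS keyspace.
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        self._active[customer_id] = IssuedPin(
            digest=_digest(customer_id, pin),
            expires_at=now + TTL_SECONDS,
            uses_left=MAX_USES,
        )
        # Here the bank would hand `pin` to its SMS gateway. It is returned to the
        # caller only so the example can simulate the customer typing it in.
        return pin

    def verify(self, customer_id: str, pin: str, now: float) -> tuple[bool, str]:
        rec = self._active.get(customer_id)
        if rec is None:
            return False, "no active pin"
        if now >= rec.expires_at:
            del self._active[customer_id]
            return False, "expired"
        # Constant-time comparison: a plain == would leak how many leading bytes match.
        if not hmac.compare_digest(rec.digest, _digest(customer_id, pin)):
            rec.bad_attempts += 1
            if rec.bad_attempts >= MAX_BAD_ATTEMPTS:
                del self._active[customer_id]
                return False, "too many attempts"
            return False, "wrong pin"
        rec.uses_left -= 1
        if rec.uses_left == 0:
            del self._active[customer_id]
        return True, "ok"


def demo() -> list[str]:
    """Walk one constructed customer through the failure modes; returns the verdicts."""
    svc = OneTimePinService()
    t0 = 1_700_000_000.0                  # arbitrary epoch seconds
    pin = svc.issue("cust-42", t0)
    wrong = "000000" if pin != "000000" else "000001"   # guaranteed mismatch
    verdicts = [
        svc.verify("cust-42", wrong, t0 + 1)[1],    # wrong pin (one bad attempt)
        svc.verify("cust-42", pin, t0 + 10)[1],     # ok, use 1 of 3
        svc.verify("cust-42", pin, t0 + 20)[1],     # ok, use 2 of 3
        svc.verify("cust-42", pin, t0 + 30)[1],     # ok, use 3 of 3; PIN consumed
        svc.verify("cust-42", pin, t0 + 40)[1],     # no active pin: replay fails
    ]
    pin2 = svc.issue("cust-42", t0 + 60)
    verdicts.append(svc.verify("cust-42", pin2, t0 + 60 + TTL_SECONDS)[1])  # expired
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The two limits work together: the use count caps how many purchases a stolen PIN can authorise, and the validity window caps how long the thief has to try. The bad-attempt counter matters just as much, because a six-digit PIN has only a million values and an attacker who can retry freely against a terminal or API will eventually hit it.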
"I think people will be willing to [use two-factor authentication]. But they need to understand the repercussions to them of someone getting their information. They need to understand the loans, the jobs they won't get with the damage to their credit. People have been arrested because of fraudsters doing illegal activities with their stolen identities and cards," Coffman says.
And those customer education efforts will probably cost banks less than the mass reissuing of cards that normally occurs after a breach, she points out.
Customers wouldn't bring their money to a bank if they didn't want it to be well-protected, so banks should be able to get their customers to take extra steps to protect themselves, says David Pollino, senior VP and fraud prevention officer at Bank of the West (headquartered in San Francisco, with $62 billion in assets). "Customers bring their money to a bank to keep it safe. … If they're doing an unusual transaction, then they like to see extra security measures in place," he observes.
ACI Worldwide's survey found that customers actually responded well when banks took actions such as blocking their cards to protect them from fraud. Among the bankers surveyed, 42% reported that customers viewed their efforts in the wake of last year's data breaches favorably, even though banks were often inconveniencing customers with those interventions.
"I was surprised by the number of people that thought banks were handling the situation well. It's definitely worth noting that for a good number of banks, customers appreciate what they're doing," ACI's Grillo shares.
Two-factor authentication alone won't fully protect bank customers; it has to be implemented along with other systems as part of a wider risk management strategy for banks to offer the best protection possible, Bank of the West's Pollino says.
Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ...