Although phishing has been the target of banks' security efforts for some time, Brad Johnson, VP of consulting with Sudbury, Mass.-based security consultancy SystemExperts, says the increasing use of e-mail by consumers provides an almost endless pool of new victims for phishers. "It is a problem that reinvents itself because new users gain essentially no useful experience from previous exploits," he explains.
Javelin's van Dyke acknowledges that phishing is a problem, but he believes the industry's reaction is off the mark. "[Phishing] attempts are very common," he says. "But the actual number of losses from it are low: $337 million annually in the U.S. [compared to the $52.6 billion overall cost of fraud]. We should take it seriously, but must understand that a high number of attempts doesn't mean they're successful."
Van Dyke stresses that other forms of fraud are more serious. "To fight traditional fraud, banks have to really partner with their account holders," van Dyke says. And that potentially can revolutionize the way banks and consumers relate to each other. "Half of all identity fraud is detected by the account holder first, and the bank's fraud experts have proprietary information that customers don't. They need each other. But banks aren't making this a high priority."
And new threats loom on the horizon. The trend toward implementing service-oriented architecture (SOA) presents CIOs with a particular dilemma. According to Richard Mackey Jr., principal, SystemExperts, the problem of internal network attacks will increase with the growth of SOAs. The open relationships between applications inherent in SOA "run counter to specifying exactly who interacts with whom and exactly to what extent," he states. "General purpose functionality will not support the security requirements of more-sensitive applications."
No discussion about security technologies would be complete without mentioning biometrics. But biometric solutions' effectiveness is debatable. Javelin's van Dyke, for one, is not too enthusiastic about the technology. "[Biometrics] have value for identification," he says. However, "They're not the silver bullet for authentication."
Jon Gossels, president of SystemExperts, asserts that the technology will not gain acceptance until "standardized readers are integrated into common office or home devices such as keyboards." He adds, "At that point, a different challenge comes to the fore: How does one securely store the biometric data?"
ATM giants NCR and Canton, Ohio-based Diebold have been dabbling with biometrics for some time. Yet, despite successful installations of biometric-enabled ATMs in Latin America, neither company has seen a major international bank hop on board. It is a matter of social acceptance of the technology, according to NCR's Race. It is common for some developing countries to keep fingerprints of citizens on file, he explains, while privacy-conscious Americans and Western Europeans resist the notion.
"We're mostly seeing interest in biometrics in emerging markets," adds Mark Grossi, NCR's CTO. "Although U.S. and European banks are interested, they tend to have too much legacy in place; however, we are seeing some applications of biometrics internally for vault access."
All agree biometrics do have a good deal of value for security; however, not everyone agrees it will transform banking. "'Transform' might be too strong a word," says Jim Block, director of global advanced technology with Diebold. "It won't transform banks, but it will allow banks and their customers to step up to a higher level of comfort in transactions."