Fraud incidents across the banking industry continue to skyrocket, and San Francisco-based Wells Fargo ($492 billion in assets) can attest to just how scary these incidents can be. Already the victim of three security lapses in the past three years that exposed sensitive customer information, the bank again found itself at the center of a security breach this spring.
A company computer that contained the names, addresses, Social Security numbers and account numbers of Wells Fargo's mortgage customers was reported missing while in transit between Wells Fargo facilities, according to published reports. While law enforcement officials believe the computer was stolen for the hardware -- not the data it housed -- this tends to be the exception.
Mission-critical data and consumer-specific information often are the target for savvy thieves who prey on the financial services industry. Further, as consumers, employees and external business partners demand -- and are given -- greater access to sensitive data, banks are more susceptible than ever to internal security breaches.
Clearly, fraud is a costly fact of doing business. Approximately 3 million adults said they were victims of ATM or debit card abuse in 2005, according to a survey by Stamford, Conn.-based Gartner that focused on the global IT industry. These incidents resulted in $2.75 billion in losses, with an average loss of more than $900 per incident, Gartner reports. Another 1.9 million online financial services users were victims of illegal checking account transfers, the study adds. These hijacked accounts resulted in nearly $3.5 billion in losses -- an average of roughly $1,800 per incident. Banks absorbed most of these losses, Gartner points out.
"Real costs are being driven out of the business," says Austin Wells, VP, product management, for Digital Harbor, a Reston, Va.-based risk management solutions provider. "Dollar losses aside, however, banks are just as aware of how damaging fraud can be to their reputations among consumers as well as in the way of fines they are subject to for noncompliance with regulations."
The fastest-growing incidents of fraud are cross-functional, meaning they involve multiple areas of a banking customer's portfolio. While banks have solutions in place to evaluate and detect incidents of fraud, not many solutions "look across systems and link the pieces together," Wells contends.
Segregated fraud detection solutions and disparate data streams "remain siloed across enterprises," agrees Andrea Klein, chief marketing officer, IdenTrust, a San Francisco-based provider of identity management solutions. In addition to being difficult to control, these silos require banks to allocate different sets of people and significant IT investments to manage information and detect fraud.
"Fraud does not just encompass Internet-facing issues or identity theft," says Jonathan Rosenoer, global risk officer, financial services sector, for Armonk, N.Y.-based IBM. "Dimensions start at security levels and bridge through to privacy issues. Banks need to consider fraud from a broader sense," he continues. "They need to look at systems and rethink how operations can effectively shut the door to criminals."
The Helping Hand of the Law
Unfortunately, some banks have been slow to react and only have begun to rethink their risk strategies and fight fraud on an enterprise level as the result of regulatory mandates. The USA PATRIOT Act, for example, requires banks to monitor and disclose any potential international money laundering rings or the financing of terrorism. Meanwhile, Basel II requires that banks identify customers on a global level, calculate credit reserves and report credit risks.
"These and other regulations are forcing companies to look at all customer activity, even across silos," says Rosenoer. That is where the CRO comes in. "The role of the CRO -- or chief risk officer -- is to ensure the bank is compliant across these regulations," he explains. "Further, the CRO bridges business continuity in the event of fraudulent events. Again, this is not just an online problem. CROs are evaluating money laundering rings, compromised internal systems or anything that is threatening the enterprise."
Besides creating a watchdog to detect and ward off potentially dangerous scenarios, privacy and security regulations foster something more important -- the need for banks to gain an enterprisewide view of customers and their account activity, Rosenoer suggests. Gaining a holistic view of the enterprise requires an arsenal of risk management tools. The best solution set will enable banks to pinpoint breaches, from compromised consumer privacy all the way up to organized fraud rings. They must be able to monitor instances wherever they occur in the organization. To do this, banks need to employ a common set of tools across the enterprise.
"Banks need a consistent approach to fraud assessment and prevention, otherwise they will never truly get ahead of [the problem]," says IdenTrust's Klein. "Siloed solutions cannot fight the bad guys. Fraud has to be fought on an enterprise level, otherwise this problem cannot be solved."
For example, identity theft is consuming many banks' fraud prevention resources. However, companies are equally bombarded by threats of money laundering and from organized fraud rings. That's why Digital Harbor's solution links disparate fraud detection technologies throughout the organization to detect patterns across each area, according to the company's Wells. By investigating the exceptions across multiple systems, the solution "provides a single view of a suspicious customer or account," he says. "If banks can start to find patterns of fraudulent activity across accounts early on, they can avoid big losses." By linking different fraud detection systems together, Wells asserts, banks can reduce fraud losses by 30 percent and increase their loss recovery by between 25 percent and 40 percent.
But monitoring systems for outside threats is not enough; increasingly, banks are challenged by threats that originate inside their corporate walls. Employees have access to sensitive customer data and mission-critical information on a daily basis. Yet many organizations underestimate the damage this can cause. For example, employees who had access to sensitive consumer data -- including Social Security numbers and bank account numbers -- reportedly masterminded security breaches last year at Wachovia (Charlotte, N.C.; $542 billion in total assets) and Bank of America (Charlotte, N.C.; $1.3 trillion in total assets).
As at many banks, Bank of America's associates must adhere to a code of ethics and company security policies, Tara Burke, a company spokeswoman, said in a recent article from The Associated Press. She added that bank associates only have access to the information they need to service customers. In fact, Bank of America spends about $250 million annually on various security measures and protections, Burke related in the article, adding that the main function of hundreds of associates is exclusively to protect information.
However, even these efforts may not be enough. "The only way to adequately control employee access to critical data is to monitor their activity and use authorization methods that authenticate users," says IBM's Rosenoer.
While banks also should follow this advice when providing consumers with access to data, the task becomes more difficult. "The challenge is how to do this in a secure fashion," says Roger Sullivan, VP of business development, identity management solutions, at enterprise software provider Oracle (Redwood Shores, Calif.).
Clearly, a standard password or PIN is not sufficient in today's volatile marketplace. "Long ago, customers were satisfied with this method. It provided easy usability and provided what everyone considered secure access to sensitive information," says Kim Legelis, director of industry solutions, Symantec, an information security software provider based in Cupertino, Calif. However, phishing attacks proved just how insecure this method could be. "People worried about how secure this method was since information could easily be shared," she recalls. "In the end, it was an old-fashioned scam that broke the security of passwords and PINs."
This is a prime example of why the Federal Financial Institutions Examination Council (FFIEC) recommended last October that financial services companies employ two-factor authentication technologies, particularly for online applications. But companies also can benefit from deploying multifactor authentication to manage internal user access to mission-critical information.
Two layers of security could be what saved Wells Fargo's computer heist from turning even uglier. There is no indication that the information stored on the computer has been misused in any way, Alejandro Hernandez, a company spokesman, said in an article that appeared in Computerworld. "The computer has two layers of security, making it difficult to access the information," he commented.
In response to the FFIEC guidelines, many banks are adding physical keys to the authentication equation as a second factor. Some banks may require users to input the code embedded on their bankcard or credit card when accessing systems, and others may issue physical token devices that generate random pass codes. Still other solutions tap biometrics, such as fingerprints, to authenticate users.
But with so many methods available to support multifactor authentication, banks currently struggle with how to ensure ubiquity among their user base -- both internally and externally. "For example, should banks provide tokens for users? And are they compatible with what is being used inside institutions?" asks Oracle's Sullivan. "Incompatible tokens create a tower of babble -- not strong authentication."
Set the Standard
The only way for the industry to find the ideal solution for secure consumer and employee access to data is to approach the problem from an industrywide perspective, experts agree. This includes the creation of industry standards that will ensure the protection of consumer privacy as well as the security of mission-critical information on an organizational level. This will be especially important as global commerce continues to explode.
"To do business globally, people and companies will need to open accounts globally as well," says IdenTrust's Klein. "Clearly, companies cannot expeditiously expand their businesses by having to send people to each new location across the globe where the business wants to open a bank account." Thus, companies will need an automated, globally interoperable standard that is accepted by banks when opening accounts and doing maintenance, such as signatory changes, she suggests. Currently, IdenTrust is working to provide a set of standards that authorize the credentials used during account openings, according to Klein.
"These standards will honor a single set of credentials that can be shared across banks globally," says Klein. "It will facilitate account maintenance and be accepted globally by IdenTrust member banks to prevent fraudulent account activity." Nineteen corporations and banks are slated to pilot this initiative, which is being driven by the TWIST Bank Mandate Working Group, she adds. The pilot is scheduled to go live at the end of the summer.