Online banking feels like a traditional channel these days -- especially compared with its newer, sleeker cousin, mobile. But security threats to online banking are anything but old news.
Facing evolving and increasingly sophisticated online attacks, banks must remain vigilant in creating the proper defenses while still enabling the online channel to provide the convenience that customers have come to expect. At the same time, banks also must continue to educate consumers about how to protect themselves and their data. Creating that delicate balance between strong security measures and convenient access can be a challenge, acknowledges Ghan Desai, CIO and CTO of Team Capital Bank ($773 million in assets). But achieving that goal is critical.
According to Desai, Team Capital uses multifactor authentication and one-time passwords, but the Bethlehem, Pa.-based bank eschews challenge questions because they can annoy customers and don't enhance security that much. And while some customers find using one-time passwords inconvenient, he relates, Team Capital is quick to point out that the security benefits outweigh any inconveniences. "Sometimes we have to explain to and educate the customer so they know we are doing this for their own security," Desai says. "At the same time, customers want convenience -- they don't want to jump through 10,000 hoops to get to their accounts."
Desai believes that phishing still is the top fraud threat for online banking consumers. For this reason, he says, it is critical that customers exercise vigilance. "We believe that if consumers follow a bank's multifactor authentication guidelines, they will be safe," Desai notes.
But while most people take the proper security precautions with laptops and desktop computers, they often do not follow security best practices on a mobile device, according to Julie Conroy McNelley, a senior analyst with Aite Group (Boston). "They don't treat their tablets and smartphones like the little computers they are," she says, adding that consumers need more education about mobile security risks from banks. The online and mobile channels, however, also make it easier for consumers to detect fraudulent activity on their accounts, Conroy McNelley adds, because they often check them with regular frequency, rather than "waiting to get mailed a statement once a month."
Small Organizations Are a Growing Target
It's not just individual consumers who need to be more aware of online security risks. Team Capital's Desai reports that business accounts increasingly are the target of fraud -- and they entail a different set of security concerns. "There are larger sums of money to be gained there, and businesses have more sophisticated services, such as wire transfers and ACH transactions," he says. "Someone can hack into a business's online banking and wire money out."
This especially can be an issue for small business owners, Desai stresses, because many lack even basic online security knowledge. For example, "An owner of a small shop might just buy a router from Best Buy and keep the default admin password on it, and it's easy for someone to break into the network and potentially install malware," he relates. And while banks tend to assume responsibility for fraud targeting consumer accounts, Desai adds, business customers typically are held liable for fraud committed against their accounts, making security measures on the business customer's side paramount.
Meanwhile, community banks and credit unions, which in the past may not have been targeted to the same extent as large banks, also face intensifying attacks as more consumers move their money to those institutions, contends Aite's Conroy McNelley. "I guarantee the bad guys were aware of Bank Transfer Day and that there were fraudulent applications made that they hoped would not get noticed and fall through the cracks," she says.
An Evolving, Cross-Channel Arms Race
But even large banks with best-of-breed technology cannot let their guard down. Although online banking has grown into a more mature channel over the past decade, malware and fraud schemes targeting it also have evolved, points out Ben Knieff, director of product marketing at New York-based Nice Actimize. "We're in a continual arms race with the bad guys," he says, noting that part of the problem is that "How we interact with computers has changed" over the past decade. "We can access financial services from a ... wi-fi hotspot at a public park," Knieff says. "People maybe don't have the security concerns anymore [with online activity] that have been instilled in them over the last decade."
In addition, just as banks seek to glean customer insight across channels, criminals too have embraced the cross-channel outlook when it comes to fraud, Knieff says. "The criminals are seeking to compromise multiple points of control," he explains. In order to combat this, Knieff continues, banks' fraud prevention teams must have access to that same cross-channel picture of customers that is provided to the marketing department.
Further, banks must be aware of online attacks against third-party sources that have access to customer account information, Knieff stresses, citing the Sony PlayStation breach earlier this year that exposed 77 million user accounts. "Unfortunately, somebody else's failure in security can have an impact on financial institutions," he says.