Earlier this month, federal prosecutors unsealed an indictment
charging several men with bank theft on a massive scale. According to
prosecutors, the thieves loaded stolen account data onto magnetic stripe
cards, which they then used to withdraw $45 million from ATMs around the
world.
As financial institutions reconsider their security procedures in the
wake of the breach, much of the attention will naturally fall on
America's reliance on magnetic-stripe cards, whose data can be copied
onto a blank card, instead of the chip-based EMV cards (often called
chip-and-PIN) used in other parts of the world.
While they're at it, though, the banks should also consider another
big security black eye: the fact that it's easier to break into your bank
account than it is to break into your Facebook account.
Protecting Us From Ourselves
It's a fundamental truth of network security that no system can ever
be truly safe from intruders. That's because of one universal weak
point: the user. As long as people insist on opening phishing emails,
picking weak passwords and leaving their PCs unprotected from malware,
hackers will find a point of entry.
So recent innovations in online security have focused on solutions that protect consumers from themselves.
One such solution is two-factor authentication, which aims to protect
users even if their log-in information has already been stolen. It
typically involves sending a second, short-lived passcode to your mobile
phone, on the assumption that whoever managed to snag your password
probably doesn't have access to your phone too; the password alone is
no longer enough to get in. Facebook and Google have both implemented
two-factor systems in recent years.
Javelin Strategy & Research, which consults for the financial
services industry, surveyed the 25 largest financial institutions
and found that just eight let users set up "out-of-band" authentication
on their phones. While that list includes large institutions like Bank
of America, Citibank, JPMorgan Chase and PNC, that still leaves another
17 banks that haven't gotten on board, including Capital One, HSBC and
TD Bank.
"When we have better security for our Facebook and Gmail, maybe it's
time for the banks to step up," says Chester Wisniewski, security
researcher for Sophos. "Consumers are genuinely surprised that it's
easier to log into your bank than it is your Facebook."
Banks that don't offer two-step authentication will usually attempt
to verify your identity by prompting you to answer security questions
that you set when you initially created your account. But those
questions -- including your mother's maiden name and the name of your
favorite pet -- have been criticized as ineffective in the age of
social-media oversharing, because the answers are facts about you
rather than secrets only you know.
"If and when [users] register secret questions with financial
institutions, they should not be putting the answers on social media,"
says Shirley Inscoe, a banking industry analyst for the Aite Group. "A
lot of banks are discontinuing the use of those secret questions because
bad guys are able to find the answers."
Locks on the Door, Motion Detectors in the Vault
If the bad news is that many banks are behind the times when it comes
to preventing access to your accounts, the good news is that log-in
security procedures aren't the only lines of defense against fraud.
"You have to assume that [intruders] are going to gain access, so you
need a platform of protection that works up against that reality," says
Terry Austin, CEO of Guardian Analytics.
Much like the procedures that credit card issuers use to detect card
fraud, Guardian builds a profile of how you typically use your online
banking account; it can then flag sessions that depart from that
pattern. Common giveaways that trip the
alarms can range from unusually large transactions to simply navigating
to a part of the site that you've never used before.
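The following is an added sketch of that kind of behavioural profiling, written for this article and not Guardian's own code or model. It builds a per-customer baseline from a constructed transaction history (amount, site section, hour of day; not real banking data) and then scores a new session against it, returning the reasons it tripped: an amount far outside the customer's norm, a first visit to a site section, or activity at an unusual hour. The thresholds are assumptions chosen for the example.

```python
from statistics import mean, pstdev

# Constructed history for one customer (not real data): dollars moved out of
# the account, the part of the site used, and the local hour of the session.
HISTORY = [
    {"amount": 120.00, "section": "bill_pay", "hour": 19},
    {"amount": 85.50, "section": "bill_pay", "hour": 20},
    {"amount": 400.00, "section": "transfer_internal", "hour": 12},
    {"amount": 60.00, "section": "bill_pay", "hour": 18},
    {"amount": 0.00, "section": "statements", "hour": 21},
    {"amount": 150.00, "section": "bill_pay", "hour": 19},
]


def build_profile(history):
    """Summarise what 'normal' looks like for this customer. Zero-amount
    sessions (just reading statements) are kept for the section and hour
    sets but excluded from the amount statistics."""
    amounts = [h["amount"] for h in history if h["amount"] > 0]
    return {
        "mean": mean(amounts),
        "stdev": pstdev(amounts),
        "max": max(amounts),
        "sections": {h["section"] for h in history},
        "hours": {h["hour"] for h in history},
    }


def score_session(profile, session, z_limit=3.0, hour_slack=2):
    """Return the list of reasons this session looks unlike the customer's
    past. An empty list means nothing tripped. Thresholds are assumed
    values for the example, not tuned parameters."""
    reasons = []
    amt = session["amount"]
    if amt > 0:
        if profile["stdev"] > 0:
            z = (amt - profile["mean"]) / profile["stdev"]
        else:
            # A flat history: anything above the usual amount stands out.
            z = 0.0 if amt <= profile["mean"] else float("inf")
        if z > z_limit or amt > 2 * profile["max"]:
            reasons.append(
                f"amount {amt:.2f} far above typical (largest seen {profile['max']:.2f})"
            )
    if session["section"] not in profile["sections"]:
        reasons.append(f"first use of site section {session['section']!r}")
    if not any(abs(session["hour"] - h) <= hour_slack for h in profile["hours"]):
        reasons.append(f"hour {session['hour']} outside usual activity window")
    return reasons


def decide(reasons):
    """Turn the score into an action: let a normal session through, and
    send anything suspicious to out-of-band confirmation rather than
    blocking outright, so a false alarm costs the customer a text message
    instead of a locked account."""
    return "step_up_verification" if reasons else "allow"


PROFILE = build_profile(HISTORY)

if __name__ == "__main__":
    for s in (
        {"amount": 95.00, "section": "bill_pay", "hour": 19},
        {"amount": 4500.00, "section": "wire_transfer", "hour": 3},
    ):
        r = score_session(PROFILE, s)
        print(decide(r), r)
```

Note what the scorer does not check: it never looks at the password or the login itself, which is the point of the "assume they get in" approach quoted above. The profile is also only as good as the history behind it; a brand-new account, or one whose history an attacker has already shaped with small test transactions, gives it little to work with.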
Even if the algorithms don't stop thieves from making off with your
cash, consumers still have one last line of defense: Federal regulations
say that in most cases, consumers are not liable for fraudulent
transactions on their account.
Still, if someone cleans out your account and you have to wait a week
or more to get your funds back, it's a huge disruption to your life.
And since the financial institution will incur the cost of the fraud,
it too has a clear incentive to stop fraud before it starts.
So that brings us back to the original question: if Facebook and Gmail
can offer account holders two-step authentication, why have several
major banks failed to follow suit with so much money at stake?
Convenience vs. Security
Wisniewski says it's partly a matter of banks not wanting to hinder
the convenience of online banking by introducing another barrier to
entry -- no bank wants to be the first to make it harder for customers
to log into their accounts. Even banks offering two-step log-in don't
turn it on by default. Bank of America, which was named best in class by
Guardian's security report, made me click around a bit before I could
find and enable the feature.
And I'm security savvy. The people who need extra security the most
-- the careless types who reuse passwords and leave their PCs unsecured
-- are the least likely to put enhanced features in place. "If banks
make it optional," Wisniewski observes, "the people who don't need it
will be the only ones who use it."