In our first look at safer eBanking, we provided an overview of the threats that exist in today’s online world. Now, we will tackle the levels of security available today and what to expect in the coming years.
Today, most corporate eBanking applications offer secure environments for business customers. This is attributable to two factors - the first being the lack of regulatory protection for corporations or businesses. Without regulations in place, businesses have demanded stronger security from their banks, because if they experience fraud, the bank does NOT have to reimburse them. The second factor relates directly to the velocity and volume of funds. Criminals can get very large sums of money from corporate transactions very quickly from almost anywhere, further reinforcing security demands for corporate banking applications.
While security exists for most corporate banking applications, it can be improved. Security today is very basic and readily compromised. The “arms race” for robbing a bank still leaves the banks painfully behind. Instead of investing in stronger security, banks continue to try to leverage their existing short-term investments to improve security. Where they previously had a dynamic password at login, they now have it at the transaction execution. This year the FFIEC updated banking guidelines to include adoption of a multi-layered approach to combat highly sophisticated attacks resulting from high-profile security breaches – which was a major step in the right direction toward stronger banking protection.
When it comes to attacks, Automated Clearing House (ACH) is emerging as the leading attack vector. The complexity of the transactions (and volume) makes it impossible to adequately protect with the current counter-measures banks have in place. These types of wire transfers are still heavily attacked because of the speed of execution. However, when it comes to protection, it is easier for banks because of the one-to-one transactions and ease to verify the intent with the customer.
On the other end of the attack vector is retail banking, aimed at consumers, who are not often attacked for a variety of reasons. The first reason being the U.S is a credit-based society – customers carry low checking balances (whereas in EU and other regions, retail is attacked heavily). There is also a low speed of money movement and lack of robust functionality for retail. This channel is still quite slow to move money out of a personal account to another bank. Consequently, security for retail customers has basically gone unchanged for the past 5-7 years for several reasons: low risk, low money movement, and low number of attacks.
Historically, consumers view security as “the bank’s problem” and tend to pushback on requirements to use additional security they view as inconvenient. Regulatory protection for consumers exists requires reimbursement for any fraud losses. The trend on the consumer side is to provide a hardened browser for the user to leverage for banking. This is a strong step in the right direction, although limiting in portability and also does not address the mobile sector, which s increasing growing with the rise of the smartphone adoption. The security on mobile devices is largely overlooked as attacks are rare, but this sector will see an increase in attacks as mobile banking continues to grow. New ways of managing money are new targets for attackers.
So what does the future hold? Well for corporate banking strategies, it will mean implementing PKI into the mix. Public Key Infrastructure (PKI) is a cryptographic technique, which enables users to securely communicate on an insecure public network, and reliably verify the identity of a user via digital signatures. 2012 will see banks dramatically improving their corporate banking security with many launching full PKI initiatives to protect ACH fraud - which is the only effective way to address it. While most projects will not complete in 2012, the tipping point will be in sight if not reached already.
Retail banking will begin to evolve and require legitimate security. As customers demand more robust functionality for retail banking, security will become the limiter in what banks can safely deliver. In a new survey, 2012 Faces of Fraud, 58%of the 200+ respondents indicated their institutions would see increased fraud resources this year, yet only 11% have fully conformed since the FFIEC guidance was updated last summer. The need to invest is stronger security technology is here, and banks will begin to recognize this necessity as regulations become tighter.
Mobile banking security will also become a top priority this year and in the years to come. Speculation on FFIEC guidance for mobile is coming, setting requirements to add security elements. Attacks at the mobile channel will proliferate until security is added. To fight this, banks will layer a secure web browsing experience with other technology like one-time passwords (via the mobile phone) for stronger protection.
On the consumer-side, customers will start to demand and expect security. As the demographic of the customer base shifts to a generation that is more familiar with the Internet, customers will put increasing pressure on banks to improve security (and functionality). This new group of consumer knows the threats that exist today online and will begin to pullback from the channel if security is not improved. That said, security could become a new line of business for bank-to-bank relationships, mirroring the correspondent banking relationships that exists today.