The Security Outlook for Financial Institutions

April 5, 2006
Banking industry on high alert after breaches, incidents of identity theft

A plethora of high-profile data breaches and concerns about identity theft have put the banking industry on high alert. To secure their information assets, banks must implement a cross-channel, multilayered approach that extends beyond technology.

--The Panel--

NALNEESH GAUR, Manager, Financial Services Practice, DiamondCluster Int. (Chicago)

JOHN CARLSON, Senior Director, BITS (Washington, D.C.)

T. KENDALL "KEN" HUNT, Chairman and CEO, VASCO Data Security (Oakbrook Terrace, Ill.)

RAN NUSSBACHER, Business Development Manager, Viisage (Billerica, Mass.)


Q: What lessons have banks learned from recent data breaches?

Nalneesh Gaur, DiamondCluster International: The Anti-Phishing Working Group recently reported that financial services continues to be the most targeted industry sector, growing to 89.3 percent of all attacks in December 2005. Banks have responded by improving customer awareness, improving fraud detection and implementing site takedown services. Other incidents such as stolen laptops and lost tapes also received the media's attention. Most of these incidents resulted in a public relations nightmare for the banks. Nevertheless, banks responded by encrypting backup tapes and prohibiting their staffs from storing customer information on workstations.

John Carlson, BITS: There's a continued focus on improving the controls that financial institutions have internally and with third-party providers, retailers and other organizations that can be a source of data breaches. There's also an increased focus on consumer education on things related to protecting customers from fraud, such as phishing and identity theft. Financial institutions are providing customers with information on steps the financial institution and the customer can take to protect themselves and to deal with identity theft.

Ken Hunt, VASCO: The biggest lesson that we have learned over the past 18 months is that the problem and threats are real. And, unfortunately, once a breach occurs to an organization, the resources used to rectify the situation are significant and substantial. Financial institutions that have already deployed proven security are far less reactive and are methodically and efficiently expanding their usage into new customer segments (e.g., small business and corporate log-in). Financial institutions that were slow to react to a proven security solution over the past 12 months and are doing so to adhere to the FFIEC [Federal Financial Institutions Examination Council] guidelines and/or to protect themselves from fraud are doing so at an aggressive pace. This has used up significant resources. The message is clear: The banks that are reacting to the guidelines and looking to implement the quickest and easiest solutions are merely prolonging the inevitable.

Ran Nussbacher, Viisage: The main lesson is that identity fraud has become "industrialized" - a large-scale professional operation. Therefore, banks can expect to see an increasing amount of stolen and fabricated identities used to establish new accounts, hijack existing ones and perform fraudulent transactions. Moreover, banks must understand that customer data obtained from data breaches and phishing attacks is not limited in its use to the online banking channel. Rather, customer data also is used to create fraudulent identity documents, which are then used at the branch, where the majority of fraud is still committed. Thus, a cross-channel, multilayered approach to identity risk management is needed to successfully prevent identity fraud.

Q: What are banks doing to address identity management challenges?

Gaur, DiamondCluster: Banks must take a holistic view of security and identity solutions to provide preventative, detective and corrective measures over all channels. As a detective measure, banks use sophisticated behavior and risk-based fraud detection solutions to verify suspicious transactions. As a preventative measure, some large banks are developing multichannel authentication strategies for their customers. As a corrective measure, banks have devised policies to rehabilitate their customers after an impact.

Carlson, BITS: Many of our member companies are participating in the Identity Theft Assistance Center, an organization that helps customers affected by identity theft deal with other financial institutions, credit bureaus and others in order to mitigate losses and restore the individual's good name. There are some efforts going on within the industry to share information about phishing attacks and as a means to refer information to law enforcement on the sources of those attacks.

Nussbacher, Viisage: Banks must adopt a multilayered approach to identity risk management as no one tool or technology is sufficient on its own. For example, in the branch, identity verification solutions that use public consumer records to test identity information should be combined with technologies that quickly establish the authenticity of identity documents. Only by using both technologies will banks adequately and consistently mitigate identity risk and prevent identity fraud.

Hunt, VASCO: More and more U.S. banks turn toward strong authentication (two-factor) products to protect against fraud. There is a definitive need for the banks to understand the impact that these solutions have on their customer. After all, there are three pieces to the puzzle: security vendor, bank and, ultimately, the customer. Therefore, the banks need to keep the customer in mind at all times throughout their decision and educate them on security.

Q: How are banks responding to the FFIEC's guidelines for multifactor authentication?

Carlson, BITS: Right now, there's a focus on looking at the authentication practices currently in place, and on analyzing the risks of those authentication systems today and what the risks may be in the future. The industry also is focused on examining what customers will find acceptable, since many of the current multifactor authentication practices are not particularly convenient. We also see an industry focus on dialog with third-party vendors to help identify those systems that strike the right balance in terms of increased security, cost and, most important, convenience.

Nussbacher, Viisage: Banks would be remiss to focus their efforts on the online channel alone or separately from other channels. Truly reducing fraud exposure requires a holistic, cross-channel approach. Two-factor authentication, for example, while securing online transacting, does not fully help with screening prospective customers online. This is because most authenticators are nothing more than access keys, and how can banks be certain about the holder of these keys to begin with? Collecting biometrics at the branch as part of customer identification programs is one example in which offline identity risk mitigation can facilitate the secure use of biometrics as strong factors of authentication in online banking.

Q: How do information security challenges for large banks and small banks differ?

Gaur, DiamondCluster: Big banks engaged law enforcement agencies early to successfully apprehend and prosecute some of the crime perpetrators. Their deep pockets and access to a larger pool of resources allowed the big banks to act quickly, causing the attacks to shift to smaller banks. Small banks lack both deep pockets and adequate access to resources. Therefore, small banks have adopted customer awareness and fraud detection as their primary lines of defense. Small banks should consider collaborating to protect their businesses and customers.

Hunt, VASCO: Fraud always will take the path of least resistance. With respect to protecting themselves, the size of the bank seems to matter less than the bank's security strategy. The banks that focus on protecting their customers against fraud - and not merely adhering to guidelines - seem to work very similar to one another regardless of their size.

Nussbacher, Viisage: On average, large banks have been reducing their exposure to identity fraud through technology, and, consequently, much fraud is now directed at small banks. While some are adopting new technologies, others are fighting the problem by raising their guards and turning away prospective customers for whom little data is available (foreigners and newcomers often fall into this category due to their lack of financial history in the U.S.). While such a strategy is successful at fighting fraud, it clearly hurts banks' efforts at generating new business. This further exemplifies the need for multiple and complementary risk mitigation tools.

--Bank Systems & Technology -- 04/04/06