The days when you had to hit someone over the head to steal money are long gone. Now you just zap them in cyber space. What’s more, instead of going one-on-one with a potential victim, now you can attack millions of targets at the same time.
“It’s really a continuous assault from a cyber security perspective. Criminals are out there constantly pinging everybody to try to get in and to find out what they can get, be it intellectual property, personally identifiable information, or getting into someone’s bank account,” says Michael Urban, director of financial crimes risk management, Fiserv.
The latest identity-fraud numbers are truly staggering. In 2011, identity-fraud incidents increased by 13%, meaning that 1.4 million more adults were victimized compared with the previous year, according to a study by Javelin Strategy & Research. Data breaches increased 67% year-over-year, to the point that 36 million Americans were notified by their account managers that they had been potentially vulnerable to electronic fraud.
The only comforting result—if it can be called that—was the amount actually stolen remained steady.
Still, that’s cold comfort, especially to bankers responsible for protecting both their customers and their own reputations.
“The type of threat hasn’t changed much at all. It’s the enormity, the complexity—how much and how many,” says Jeremy Callais, vice-president and chief operating officer for MC Bank and Trust Co., Morgan City, La. “Just looking at our intrusion reports, the number of things that are having to be blocked as compared to a few years ago when it was just a handful in a day—it’s just so constant now. So many attacks coming in everywhere.”
Much of the increase can be attributed to the rise of mobile devices, particularly smartphones, and their owners’ often cavalier use of them—such as failing to install the most basic security features.
“The smartphone is perceived more like a toy than a device that is probably as powerful as many PCs were 10 or 15 years ago, with even more network capabilities,” says Urban. “They don’t necessarily lock their phone with a code. They’ll save credentials that they use to access financial services and other websites inside their web browsers and apps.”
The identity fraud study backs this up. It found that 32% of smartphone owners do not update to a new operating system when it becomes available; 62% do not use a password on their home screen; and 32% save login information on their device.
Yet the move to mobile is unstoppable, especially with the fast-rising interest in mobile banking. Fiserv’s Urban ran down a list of mobile-related threats: malware received through text messages; information stolen while sharing an open WiFi system; malware hidden in downloaded apps; and the nonuse on smartphones of antivirus and other security programs commonly employed on PCs and laptops.
“It’s critical...to have the same level of security requirements and security practices [on mobile devices] as you would for any other development project,” says Urban.
MC Bank and Trust Co. is still a year or more away from offering mobile banking, says Callais, but it is nearing the end of the research phase. Its online banking channel has provided a lot of analogous information in the sense that laptops can be seen as a form of mobile banking. Specifically:
“We are at their mercy if [customers] are not protecting their computers,” says Callais. “If they pick up a little piece of malware that’s logging their passwords and IDs, that’s the type of threats our customers are having. Customers have to be pretty diligent on their side as well. That’s another ever-changing thing. It used to be you didn’t have to worry about the customer or how well they maintained their device. But you do now.”
Behavioral analysis helps
The Fauquier Bank, Warrenton, Va., is much closer to offering mobile banking and has laid significant groundwork for security, according to CIO Chip Register. Some features: the system’s inability to remember passwords across sessions; a sign-up requirement for the mobile channel through the online channel; and most significantly, the use of session and transaction behavioral analytics.
In other words, the use of “big data” analysis to get a step ahead of the “bad guys.” It comes down to business-decision management, says Alan Fish, principal consultant at FICO. “Through modeling [as it relates to fraud], you can recognize the characteristics of a fraudster from the way they present themselves in the application process,” says Fish. “Through business-rules management, you can represent the things you’re looking for and then manage them by the hour as circumstances and threats change.”
Says Register: “We’re trying to get a better picture of our customers’ session information during their log in, from some of the time patterns, system patterns, geolocation patterns. So we have tools in place to give us a better profile of all of our customers.” For example, the automated system will sift the data for anomalies, such as sudden withdrawals from accounts that usually are deposit-only. Ironically, smartphones can actually add a security feature unavailable through other channels—the ability to alert a customer to a possible fraudulent transaction in real time.
“This may yield some false positives, as we better learn the transactional behavior of our clients. But I’d rather call a customer with a false positive than to just assume a transaction is normal and it turns out it’s not,” says Register.
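The session and transaction profiling described above can be sketched in a few lines. The following Python is an added illustration, not code from either bank or from any vendor named in the article; the field names, the three-hour window, the five-event minimum history and the allow/alert/hold thresholds are all assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    account: str
    kind: str     # "deposit" or "withdrawal"
    hour: int     # local hour of the session, 0-23
    country: str  # session geolocation (placeholder codes below)

def build_profiles(history):
    """Summarise what each account has done before (known-good events)."""
    profiles = defaultdict(lambda: {"kinds": set(), "hours": set(), "countries": set(), "n": 0})
    for e in history:
        p = profiles[e.account]
        p["kinds"].add(e.kind)
        p["hours"].add(e.hour)
        p["countries"].add(e.country)
        p["n"] += 1
    return profiles

def deviations(event, profiles, min_history=5, hour_window=3):
    """List the ways an event departs from its account's profile."""
    p = profiles.get(event.account)
    if p is None or p["n"] < min_history:
        return ["insufficient history"]  # never auto-clear an unprofiled account
    reasons = []
    if event.kind not in p["kinds"]:
        reasons.append(f"first {event.kind} on this account")
    if event.country not in p["countries"]:
        reasons.append("new country")
    # Circular distance, so 23:00 and 01:00 count as two hours apart.
    if all(min((event.hour - h) % 24, (h - event.hour) % 24) > hour_window for h in p["hours"]):
        reasons.append("unusual hour")
    return reasons

def triage(event, profiles):
    """0 deviations: allow; 1: real-time alert to the customer; 2+: hold and call."""
    reasons = deviations(event, profiles)
    action = ("allow", "alert")[len(reasons)] if len(reasons) < 2 else "hold"
    return action, reasons

# Constructed sample data: A-100 has only ever received deposits.
HISTORY = [Event("A-100", "deposit", h, "US") for h in (9, 9, 10, 10, 11, 11)] + \
          [Event("B-200", k, h, "US") for k, h in
           (("deposit", 12), ("withdrawal", 14), ("deposit", 16), ("withdrawal", 18), ("deposit", 13))]
PROFILES = build_profiles(HISTORY)

if __name__ == "__main__":
    for ev in (Event("A-100", "withdrawal", 3, "XX"), Event("A-100", "deposit", 10, "US"),
               Event("B-200", "withdrawal", 13, "YY")):
        print(ev.account, *triage(ev, PROFILES))
```

The single-deviation "alert" tier is where the false positives Register mentions would land: a legitimate customer travelling abroad trips "new country" alone and gets a real-time notice rather than a blocked transaction.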
Besides high-tech analytics, increased customer and employee education is seen as crucial to cyber protection. Register’s bank currently is rebuilding its website security pages to make them more active and dynamic and to refresh them regularly. Also, the bank sends out regular emails about current or ongoing threats, although, he says, care has to be taken lest readers become numb to too much white noise.
Callais’ bank does much the same thing. It also focuses on maintaining security awareness among employees: using annual online training sessions available from ABA, quarterly one-on-one meetings, and periodic email updates. “We’re just trying to keep everybody always on their toes,” he says.
At the Fauquier Bank, employee education is stressed through webinars, seminars, articles, quarterly updates, and specific-threat recaps.
According to Register, “We do all this to drive home the point that cyber security and fraud management is not just something we do as an event, but it’s part of our entire working culture. It has to be that way. You have to inculcate the idea that risk management is everybody’s responsibility.”