When a gang of armed thieves raided a cash security depot in the south of England last month, they made off with more than $90 million in the largest robbery in the country's history. However, a slew of arrests just days later highlights the risks criminals run by adopting such highly visible tactics. It is not surprising, then, that more-insidious, faceless forms of financial crime -- many targeting consumers' growing penchant for online banking and financial transactions -- are on the rise.
Indeed, in its Financial Risk Outlook 2006, published in January, the U.K.'s Financial Services Authority (FSA) points to financial fraud as one of the areas of greatest concern for the coming 18 months. And it is the same picture the world over. As the U.S. Federal Deposit Insurance Corporation (FDIC) noted in a supplement released last June to its Dec. 2004 study, "Putting an End to Account-Hijacking Identity Theft," identity theft in general, and account hijacking in particular, continue to cause significant problems.
Previously, phishing had been the biggest online threat. But over the past year or so, that has begun morphing into more behind-the-scenes, less-obvious malware attacks, such as the use of key-loggers, with which criminals capture customer keystrokes (and passwords), notes Alecia Kontzen, senior vice president, e-commerce risk manager with Charlotte, N.C.-based Wachovia Bank. "The MO [modus operandi] of the fraudsters has evolved to be much more sophisticated and stealthy," she says. "So that, in turn, means we have to look deeper beyond the obvious."
Given these enhanced and evolving threats, the FDIC concluded in its June update that financial institutions should implement some form of multifactor authentication or layered security to protect sensitive customer data. Those findings were bolstered in November by the Federal Financial Institutions Examination Council's (FFIEC) guidance, "Authentication in an Internet Banking Environment," which concluded that single-factor authentication -- for example, a user name and password -- is inadequate as a stand-alone measure for high-risk transactions, such as those in which customer information is exposed. Instead, firms should implement multifactor authentication, layered security or some other control where a perceived weakness exists, the FFIEC recommends.
For many of the leading financial institutions, this is the direction in which they already have been moving. The top 25 banks, at least, already had multifactor authentication of some sort in play before the FFIEC ruling, relates Karen Massey, senior research analyst, consumer banking practice, with Framingham, Mass.-based research and consulting firm Financial Insights. "Multifactor authentication doesn't necessarily mean every login or transaction needs two authentication procedures," she explains. "What it means is you need to assess the risk. So a lot of banks already had something in place where a wire transfer over, say, $25,000 would have some sort of checkpoint, and that would fulfill the definition of multifactor authentication for particularly risky transactions."
Below the top-tier financial institutions, however, multifactor authentication is less common, either because of the expense of supporting such initiatives internally or the fear that customers will react negatively if the security burden is passed to them. The current push by regulators to force banks toward multifactor authentication is, therefore, to be applauded, particularly for corporate customers, says Maggie Scarborough, research manager, corporate banking practice with Financial Insights, "because then there is enough attention around multifactor authentication that these banks that haven't done anything, or have only done it for certain customers, will appropriately react and implement it."
Yet, there is something of a customer paradox for financial institutions to face as they address these issues. While various studies show customers are concerned about online security, at the same time, many express an aversion to dealing with additional, and potentially burdensome, security measures. As Rob Shenk, vice president of retail cash management with E*Trade Financial, observes, "While many customers have started to vocalize concern over security, they'll be more vocal if you change something in the transaction environment that is already working well for them. So they want both security and continued ease of use."