How many times have you heard a financial institution's CEO proclaim that protecting its clients' information is a "top priority"? No kidding. That's like saying Curt Schilling's job is to win ball games. Talk about stating the obvious.
It's true that a financial institution's reputation is at stake every time a data tape falls off the back of a FedEx truck or a phisher manages to obtain a client's data. However, protecting a client's information is becoming more difficult by the day. Hackers, key loggers and phishers are regularly finding new ways to circumvent established security safeguards. As a result, new security technologies are being developed to address specific threats. But it seems that each new measure -- such as hard tokens, biometrics and usage tracking -- has at least one drawback. Thus, firms are reluctant to deploy any of the technologies.
Hard token authentication requires each user to carry a key chain-size device that generates a changing pass code. What happens if a user loses the device? Who pays for the replacement? Biometric authentication still is expensive and can be intrusive. And usage tracking authentication -- in which a computer tracks how, when and from where users typically access their accounts -- can lead to ease-of-use concerns if the tracking is too stringent.
Further, while each security method serves its purpose, no single procedure can provide total security. This forces many firms to pick and choose which technology to implement. As a result, consumers aren't quite sure which institution offers the best security or which threats should be considered the most dangerous. To help, the Federal Financial Institutions Examination Council (FFIEC) issued guidance late last year that effectively mandated multifactor authentication for online transactions. But many firms still are confused over what "multifactor" really means (see cover story, page 28).
But to formalize any industrywide security response likely would be useless, as cyber criminals will continue to find new ways to steal financial data. Not surprisingly, TDAmeritrade, E*Trade and others have customer online security tutorials right on their home pages; others have removed all URL links in their e-mail correspondence with consumers and have let users know that they should consider any e-mail with a link from their firms to be fraudulent. For now, it seems, the industry's best line of defense -- and the proverbial low-hanging fruit -- is the education of the financial customer.
Greg MacSweeney is editorial director of InformationWeek Financial Services, whose brands include Wall Street & Technology, Bank Systems & Technology, Advanced Trading, and Insurance & Technology.