Managing Security Issues Of Internet Banking

Managing security issues of Internet Banking: Towards the future of the banking industry

The banking industry has been a target for crime since the beginning of it's time. Bank robberies were being planned and executed since banks were first in operation. In more recent years, criminals have found new ways to access other peoples funds through obtaining account information through the post and looking through individual's rubbish for scraps that have been discarded which could contain vital information that could be used as a means of identification and authentication.

Since the advent of internet banking, the focus has shifted to an overall holistic approach to banking security where electronic security is at the forefront of public concern. But with this in mind, are the banks and other financial institutions planning to combat the ever emerging threats that "cyber criminals" pose? And if so, is the level of protection adequate to provide peace of mind for their customers?

Usernames and passwords have been the primary authentication methods in the computing world since it's origins. Although this was once thought to be an adequate means of securing sensitive data - this is no longer the case. When the internet was first made available to the public, the term "hacker" was associated with a rare, criminal-minded genius that possessed extraordinary computing ability and could penetrate the security infrastructure of any organisation's or individual's computer system. However these days, the term has been "watered down" somewhat due to the mere frequency of hacking occurrences, and ease of accessibility to tools which aid individuals wanting to hack into other computing systems. Nowadays a fairly novice user can perform a search engine enquiry on "password cracker" for example, and download a tool, free of charge, and be on their way to gaining unlawful access to other peoples sensitive and personal data. It is because of this that financial institutions should continually look to better their security and authentication infrastructure and services or they run the risk of losing online customers, and worse yet, losing customers to competitors who have decided to take a proactive approach to internet crime defence.

Internet banking crime can take part in several different forms. One technique that seems to be prevalent today is Phishing. Phishing, as described by techtarget (http://whatis.techtarget.com/), "is e-mail fraud where the perpetrator sends out legitimate-looking e-mails that appear to come from well known and trustworthy Web sites in an attempt to gather personal and financial information from the recipient." Individuals can fall victim to this crime if not properly equipped, and educated in the prevention of internet fraud.

"Banking Fraud is as old as the industry itself, and it continues to be one of the largest expenses faced by many financial institutions, according to Virginia Garcia, research director for Needham, Mass.-based TowerGroup. Garcia estimates that 30 percent to 50 percent of the industry's $55 billion in annual operating losses is attributable to fraud." Bill Harris, chairman of PassMark security in Redwood City, California stated that "In 2005, the industry has reached a consensus that the root problem is authentication," Harris continues. "Passwords are no longer sufficient to let someone in the front door. Traditional authentication methods aren't enough," he asserts. As a result, banks are using a greater array of information and multifactor analysis to lock down systems when fraud schemes are detected" .

So what is authentication? Authentication, as defined by techtarget is "the process of determining whether someone or something is, in fact, who or what it is declared to be". Authentication is generally measured in terms of factors. For example, one factor, two factor, and three factor authentication. One factor authentication is gaining access by providing "something you know", like a password. Two factor authentication is gaining access by providing "something you know", and "something you have", like a security token. Three factor authentication is gaining access by providing "something you know", "something you have" and "something you are", like a finger print, or a retina scan. 192.com have even developed a product called SafeBank, and it "is claimed to be the first ID verification solution to use voice technology to provide extra security for online banking. During customer registration, an automatic call generates a unique audio 'voice-print' as part of the security process." The higher the factor of authentication - the more secure the information will be.

So one factor authentication is what the online banks have had in place since the beginning. The user merely types in their account number and a password. As discussed earlier, we know that this is no longer a secure method of authentication - So why are not all banks adopting at least a two-factor authentication system? "There's a lot of talk about stronger authentication, but banks are extremely hesitant to introduce anything for fear customers will stop using online banking, or go to an institution that doesn't force them to use it," says George Tubin a TowerGroup senior analyst.

We have just examined one reason - fear of losing customers with the adoption of a new process which may make the user experience cumbersome. Banks however are also concerned "whether the cost of introducing some form of two-factor authentication, which would better identify the bank to its customers and vice- versa, would show any return on investment. Two-factor authentication systems strengthen the security of the online environment by adding another element to the usual password identification method now used by most banks. But the methods usually under consideration, like a biometric identifier or a token that generates a random number that the bank computer will recognize as belonging to the customer, all cost money but don't offer a clear business advantage for adopting them." "There's no business case for going ahead with [two-factor] authentication at this particular time, " says Viveca Ware, director of payments policy at the Independent Community Banker's Association.

Avivah Litan vice president and research director of Gartner, Inc, however, could not disagree more - "Most banks are being passive in the face of phishing and other online fraud but should be more proactive" says Litan.

...