Monday, April 28, 2008

Online Banking Lacks in Providing Consumer Confidence

MBA (4/28/2008) Palaparty, Vijay
Thirty-two million consumers either discontinued banking online or refused to begin online banking last year due to a lack of confidence, according to research from Gartner Inc., Stamford, Conn. Their reluctance may be justified: some banks, such as M&T Bank, Buffalo, report that the frequency of attacks has increased tenfold in the past three years.
“The volume of attacks has increased and they are specifically targeted toward consumers,” said Matt Speare, CTO of M&T Bank. “The biggest threat to the online channel is having a high level of assurance that the consumers are who they say they are while maintaining a user-friendly experience. What we’ve seen, as internet fraud hackers move from an egocentric model to a financially driven one, is that they’ve migrated from the traditional consumer type of hacks to those of commercial business as well.”

Avivah Litan, vice president and distinguished analyst at Gartner, reported the emergence of four attack vectors in 2007. “The first vector attacks directly against consumers through phishing and spyware,” she said. “Thieves are stealing financial and personal data, usernames and passwords.”

The other vectors include hackers injecting malicious code into e-commerce sites and breaches of card systems. The card system breaches were reported as a significant development because companies tend to leave devices situated on network peripheries unsecured, Litan said.

“They gain access through wireless networks that are not secure or secured improperly,” Litan said.

The fourth attack vector against companies involved internal fraud that was linked to external fraud—collaborations between “crooks” within companies who aid outside “crooks” to compromise data.

“Last year alone saw a $2 billion loss in sales transactions online,” Litan said. She suggested a layered approach to security because of the uncertainty about the source of attacks, which often occur through email, data transfers, hackers entering using malware, or database administrators making unauthorized changes or taking data outside the company.

“It requires many approaches,” Litan said, listing data protection through encryption, host intrusion prevention to stop hackers, email monitoring, application source code scanners, application security scanners and even firewalls as possible mechanisms for protection and prevention.

“You have to be able to look inside the application to determine whether the user is a legitimate user,” Litan said. “When thieves hijack accounts, you have to be able to detect that.”

Advances in malware still make it hard for companies to separate legitimate users from impostors. Litan described a behavior monitoring approach that alerts on fraudulent activity by monitoring users at each access point. Customers reach a bank through a branch, ATM, kiosk, phone and online. Fraud detection requires monitoring these channels from a physical location perspective and, even more closely, through IP address monitoring.

“Look at channels and what we expect of the users,” Litan said. “Apply our own rules on what our enterprise considers suspicious and monitor and stop the transactions that are questionable. It requires going back to the consumer to verify activity.”

For example, Litan said, a user might make an online transaction on one coast of the U.S. while simultaneous activity occurs at an ATM in another distant geographic location. She said that should raise a red flag to stop both transactions until the user is contacted and asked for verification.

“It’s a seamless, continuous method to monitor access behavior and compare that to what we expect of the user to ultimately stop unauthorized transactions,” Litan said.

Both Speare and Litan agreed that too much interference could also be troublesome, throwing off their “good” users. Consumers want a few questions to authenticate but are concerned mostly with efficiency, Litan said. Regardless, visible security measures seem highly important to most consumers—80 percent find them very important while only 5 percent said they do not care at all.

“The solution should catch 95 percent of fraud and you don’t want a high false positive rate,” Litan said. “It should also have a response team that is available 24/7 because criminals tend to strike on weekends and holidays. The system should provide ease of use for companies and also have a web portal. Most importantly, though, it should provide analysis and information from which companies can learn and constantly work to improve their systems.”

“Risk-based authentication will be a cornerstone for our anti-fraud efforts,” Speare said. “While there is a lack of an available federated identity theft management model, risk-based authentication offers the best hope of assurance to prevent loss for both our institutions and consumers.”
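The access-behavior monitoring Litan describes (comparing activity across branch, ATM, kiosk, phone and online channels by physical location and IP address, and holding both transactions when a customer appears on two coasts at once) and the risk-based, low-friction authentication Speare favors can be shown together in a small scoring check. The code below is an illustration added to this article; it is not M&T Bank's, Gartner's or any vendor's system. The events, channel names, IP addresses (documentation ranges), speed limit, scoring weights and thresholds are all constructed assumptions chosen to show the idea: a strong signal (impossible travel between two channels) freezes the affected transactions pending customer verification, while a weak signal (an unfamiliar IP) only asks the customer a few extra questions, keeping interference low for good users.

```python
"""Access-behaviour monitoring across banking channels.

Illustration added for this article (not M&T Bank's or Gartner's code):
events are constructed, and channel names, thresholds and the scoring
weights are assumptions chosen to show the idea.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Set, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0        # assumed: no customer moves faster than this between channels
CORRELATION_WINDOW_S = 6 * 3600  # assumed: compare a new event with this much prior history
SCORE_IMPOSSIBLE_TRAVEL = 80     # assumed weight: one strong signal alone holds the transaction
SCORE_UNFAMILIAR_IP = 30         # assumed weight: a weak signal alone only triggers a challenge
CHALLENGE_AT, HOLD_AT = 30, 70   # assumed thresholds on the accumulated score


@dataclass(frozen=True)
class Event:
    txn_id: str
    user: str
    channel: str               # branch, atm, kiosk, phone or online
    ts: int                    # seconds since the epoch
    lat: float                 # branch/ATM/kiosk location, or geolocated client IP for online
    lon: float
    ip: Optional[str] = None   # only the online channel carries a client IP


@dataclass(frozen=True)
class Decision:
    action: str                       # allow, challenge (a few extra questions) or hold
    score: int
    reasons: Tuple[str, ...]
    hold_txns: Tuple[str, ...] = ()   # transactions frozen until the customer verifies them


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    h = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def evaluate(event: Event, history: Dict[str, List[Event]],
             known_ips: Dict[str, Set[str]]) -> Decision:
    """Score one event against the customer's recent activity on every channel."""
    score, reasons, to_hold = 0, [], set()
    for prior in history.get(event.user, []):
        gap_s = abs(event.ts - prior.ts)
        if gap_s > CORRELATION_WINDOW_S:
            continue
        dist_km = haversine_km(event.lat, event.lon, prior.lat, prior.lon)
        # Treat simultaneous events as one second apart so the implied speed stays finite.
        speed_kmh = dist_km / (max(gap_s, 1) / 3600.0)
        if speed_kmh > MAX_PLAUSIBLE_KMH:
            score += SCORE_IMPOSSIBLE_TRAVEL
            reasons.append(f"{event.channel} activity {dist_km:.0f} km from {prior.channel} "
                           f"txn {prior.txn_id} only {gap_s}s apart")
            to_hold.add(prior.txn_id)    # the earlier transaction is suspect as well
    if event.channel == "online" and event.ip not in known_ips.get(event.user, set()):
        score += SCORE_UNFAMILIAR_IP
        reasons.append(f"online access from unfamiliar IP {event.ip}")
    history.setdefault(event.user, []).append(event)
    if score >= HOLD_AT:
        to_hold.add(event.txn_id)
        return Decision("hold", score, tuple(reasons), tuple(sorted(to_hold)))
    if score >= CHALLENGE_AT:
        return Decision("challenge", score, tuple(reasons))
    return Decision("allow", score, tuple(reasons))


def run_demo() -> Dict[str, Decision]:
    """Constructed sample: coast-to-coast online/ATM activity, an unfamiliar IP, normal branch/ATM use."""
    t0 = 1_209_340_800
    history: Dict[str, List[Event]] = {}
    known_ips = {"cust-1": {"198.51.100.7"}}          # constructed, documentation-range address
    events = [
        Event("T1", "cust-1", "online", t0, 40.71, -74.01, ip="198.51.100.7"),   # New York
        Event("T2", "cust-1", "atm", t0 + 120, 34.05, -118.24),                 # Los Angeles, 2 min later
        Event("T3", "cust-2", "online", t0, 41.88, -87.63, ip="203.0.113.9"),    # customer with no known IPs
        Event("T4", "cust-3", "branch", t0, 41.88, -87.63),                     # Chicago branch
        Event("T5", "cust-3", "atm", t0 + 7200, 41.85, -87.65),                  # nearby ATM, 2 h later
    ]
    return {e.txn_id: evaluate(e, history, known_ips) for e in events}


if __name__ == "__main__":
    for txn, d in run_demo().items():
        print(txn, d.action, d.score, d.hold_txns, *d.reasons)
```

Running the demo, T1 is allowed, T2 is held together with T1 because the ATM withdrawal is about 3,900 km from an online session two minutes earlier, T3 gets a challenge rather than a hold, and the Chicago branch visit followed by a nearby ATM two hours later passes untouched. Tuning the weights and thresholds against real traffic is what sets the fraud catch rate against the false positive rate that Litan warns about.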
