Well Street Journal, May 13, 2007 – The last remaining banks offering Internet banking services have finally thrown in the towel and announced cessation of Internet banking services. Internet banking products have been gasping for air since early 2005 when Bank of America stood up to its own customer. In a widely publicized case, B of A held its legal ground when e-thieves illegally transferred $90,000 from a customer’s account. Thieves gained access to the account after discovering the customer’s user ID and password on the laptop computer they had stolen.
B of A’s position was that their security had “done its job” and they could not be held responsible for their customer’s inability to adequately protect his computer and the information it contained. Banking customers across the country reacted negatively to the news that funds in their accounts were not being protected. “If I lose my checkbook, or have it stolen, my bank will stand behind me and protect my funds. Why doesn’t this apply to every method of accessing my accounts?”
Long-time e-banking customers recognized the risk of continuing to do Internet banking with their bank and began closing their Internet accounts. Most bank customers have gone back to the paper check as their primary way of making payments.
As anxious customers cancelled their Internet banking services, banks noted the impact in multiple places. Paper check volumes increased by 10 percent, the first increase in more than five years. Call center and branch transactions increased by similar amounts. Banks responded by increasing staffing at their branches, call centers, back offices and item processing facilities. Bank earnings nose-dived as non-interest expense increased at precipitous rates.
Read the full story, A13
Is this a pipe dream? Not really; this one event, plus the multitude of recent intrusions and data thefts, will go a long way toward weakening customers’ tenuous hold on trust in doing financial transactions on the Internet. A recent article in the Wall Street Journal included the following incidents reported this year:
Once that trust has been broken, it will be very difficult for it to be reestablished.
Banks have tightened security measures but continue to be exposed to increasingly sophisticated attempts to gain access to customer accounts. Phishing, and now pharming, have received a tremendous amount of publicity in the past few months. Education of the customer has been the first line of defense. It is now estimated that 85,000 sites are generating phishing attacks, some against bank customers. Do the math: if a million requests for user ID and password are sent out, a meager success rate of one-half of 1 percent will yield information on five thousand accounts. Given the numbers, it is simply not possible to guarantee perfect security.
Well GonzoBankers, what can be done to keep customers’ trust in the safety of the Internet? First, repeat after me, “I have devoted significant resources to protect my customers’ data and I am now convinced that total security is unattainable!” Excellent! The new mantra is, “In spite of my best efforts, bad guys are going to gain access to my customers’ information; my objective is to prevent or limit damage when they gain access.” Don’t conclude that all the efforts to date should be abandoned; they must continue and grow more sophisticated as the attackers’ techniques do.
Banks and service companies have two major exposures to the bad guys:
Internet banking applications offer thieves several opportunities to instantly enrich themselves. In the Bank of America incident noted above, the thief gained access with stolen credentials and then transferred all of the customer’s money to a foreign bank account. Another exposure is the bill payment feature. Just as funds can be transferred out of an account, a payment can be made to a third party. When bill payment processing is performed, it will make payment to the thief with an ACH transaction or a paper check: same result, but the damage takes a day or two to complete and could possibly be reversed if discovered in time.
Here are some best practice strategies that could be implemented to prevent damage when – and it’s safe to assume it will happen – the bad guys have gained access to customer accounts.
Strategy 1. Do not allow transfers to external accounts. I can hear the marketing department screaming now. But think about it: if the money cannot be transferred out of the bank, the thief cannot possibly remove the funds. Many of our clients allow unlimited transfers within the bank to accounts owned by their customers. At worst the thief could move money around and cause mischief, but could not financially hurt the customer.
Strategy 1a. Allow external transfers, but only to registered accounts. If Strategy 1 causes too much backside puckering in the marketing department, this may be a reasonable and safer alternative. Transfers can be made outside the bank, but only to accounts that a customer has requested and that have been verified as legitimate by both the bank and the customer. My Internet banking account works in this way. It is necessary for me to identify the account, and then the bank verifies it to be a valid account that belongs to me. Before the account is activated and becomes available for transfers, a letter is sent to me confirming my intentions. For the thief, the additional steps make it unlikely that an account can be set up before a red flag is raised.
Strategy 2. Like the ATM daily limit, set limits on how much can be transferred outside the bank in a given day. Allowing customers to pick a limit would also give the bank the opportunity to educate customers on the purpose of a limit and how it can protect them from potential criminal activity.
Strategy 3. Requiring a normal range of payments to be specified for each vendor can reasonably protect bill payment. When making payments, the amount paid can be compared to the range limits. An attempt to make a payment outside the limit would trigger an exception that could be investigated before being paid.
Strategy 4. Put the full-court press on your Internet banking product vendor to implement fraud detection software.
Credit card companies are great at this. As frustrating as it is to get a call from a credit card company when it spots suspicious, but legitimate, activity, it is a relief to know the company is on the lookout for fraud. Similar capabilities will eventually find their way into Internet banking products. Banks can help shorten that time by pressuring their vendors to implement measures to detect and prevent fraud.
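To make Strategies 1a, 2 and 3 concrete, here is an added example (hypothetical Python, not any bank's or vendor's code) of a transfer and bill-pay authorization check: an external destination must be registered, daily external outflow is capped, and a bill payment outside the vendor's normal range is held for review. The class and function names, the limits and the constructed customer record are assumptions.

```python
# Added example: authorization policy modelling Strategies 1a, 2 and 3.
# Hypothetical code, not any bank's or vendor's implementation.
from dataclasses import dataclass, field
from datetime import date


@dataclass
class CustomerControls:
    # Strategy 1a: external accounts the customer requested and the bank verified
    registered_external: set = field(default_factory=set)
    # Strategy 2: daily cap on money leaving the bank (whole dollars in this example)
    daily_external_limit: int = 0
    # Strategy 3: normal payment range (low, high) per bill-pay vendor
    vendor_ranges: dict = field(default_factory=dict)
    # running total of external transfers already sent, keyed by day
    sent_by_day: dict = field(default_factory=dict)


def authorize_transfer(ctrl, dest, amount, internal, today=None):
    """Return (decision, reason). Transfers within the bank to the customer's
    own accounts are allowed; external transfers must pass 1a, then 2."""
    today = today or date.today()
    if internal:
        return ("allow", "internal transfer; funds stay in the bank")
    if dest not in ctrl.registered_external:
        return ("deny", "destination is not a registered external account")
    sent = ctrl.sent_by_day.get(today, 0)
    if sent + amount > ctrl.daily_external_limit:
        return ("deny", f"daily external limit {ctrl.daily_external_limit} exceeded")
    ctrl.sent_by_day[today] = sent + amount  # count it against today's limit
    return ("allow", "registered destination, within daily limit")


def authorize_bill_payment(ctrl, vendor, amount):
    """Strategy 3: amounts outside the vendor's normal range go to an exception queue."""
    if vendor not in ctrl.vendor_ranges:
        return ("hold", "no normal range on file for this vendor")
    low, high = ctrl.vendor_ranges[vendor]
    if not low <= amount <= high:
        return ("hold", f"{amount} outside normal range {low}-{high}; send to exception queue")
    return ("allow", "within normal range")
```

A held payment is not lost, only delayed until someone looks at it; that delay is the day or two the text says a thief's bill-pay attack needs, and it is where it can be reversed.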
Theft of information contained on files has risen to alarming levels. Recently several incidents have occurred where backup files were “lost or stolen” while in transport to an offsite storage facility. Information contained on the files included credit card numbers, account numbers, Social Security numbers and other critical information. Online vendors are increasingly saving their customers time by storing their credit card information for them. Hello, criminals, I have a file containing hundreds of thousands of valid credit card numbers along with cardholder names and addresses! These sites are chumming for criminals.
As with Internet banking, extensive sums of money are being spent to secure information. If it is assumed that, in spite of every precaution taken, the bad guys will find a way into the bank’s network (because there’s a good chance they will), it is time to initiate the following strategy:
Strategy 5. All sensitive information inside the network and all information on files sent outside the facility will be encrypted.
Yes, it will take some work to follow this strategy, but the results will be dramatic. Should criminals gain access to the network, or should they “borrow” a backup file, the information will be nothing but gibberish, unusable to them. It will take some serious and expensive computer resources to break the encryption. For this reason, encryption will effectively neutralize a successful attempt to obtain a bank’s sensitive information.
Regardless of the sentiment about Internet banking customers, a bank that disclaims responsibility for the safety of its customers’ money will soon see those customers losing trust in the bank and Internet commerce. For customers that lose money from their account due to the bad guys, banks should do the right thing. Replace the money and continue working on these and other ideas to gain back customer confidence in the bank and Internet commerce.
Does it really make sense to add staff when the electronic channels are abandoned?