Financial services companies are struggling to deal with a variety of challenges associated with authenticating and securing their customer accounts in an increasingly complex multichannel environment, a panel of IT security professionals said at this week's RSA Conference in San Francisco.
One of the biggest challenges for financial companies is the speed at which attackers shift their criminal activities from one channel to another, noted those in the panel discussion, titled “Multi-Channel Authentication and Corresponding Fraud Challenges.”
“Whatever channel they can get into, they will,” said Cynthia Bohman, manager of computer security at Discover Financial.
For instance, criminals will phone a bank's call center and use social engineering tactics to reset a customer's password, then access the customer's account via another channel, such as online, said Peter Cookson, the senior IT architect at eBank Portfolio, a TD Bank financial group in Canada. "It's amazing what criminals seem to know about the financial services industry and customer information," he added.
Andy Wen, the director of business systems architecture at eTrade Financial, noted that it's not uncommon for criminals to take the opposite tack: using customer credentials stolen online to contact a call center, then gaining unauthorized access to a customer's account.
Cookson noted that when financial services companies increase security in one channel – online, for instance – the criminals “push fraud to another channel.”
One of the keys to combating this sort of crime, said Wen, is to “focus on the customer, and ensure that our staff have the same view of the customer account no matter what channel they're dealing with.” This channel-agnostic approach is one of the key areas that Discover Financial is addressing, noted Bohman.
A dichotomy in customer attitude is another major factor in authenticating customers and detecting fraud across multiple channels, the panel members noted. One segment of the typical financial institution's customer base is concerned about the security measures in place. The other “doesn't want to deal with it,” Bohman said.
Providing this unified view of the customer, however, takes time, said Cookson.
Financial institutions, like other industries that rely on legacy systems in place before the web became popular, are also dealing with issues related to so-called silos of information. These standalone data repositories mean that information is not readily available across multiple channels.
The authentication issues promise only to become more complex, noted Wen. On one hand, the service area that financial companies cover is expanding. Mobile devices, such as smart phones, are slowly being used to access customer accounts, for example, he said.
In addition, the crooks are more sophisticated, said Wen. The good news: He thinks the industry as a whole is catching up with the bad guys.
The panelists indicated they're still formulating strategies to deal with account access and authentication via mobile devices.
Also taking part in the panel were Jan McGowan, vice president/IT general manager at Bank of the West, and moderator Joram Borenstein, a senior product manager at RSA, the security division of EMC.