After the recent analysis on EMI vs. Comerica, discussed in part 1, several resources came to light. A new study performed by Guardian and the Ponemon Institute surveyed 500-plus executives and business owners in small- to medium-sized businesses in its 2010 Business Banking Trust Study about the impact of fraud on businesses' relationships with their banks. The highlights:
Laura: Criminals can capture a password but not timing info if they are getting the password through a phishing site or the malware has a keystroke logger but does not actually look at the browser.
Marsh: A phishing site or keylogger could capture timing info; it is simply a matter of a little programming.
Laura: Unfortunately, there isn't a "small enough" size. I can tell you from experience that if the criminals can make $.50 10,000 times, they would be happy to do so. The lower you make the limits, the more accounts they have to steal to make the same amount of money, but it won't stop the cybercriminals.
It works like this: The question most banks ask themselves is "what level of false positive rate am I willing to accept?" This will depend on the potential loss. So, for example, if there is the possibility that the criminal is stealing $.50, the bank might be willing to miss 20 of those per day.
But, if the criminal is stealing $5,000, the bank might not be willing to miss any of those and would be willing to review 100 cases for every one that is fraud to keep that money from being stolen.
Laura: It's a tough question. My response: "The banks should do it out of integrity for their customers, but they can't until they have a business case for it." The worst part of this is that the only way to get a business case is:
Marsh: Or maybe the playing field is already too level? Banks are in the habit of simply writing off losses due to fraud as an ongoing cost of doing business. Certainly the banks bear large costs, but much of the true cost is borne by merchants and customers too.
Virtually any level of fraud is considered unacceptable in other businesses (except perhaps insurance). Perhaps the playing field should actually be allowed to naturally tilt more in favor of those banks that elect to emphasize security.
Laura: It is bad that the customer is going to have to experience fraud, and more, before the banks can justify this. Supposedly, that is where the government steps in – to require it of all banks and even the playing field.
Marsh: Perhaps banks should be required to purchase third-party insurance for these risks. Let them convince outside actuaries that their online security earns them a good rate.
Laura: I'm torn. I hate seeing consumers/businesses penalized because it doesn't make business sense for the bank to deploy countermeasures, but I don't think the banks should be required either. But I don't have another answer.
Marsh: I just don't think we even have a good enough definition of security, authentication, multifactor, etc., to know what to mandate. For example, would keystroke timing count as a second factor under some proposed regulation? If not, why not?
If so, Zeus would probably chuckle for a second and hardly be slowed.
Laura: Charles, I disagree with the statement that this type of vulnerability could diminish the trust in the banking system as a whole.
I don't think we're even close to people distrusting the internet, but I do think that if enough "bad events" happen and people start using the internet less (for banking, for commerce, for looking up information...) that will hurt our society and our ecosystem substantially.
Marsh: I know I sure don't trust the internet. With malware in the picture, it is the endpoint PC that can't be trusted either.
It is like going out to dinner downtown. We don't want to discourage people from going downtown and spending money, but people do need to know that they have to be significantly more alert for scams and attacks there, which they don't worry about so much in their bank branch in suburbia.
Laura: Again, we aren't there yet, but I think it is important to watch for that erosion of trust, because one bad experience online will have impact across many online verticals.
One recent quote sums it up:
"Banks have a new troubled asset – their customers," said Terry Austin, CEO, Guardian Analytics. "The survey data proves that financial institutions are failing to protect the small and medium businesses that are at the heart of our economic recovery. SMBs are fed up with the banks that are leaving them vulnerable to fraud and not reimbursing them when they are attacked. Banks that do not improve their fraud prevention practices will lose customers and hurt their own recovery."
Here are three steps any small or large business can take to protect its bank accounts: