Keeping just ahead of competitors is not the solution to online fraud protection, says banking risk adviser David Leach. Ultimately banks may require more help from government and other industries
When I first moved to Singapore from Australia nearly five years ago, I needed to transfer $20,000 to help set myself up. My Australian bank advised me that I could simply log into internet banking and do it there. I couldn’t believe it: a simple username and password to transfer a relatively substantial amount of money, enabled and available by default?
What made the matter worse was that the drawing account was a transactional mortgage, so that a significantly larger balance was available for withdrawal than a typical consumer transactional current account. When I enquired, I was told I could not disable this feature.
Reducing the daily limit from $50,000 to $5000 was my only way of reducing my risk. What percentage of customers in a typical retail bank would need this kind of service enabled by default?
The landscape has changed since 2003. Identity theft-related payment fraud due to phishing, keystroke loggers, and other attack vectors has increased significantly; financial institutions have had to act. Banking regulators in several countries now mandate the use of two-factor authentication for high-risk transactions, and some regulators now require this control to be in place at login to protect consumer privacy as well as account integrity.
Payment fraud loss is not the only driver behind increased security controls for internet banking in these markets. Fraud loss is a big concern for which many banks will assume liability, but declining consumer confidence and the potential for reduced channel usage also represents a big part of the picture.
Customers are increasingly looking for online banking options to complement the range of existing channels available. Research tells us that they want a mix of channels, each servicing a particular requirement. Our customers gain a competitive advantage by going online through cost savings, convenience and transaction immediacy.
Cost savings gained by both bank and customer through increased usage of the online channel in preference to traditional proximity channels such as branch, ATM and remote channels, such as fax, interactive voice response, and call centre, are significant. With most organisations focusing on reducing operating cost, the message for everyone is simple: go online, or perish.
Stronger controls for internet banking are implemented largely for customer assurance, primarily to increase online usage, and to a lesser, though still very important, degree to contain fraud loss. (See Revived e-fears resurrect biometric false starters.)
Since 2003, the Monetary Authority of Singapore has encouraged its member banks to adopt two-factor authentication for internet banking, and it has mandated two-factor authentication at login since 2006.
In late 2004 the Hong Kong Monetary Authority and the Hong Kong banking industry agreed that two-factor authentication should be used for high-risk transactions. The US Federal Financial Institutions Examination Council followed in late 2005 by issuing guidance on authentication for internet banking.
Implementing two-factor authentication in the online banking channel is the first of several steps that need to be taken to reduce payment fraud risk. While regulatory compliance triggered the initial decision to implement two-factor authentication, for Standard Chartered Bank the approach has always been risk-based.
Implementing two-factor authentication was a business enabler: online addition of beneficiaries became possible, whereas our risk assessment before two-factor authentication had recommended against offering such functionality.
We carried out an objective selection process at Standard Chartered that considered regulatory compliance, “voice of customer”, cost, and risk. Cost versus residual risk is a well-established litmus test when considering what control will best manage a particular risk.
We compared predicted control effectiveness of each mechanism over time against its projected capital and operational cost within the same period and came up with a set of cost-feasible solutions. In parallel, focus groups were set up to get feedback on usability of the short list, and, ultimately, one-time PIN via SMS was selected as the preferred solution.
This was preferred because it also gave us the ability to implicitly notify the customer what they were authorising, which other solutions failed to achieve. For example, if I added a payee I might get an SMS such as: “Your one-time PIN to add payee John Smith with ACME Bank Acct. #1234 5678 1234 is 398475.”
Such a solution ensures not only that the customer is present for the transaction, but that they know the details of the transaction at the point at which they authorise it. The up-front capital cost was small, and the total cost of implementation over three years was on par with hardware tokens. But the major advantage of SMS was the ability to adapt quickly to a changing threat horizon without the risk of wasting the investment.
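The server-side half of the scheme described above, as an added illustration that is not Standard Chartered's code: the one-time PIN is stored against the exact transaction it was issued for, the SMS text carries those details, and the PIN is accepted only for that transaction, within its lifetime and attempt budget. Class and field names, the 120-second lifetime and the three-attempt limit are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class AddPayee:
    """The transaction being authorised (hypothetical fields)."""
    payee_name: str
    bank: str
    account: str


@dataclass
class PendingAuth:
    txn: AddPayee
    otp_hash: bytes
    expires_at: float
    attempts_left: int = 3


class SmsOtpAuthoriser:
    """Issues a one-time PIN bound to one specific transaction."""

    def __init__(self, ttl_seconds: int = 120, clock=time.time):
        self._pending: dict[str, PendingAuth] = {}
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested offline

    @staticmethod
    def _hash(otp: str) -> bytes:
        return hashlib.sha256(otp.encode()).digest()

    def issue(self, session_id: str, txn: AddPayee) -> str:
        otp = f"{secrets.randbelow(10**6):06d}"  # six digits from a CSPRNG
        self._pending[session_id] = PendingAuth(txn, self._hash(otp), self._clock() + self._ttl)
        # The message spells out what the PIN authorises, so the customer can check it
        return (f"Your one-time PIN to add payee {txn.payee_name} with {txn.bank} "
                f"Acct. #{txn.account} is {otp}.")

    def verify(self, session_id: str, submitted: AddPayee, otp: str) -> bool:
        pending = self._pending.get(session_id)
        if pending is None:
            return False
        if self._clock() > pending.expires_at:
            del self._pending[session_id]  # expired PINs are never accepted
            return False
        pending.attempts_left -= 1
        # The PIN authorises only the transaction it was issued for: a changed payee fails
        ok = submitted == pending.txn and hmac.compare_digest(self._hash(otp), pending.otp_hash)
        if ok or pending.attempts_left == 0:
            del self._pending[session_id]  # single use; no replay, no brute force
        return ok
```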
But two-factor authentication is not a panacea for payment fraud. The nature of the threat (i.e. the fraudster) is different: fraudsters don’t just concentrate on one attack at a time; they make their own balanced risk decision and will choose one or more attack routes depending on their own appetite for risk. Every two-factor solution has its own weaknesses that can be exploited if that is the only option left to a fraudster.
This is precisely why point solutions increasingly don’t work. For example, just because a fraudster doesn’t attempt fraud through phone banking doesn’t make phone banking secure; it may simply be that phone banking currently represents greater risk to them. So if you fix internet banking, they may well move to phone banking, or to whichever channel is the next easiest target.
When banking regulator Bank Negara Malaysia mandated line encryption and chip-based credit cards to combat wiretap devices that captured card data, fraud on card-present transactions in the country plunged. Fraudsters knew that opportunity to carry out fraud in Malaysia would be significantly reduced and shifted to Thailand, where fraud losses experienced a sharp increase. Meanwhile Malaysia saw a notable increase in the percentage of card-not-present and other related fraud.
Loss of identity reliability is the root of all electronic fraud. In 1999, Sun Microsystems’ chief executive, Scott McNealy, famously said: “You have zero privacy. Get over it.”
Organisations frequently use personal data, such as date of birth, national identity number, mother’s maiden name, etc, as a way of verifying our identity. Most of this data is not secret, and increasingly our personal data is being exposed online, not just by organisations, which need to put better protection in place, but also by ourselves.
On top of this, when an unsuspecting customer gets an email purporting to be from their bank that asks them to plug their details into a site to verify identity, they believe it. Or used to.
Customer education has improved things slightly, and maybe customers won’t fall for that anymore. So the attackers have adapted, and now we have the online equivalent of dumpster diving. Criminals don’t need to live around the corner to dumpster dive anymore, nor do they need to get their hands dirty. The modern day equivalent of dumpster diving is malware that is installed onto your personal computer that allows the crooks to go through your personal data on it before it ever makes it to the dumpster. Often it can be as simple as stumbling across the wrong website; like turning down the wrong dark alleyway, it can cost you.
But is it possible in a global business world to solve the identity problem in a way that is acceptable to society and to individuals? There are some fundamental problems that not even banks, by themselves, can solve. Can regulators and governments help us solve them?
Organisations have tackled internet banking-related fraud in the past with a mentality best described by the following analogy: if you encounter a bear in the woods while hiking, you don’t need to run faster than the bear. Just run faster than your fellow hikers. Fraudsters attack the low-hanging fruit, and the theory is that as long as you’re more secure than the next guy, you should be okay.
This approach to managing electronic fraud risk is unworkable. There are too many point solutions which are invariably exploited and devalued as a result. What happens when we run out of credible point solutions?
Governments, law enforcement, clearing houses and card organisations such as Visa or MasterCard, financial institutions and utilities such as postal services or phone carriers must all start to work together to tackle misuse of personal identities.
This collaborative design fits into a larger payment security strategy that focuses on authorisation at the point of transaction, across all channels and all products. A transaction can be anything: a payment from your bank accounts; setting up a mail redirection at the post office; putting a call divert on your landline. With so many interdependencies between these organisations, which interact with customers that we all share, a failure in identity management by one party can adversely affect all parties.
Better collaborative identity management is needed. A collaborative framework is needed that facilitates the sharing of timely data about transaction and identity-related fraud among a wider group. This will allow a faster response and it will eventually push the fraudsters out into the cold.
This is an alternative to the silver bullet, and will cost more and take more work. But silver bullets, while useful against werewolves, are useless against fraudsters. Until the verifiable identity problem can be solved, we must control the management of that data more closely within critical infrastructure. In the short term, we all must be more careful with personally identifiable information.
A collaborative way of managing changes to personal data between organisations is necessary to identify potential frauds, and it would allow us to reuse many of the controls that may have lost some of their effectiveness.
For example, if I as a bank can find out from your phone provider that your mobile SIM card has recently been reissued, this helps me make a more informed risk decision about the transaction I am about to carry out on your behalf: where we may have used a one-time passcode via SMS before, now I might call you instead at another number.
Cross-industry management of identity and identity change is a giant leap. It needs to be led by governments or their appointed regulators, but it also involves many sectors of industry. Whether this will happen is not yet clear: who will take the lead? Will governments step up?
David Leach is risk adviser, consumer banking, in the Group Information Security section of Standard Chartered Bank in Singapore