A recent USA Today article reports that Citibank (C) and Bank of America Corp. (BAC) rank third and seventh respectively among the top 10 most frequently attacked banks in the world.
There is growing concern over identity theft and cyber-security, particularly when about 80% of U.S. households do at least some of their banking over the internet.
But is it safe?
“Cybercriminals can steal credentials for thousands of accounts at a time with very little effort,” says Joe Stewart, senior threat researcher at SecureWorks. “They have access to more accounts than they could possibly ever use, and most of those are personal accounts.”
That’s where banks are looking for their customers to help.
“It is paramount that our customers know how to protect themselves,” says Bank of America spokeswoman Tara Burke. “We recommend that customers always protect their passwords, ensure the bank has up-to-date contact information and review their accounts on a regular basis.”
Which is not to say banks are doing nothing.
Many banks, including Citi and Bank of America, use a variety of security systems to help protect their customers’ accounts. The most common remains “knowledge-based authentication” questions. Such questions, derived from data amassed by the big three credit bureaus (Experian, Equifax and TransUnion) and by data aggregators LexisNexis and Acxiom, ask about obscure personal details such as the name of one’s mortgage holder or father-in-law, a previous address, even the color of one’s car.
“The questions are going to get more difficult over time,” Johnson says. “The threat is real, and (banks) are providing the tools to help customers protect themselves.”
Litan, the Gartner banking security analyst, says banks need to move away from technologies that rely on common Web browsers, which is where banking Trojans thrive. Handheld optical readers, a more advanced technology, are available from Gemalto and Cronto. These devices must be used to take a picture of a visual cryptogram — a secure image produced by the bank — as part of authorizing any cash transfers.
Mandatory use of a verification device that operates separately from the browser would enable banks to ensure “secure transactions no matter what is on the customer’s PC,” says Paul Beverly, executive vice president at Gemalto.
But Litan says banks are a long way from even thinking about widely distributing such devices to consumers.
“They don’t want to get into the business” of providing hardware to customers, she says.
Banking and security experts say the only thing that will change the banking industry’s current approach is widespread consumer backlash.