Peyman Mestchian, Managing Partner at Chartis, oversees research strategy, key commercial relationships, and advisory services. His special area of interest and research is the application of information technology to risk management, and he is an established thought-leader and writer on the subject.
No one needs to be told to lock their door when they leave the house; this is common sense we take for granted. No one needs to be told not to leave valuables unsecured at the gym or their bike unlocked outside. Yet even those of us who like to think of ourselves as tech-savvy make basic security errors online.
The recent activities of the Syrian Electronic Army have put Internet security back in the spotlight and demonstrated that technology and hacking techniques have outpaced automatic common sense. When major news organizations like the New York Times, the BBC, and even the standard-bearers of the digital revolution, like Twitter, fall victim to simple phishing attacks, it is clear that no one is invulnerable to hacking.
For banks, cybercrime poses an increasing risk and accounts for a growing portion of their anti-financial crime activities. Hackers are becoming more sophisticated, often using more specific spear-phishing attacks, alongside Trojans, bots, and malware. Fraudsters are also matching multi-channel security measures with multi-channel attacks, with malware targeted at smartphones and ‘social engineering’ attacks over telephones to persuade victims to give out their details.
At the same time, technology has become more accessible and is often a customer’s main point of contact with their bank. More customers bank primarily or even exclusively online, on a tablet, or through their mobile phone. The speed and convenience of these channels have attracted customers who have grown used to the interactivity and simplicity of mobile and tablet.
Although these customers would seem to be the epitome of the modern, connected, and tech-savvy consumer, many remain naïve about the threats to their online accounts. Many fail to change their passwords or install anti-virus software, let alone implement more advanced security features such as two-step verification. These customers do not want to give up easy access, but at the same time, they want to be protected from threats in cyberspace.
Banks need to understand that their customers want protection, but without having to become experts in Internet security or going through elaborate online identity authentication protocols. This means that banks should take the lead to protect their customers from themselves.
A robust anti-cybercrime division is a crucial part of any financial crime management department for banks. This should be well-funded and well-staffed with researchers and investigators and should have education and communication roles to encourage customers to protect their accounts.
Reliance only on device and browser authentication and identity authentication protocols could potentially leave banks vulnerable. Banks should also focus on prevention and on areas where they have control through in-session analysis and a multi-channel, anti-fraud framework.
Anti-cybercrime technology can be used by banks to protect their customers. Malware and Trojan detection can be used to shut down access to an account, and navigation and behavior analysis can measure behavior against previous activity to see if a fraudster is using the account. This can defend customers against device or browser compromise through man-in-the-middle or man-in-the-browser attacks.
Combining and coordinating these layers with the bank’s phone channels and call centers is also a crucial aspect of combating fraud. In addition to appropriate training, access to anti-cybercrime alerts and on-screen pushes can help call-center staff to thwart social engineering attacks and detect fraud attempts.
Many customers are not yet ready to protect their accounts in the online age. Banks that can offer secure Internet, tablet, and mobile banking will be providing their customers with a vital and attractive service, as well as protecting themselves from losses. This can act as a key selling point and differentiator for banks and can help to attract new customers. As banking increasingly moves online, the onus is on banks to stay one step ahead of the hackers.