April 28, 2005
Email-based "phishing" attacks, used by criminals to convince individuals to reveal confidential information, are rapidly morphing into more insidious forms of online fraud, a research report warns.
The report from TowerGroup finds that advanced approaches to online fraud -- using methods like spyware, browser hijacking and remote administration tools -- pose a significant and fast-growing threat to consumer confidence in the online banking channel.
In the face of this fraud evolution, the practice of requiring a username and password as the sole means of online customer authentication is rapidly becoming outdated.
"The US financial services industry is continuing to build effective defenses against phishing, with consumer education playing a critical role," said George Tubin, senior analyst in the Delivery Channels practice at TowerGroup and author of the research.
"However, these existing defenses do little to protect financial institutions or their customers from fraud methods that don't require the consumer to manually serve up personal or account data. Because emerging fraud techniques could potentially lead to higher levels of compromised personal data, it becomes imperative for the financial services community to enhance the rigors of online security and customer authentication," Tubin said.
Highlights of the research include:
Many desktop computers are highly vulnerable to attacks from malicious software, which can be downloaded to a PC without the consumer's knowledge. Using these "malware" payloads, fraudsters can gain access to personal information through a variety of methods -- from logging an individual's keystrokes on the computer when they sign in to their online banking site, to remotely taking control of the user's entire PC.
"Two-factor" authentication offers a vast improvement in security. One example involves providing consumers with a hardware "token" that generates a random number to be entered along with his or her password. However, most large consumer banks have been fearful that convenience-oriented consumers will reject the additional burden of physical tokens, or will be overwhelmed by devices from multiple institutions.
"Stronger authentication technology is the most effective weapon in combating the rising tide of consumer data theft," said Tubin.
But selecting the right path to better authentication is complex and expensive, he said. "The real difficulty is quantifying the potential negative impact on consumer convenience and confidence when faced with multiple online authentication requirements."
TowerGroup, based in Needham, Massachusetts, is an advisory research and consulting firm focused on the global financial services industry.