Banks working to stop customers from taking their business “offline”
By James A. Quin
In 2006, Canadians experienced almost 8,000 individual identity theft incidents. The estimated collective value of these incidents was greater than $16 million. Though the number of individual incidents is at the lowest level it has been in five years, the more than $2,000 cost per incident is the highest ever recorded and indicates that identity theft is as significant a threat in Canada as it is in the U.S. and other parts of the world.
Unfortunately for financial institutions, the identity theft problem is driving clients offline in droves. According to various industry surveys, 14 per cent of clients no longer pay bills online, 4 per cent no longer use Internet banking at all, and the growth rate of online banking is predicted to drop from 7 per cent currently to 4 per cent by 2010. For financial institutions that are increasingly committed to online banking, these numbers are more than troubling.
To combat this trend, banks and trust companies need to find a way to increase customer confidence. Given that phishing attacks are one of the primary threat vectors, eliminating them is the best way to restore confidence. While financial institutions cannot eliminate phishing threats, they can help clients limit the effectiveness of those threats. The primary method of minimizing phishing threats is through browser toolbars.
A variety of these tools exist from providers such as McAfee (with its SiteAdvisor tool) and Netcraft (Netcraft Toolbar). Certain browsers go one step further, including anti-phishing capabilities natively. Examples include Microsoft’s latest version of Internet Explorer (IE7) as well as the more niche Opera browser.
Unfortunately, as useful as these tools are, they do not address the problem. While banks may be in a position to recommend the use of such a tool, their use cannot be mandated, since the financial institutions control neither the devices that are connecting to their websites nor the users of those devices. A secondary solution makes use of two-factor authentication. In a twist, though, where such solutions generally focus on having users prove their validity to a website, in this circumstance the site proves its validity to the user.
The largest implementation occurred in 2005 when Bank of America implemented PassMark’s SiteKey solution. PassMark has since been acquired by RSA, but the product is still available. With this tool, clients pre-select an image that the bank associates with their account. Upon login, the image is displayed, verifying to the user that the site is valid and not a copycat being used for phishing purposes. This solution appears less than perfect, however, as help desk calls are reported to have skyrocketed since the implementation. A third solution was recently announced by Symantec that, in theory, should address these concerns.
As an addendum to its commercially available Norton Confidential product, the company is releasing a version called Online Edition. This solution works much like a standard browser-bar plug-in, but is distributed by the bank itself and so can be made a mandatory part of the online experience. Norton Confidential Online Edition (NCOE) includes traditional anti-phishing capabilities but couples them with anti-crimeware functions, allowing it to block key-loggers, screen-scrapers and other password-stealing tools.
The cost of NCOE is borne by the bank itself rather than its clients, and licences cost between 50 cents and four dollars depending on the number purchased and the membership level the bank selects. That membership is in Symantec’s Secure Internet Banking Alliance (SIBA) and is currently mandatory for access to NCOE licences. In addition to joining a forum of industry and community partners and gaining access to NCOE licences, membership in SIBA brings other benefits. At Gold level membership, financial institutions are provided weekly intelligence reports. Platinum level membership steps up to on-demand intelligence reports and includes an annual Security Assessment.
SIBA membership is divided into two tiers based on whether the institution has more than (Tier 1) or fewer than (Tier 2) one million clients. Annual costs range from a low of $20,000 for Tier 2 Gold membership to a high of $100,000 for Tier 1 Platinum membership.
SIBA is open and accepting clients now, though Symantec is currently limiting membership until the endeavour gets fully off the ground. NCOE licences are not yet generally offered, though they are in beta and, according to Symantec contacts, are due to be available soon. Identity theft is a real problem that appears only to be growing in magnitude.
If financial institutions want to stem the tide of consumers going offline, they need to offer solutions that demonstrate site validity to clients. A variety of solutions exist, but the forthcoming Secure Internet Banking Alliance and the Norton Confidential Online Edition licences it makes available may be the most attractive.