Financial institutions have been battling cybercriminals for decades. A constantly evolving network of bad actors continues to identify and exploit vulnerabilities to perpetrate fraud. Traditional prevention approaches are a necessary first line of defense but are far from bullet-proof. And so criminal organizations continue to make millions.
The weakest link in this network continues to be the customer. Despite a relentless education campaign, banking customers remain either unwilling or unable to practice safe computing. And when losses occur, customers believe that regardless of their inability – or unwillingness – to implement secure online banking practices, the bank will reimburse their account for the entire loss. It often makes more sense for the bank to reimburse a small loss than dedicate the time and effort needed to deny the claim and potentially incur negative publicity. Meanwhile, assuaged by this false sense of security, consumers have little incentive to change their behavior.
In a recent case involving Choice Escrow Land Title LLC and BancorpSouth, the court sided with the bank regarding a $440,000 loss associated with the theft of the company’s online banking credentials and subsequent fraudulent wires. The ruling was based on the fact that Choice Escrow previously declined to use a process recommended by the bank, requiring two employees to approve wire transfers. However, in two separate, highly publicized cases involving Comerica and People’s United Bank, the courts ruled in favor of the customer in both cases.
There is no guarantee a court will rule in favor of the bank – regardless of the degree to which the customer failed to protect themselves.
Consumer Education Will Only Take You So Far
Financial institutions have long embraced customer education as an effective fraud prevention tool. Unfortunately, so long as consumers are indemnified from loss, these types of educational messages will likely fall upon deaf ears.
The FBI and the American Bankers Association (ABA) recommend designating a separate computer solely for online banking activities (i.e., no emailing or Internet browsing) to prevent online fraud. But limiting banking to one computer is neither convenient nor realistic for the vast majority of consumers. And this challenge only grows as customers increasingly leverage banking applications on their mobile devices.
When given the choice, customers will routinely opt for the “path of least resistance” when conducting business online. And this applies not just to banking, but to anyone who deals with customers, partners or employees online. The more complex the process, the less likely the customer will be to comply. Attempting to shift too much of the compliance burden to the end user will be met with resistance, and ultimately rejection. The last thing a company wants to do is make their online channel so unappealing to their customers that they leave in droves.
Unless customers are provided with a minimally invasive approach to secure their online activity, they will continue to engage in careless behavior that leaves them exposed to bad actors.
Achilles Heel of Online Fraud
To date, fraud prevention technology has overlooked the primary point of failure – the customer’s computer. Extending fraud prevention to the customer’s device through a secure browsing platform can dramatically reduce fraud-related losses. Such a browser creates a protected connection to the financial institution’s website. Since transactions can only take place via the personal browser and a secure proxy server, any malware that exists on the user’s computer is “blind” to the exchange of customer information.
Using this approach, the exchange of critical information in the transaction takes place at the server level, instead of at the user’s machine. A secure personal browser also thwarts more sophisticated tactics such as pharming, man-in-the-middle (MITM) and man-in-the-browser (MITB) attacks. The browser turns the user’s computer into a dedicated machine for online banking that isolates critical data from the cybercriminal’s prying electronic eyes. Such an approach is effective, yet does not place an excessive or unrealistic compliance burden on the customer.
Financial institutions have little choice but to be on the bleeding edge of security best practices. In addition to adopting traditional fraud prevention technologies, including the detection and prevention of suspicious log-ins, transaction anomaly detection and real-time monitoring of account activity, banks are now realizing they must take security to the last line – the consumer herself.
Any organization that houses sensitive financial data and wants to stay ahead of the latest cybercriminal methodologies should follow the lead of these organizations, to learn how they might apply these security best practices to their own customers and corporate security posture.