Fraudsters Are Starting to Score Successes Against Online Banking

Most banks report that their online-banking and bill-pay channels are experiencing no or only modest increases in fraud, according to a new survey from Boston-based research firm Aite Group LLC. But that's no reason to rest easy, says the researcher who oversaw the survey. Aite surveyed 21 of the top 100 financial institutions by telephone and e-mail in March. While the majority reported no increases in fraud in their online banking channels, 39% reported “2” or “3” on a scale of 1 to 5, with 1 being no increase in losses and 5 being a significant increase. “It's not like hell is breaking loose, but the pressure is mounting,” says Gwenn Bézard, research director at Boston-based Aite. Though online banking hasn't suffered some of the attacks that online stock-trading sites have recently, the modest increases still show that “fraudsters are slowly but steadily gaining ground,” he says. Fraudsters are spending much of their time trying to get around new authentication regulations that federal banking regulators recently imposed on online banking sites. The vast majority, 71%, of financial institutions remain most concerned with so-called social engineering, or types of fraud such as phishing in which consumers are duped into giving out sensitive information online. Some 65% are concerned or very concerned about technology used to commit fraud, such as malware, Trojan horses, and the like, according to the Aite survey. These concerns are driving technology decisions at banks and credit unions. And while technology that stops fraud when existing customers go online is of high interest to financial executives, technology to verify identities and thwart fraud during the account-opening process is garnering more attention, according to Bézard. Sixty-two percent of respondents indicated they are likely or definitely likely to replace or install an ID-verification solution during the new-account-opening process in the next 24 months. Online account-opening fraud presents a host of difficulties for banks. Flags include an Internet Protocol address that indicates, for example, that the computer an applicant is using is in Brazil, even though he reports a physical address in Arizona. Another is multiple new-account applications from the same computer in a short period of time. A number of vendors are trying to tailor their various user-authentication products to the account-opening process, Bézard says. Possibly the most effective technology, public key infrastructure, or PKI, which encrypts data, has not caught on because it requires consumers to install a separate software on their personal computers. One of the most effective non-PKI solutions so far, according to Bézard, has come from Scottsdale, Ariz.-based The 41st Parameter, whose technology uses hundreds of algorithms to flag suspect computers (Digital Transactions News, July 12, 2006). EMC Corp.'s RSA Security division also has introduced technology to address account-opening fraud and related security issues, he says. Second to new-account fraud as the planned target of security-technology spending by the surveyed financial institutions in the next two years is stronger user authentication, with 57% of respondents likely or definitely likely to buy such systems. Next in the likely or definitely likely categories were fraud-detection and transaction-monitoring systems at 52%; stronger site authentication, 43%; and usage of a shared fraud-control network, 24%.