A plethora of high-profile data breaches and concerns about identity theft have put the banking industry on high alert. To secure their information assets, banks must implement a cross-channel, multilayered approach that extends beyond technology.
NALNEESH GAUR, Manager, Financial Services Practice, DiamondCluster Int. (Chicago)
JOHN CARLSON, Senior Director, BITS (Washington, D.C.)
T. KENDALL "KEN" HUNT, Chairman and CEO, VASCO Data Security (Oakbrook Terrace, Ill.)
RAN NUSSBACHER, Business Development Manager, Viisage (Billerica, Mass.)
Q: What lessons have banks learned from recent data breaches?
Nalneesh Gaur, DiamondCluster International: The Anti-Phishing Working Group recently reported that financial services continues to be the most targeted industry sector, growing to 89.3 percent of all attacks in December 2005. Banks have responded by improving customer awareness, improving fraud detection and implementing site takedown services. Other incidents such as stolen laptops and lost tapes also received the media's attention. Most of these incidents resulted in a public relations nightmare for the banks. Nevertheless, banks responded by encrypting backup tapes and prohibiting their staffs from storing customer information on workstations.
John Carlson, BITS: There's a continued focus on improving the controls that financial institutions have internally and with third-party providers, retailers and other organizations that can be a source of data breaches. There's also an increased focus on consumer education on things related to protecting customers from fraud, such as phishing and identity theft. Financial institutions are providing customers with information on steps the financial institution and the customer can take to protect themselves and to deal with identity theft.
Ken Hunt, VASCO: The biggest lesson that we have learned over the past 18 months is that the problem and threats are real. And, unfortunately, once a breach occurs to an organization, the resources used to rectify the situation are significant and substantial. Financial institutions that have already deployed proven security are far less reactive and are methodically and efficiently expanding their usage into new customer segments (e.g., small business and corporate log-in). Financial institutions that were slow to react to a proven security solution over the past 12 months and are doing so to adhere to the FFIEC [Federal Financial Institutions Examination Council] guidelines and/or to protect themselves from fraud are doing so at an aggressive pace. This has used up significant resources. The message is clear: The banks that are reacting to the guidelines and looking to implement the quickest and easiest solutions are merely prolonging the inevitable.
Ran Nussbacher, Viisage: The main lesson is that identity fraud has become "industrialized" - a large-scale professional operation. Therefore, banks can expect to see an increasing amount of stolen and fabricated identities used to establish new accounts, hijack existing ones and perform fraudulent transactions. Moreover, banks must understand that customer data obtained from data breaches and phishing attacks is not limited in its use to the online banking channel. Rather, customer data also is used to create fraudulent identity documents, which are then used at the branch, where the majority of fraud is still committed. Thus, a cross-channel, multilayered approach to identity risk management is needed to successfully prevent identity fraud.
Q: What are banks doing to address identity management challenges?
Gaur, DiamondCluster: Banks must take a holistic view of security and identity solutions to provide preventative, detective and corrective measures over all channels. As a detective measure, banks use sophisticated behavior and risk-based fraud detection solutions to verify suspicious transactions. As a preventative measure, some large banks are developing multichannel authentication strategies for their customers. As a corrective measure, banks have devised policies to rehabilitate their customers after an impact.
Carlson, BITS: Many of our member companies are participating in the Identity Theft Assistance Center, an organization that helps customers affected by identity theft deal with other financial institutions, credit bureaus and others in order to mitigate losses and restore the individual's good name. There are some efforts going on within the industry to share information about phishing attacks and as a means to refer information to law enforcement on the sources of those attacks.
Peggy Bresnick Kendler has been a writer for 30 years. She has worked as an editor, publicist and school district technology coordinator. During the past decade, Bresnick Kendler has worked for UBM TechWeb on special financialservices technology-centered ... View Full Bio