Internet banking as we know it, the kind that happens when a user launches a browser, and goes through even a decent approximation of layered security on a bank's Website, is dead, made untenable by the massive fraud now draining hundreds of millions from corporate accounts. The Internet and the browser may have been the greatest consumer technology innovation of the last quarter century, but for regulators, bankers and their customers, it's time to move on.
Don't take my word for it. In August, the FS/ISAC warned members of a massive up tick in wire fraud against commercial accounts, saying commercial customers should "carry out all online banking activity from a standalone, hardened, and locked down computer from which e-mail and Web browsing is not possible."
Gartner's Avivah Litan, banking's resident security expert with connections at the country's largest banks and security vendors, says, "Nothing that goes through the browser can be relied upon."
If we accept these pronouncements at face value, it's time for regulators to step up and compel banks to ensure the security of online accounts. The Federal Financial Institutions Examining Council's 2005 "Guidance for Authentication in an Internet Banking Environment" didn't go far enough then, and it falls negligently short now.
It's true that federal banking regulators are in upheaval given varied reform agendas; and that data security breaches like Heartland Payment Systems and TJX can be traced to failures of individual business owners. Further, several court cases allege banks are at fault: In Shames-Yeakel v. Citizens Bank the bank only used usernames and passwords to protect its online HELOC accounts. And in Western Beaver School District v. ESB Bank, the school alleges the bank allowed more than $700,000 in outbound wire transfers, an amount that should have raised red flags - especially the roughly $200,000 lost after the school alerted the bank to the potential fraud!
Despite these institutional lapses, ultimate responsibility for these breaches and associated losses resides with regulators. Their ambiguous and technically inadequate security requirements and "slaps on the wrist" for non-compliance have created an environment which encourages minimal investment in online security.
Despite banks' talk about security being reputational, for many it's an ROI calculation (as it should be from a strict financial perspective). Regulations currently omit bank responsibility for the massive losses felt by business account holders.
The FFIEC should immediately update its guidance on authentication. It's outdated, and even the two-factor authentication and tokens decried as too expensive in 2005, aren't enough from a technology perspective. The next version should be more proscriptive, with sharp teeth to level the playing field by holding all banks to the highest standards.