Man-in-the-middle attacks and other assaults on the browser are becoming more common and pose a challenge to the whole banking industry, says Joe Bernik, chief information security officer at Cincinnati-based Fifth Third Bank.
His bank has taken action by piloting a security solution for corporate clients that "locks down" the online banking session between the customer's PC and the bank. The rationale at the bank was simple, he says. If the Fifth Third really wants to be a "trusted advisor" it can't just make the online channel available, it needs to help secure that channel by responding to threats.
This philosophy aligns Fifth Third closer to European and Canadian banks-many of which offer security solutions to retail and business customers-than to U.S. banks, which have been generally reluctant to require or even recommend security features that touch the customer's desktop.
U.S. banks fret that desktop security features could inconvenience the customer and hurt the online experience. But they also fear liability-that by recommending a security feature for clients, the bank will be held legally responsible if any security-related losses occur.
"U.S. banks are very wary about getting involved in the customer's desktop. They're looking for things the customer can do without them," says Avivah Litan, a vp at Gartner, who has extensively researched and reported on Web financial services security issues.
Mickey Boodaei, CEO of Trusteer, which offers a desktop browser security plug in, estimates that European banks are as much as 18 months ahead of the U.S. in terms of technology adoption because, as a group, European banks were faster to offer many online transaction services to customers prone to fraud.
About 50 banks worldwide have made the Trusteer solution available to customers including ING, Royal Bank of Scotland, NatWest, Santander and HSBC. In the U.K. alone there have been five million downloads. When in use, the software warns customers if they are at risk of responding to a phishing attack, prevents Trojans from capturing their details, and inhibits any interference with online communications between the customer and the bank.
Another approach to browser security comes from IBM. Unlike Trusteer's pure software solution, IBM involves a hardware device that plugs into the customer's PC. In February IBM won its first client-UBS-for its ZTIC device (Zone Trusted Information Channel.)
UBS will offer ZTIC to its 100,000 corporate clients at no cost and will charge its 650,000 retail clients $65. The device attaches to the computer via a USB cable. During an online banking transaction, in conjunction with a smart card, ZTIC bypasses the Web browser and makes a direct SSL connection with the bank. IBM researcher Dr. Michael Baenstch explains that the ZTIC device connects directly to the UBS server and the bank constantly monitors and decides when to activate the ZTIC to warn the customer when malicious activity may be occurring.
Litan of Gartner says: "It's significant that IBM finally got a bank customer. It's really expensive, but it's very effective."
While European banks still lead the way, Boodaei of Trusteer predicts that the U.S. banks will catch up soon as more transaction services are offered and fraud increases. The FDIC reported last month that online fraud spiked to $120 million in the third quarter of 2009.
"It's going to change in the U.S. because of the level of fraud activity. By the end of the year some big banks will be rolling out solutions," Boodaei predicts.
Jacob Jegher, a senior banking analyst at Celent, says banking customers may soon have to accept another security step when banking online, whether they want to or not. "Banks should require it. I don't like optional security."
But Litan is not so sure that a wave of browser security is coming soon. She puts the chances at slightly better than 50 percent that one of the largest U.S. banks will roll out browser security. And the reasons are the same as they have been: fear of inconveniencing the customer by creating too many online guardrails and exposing themselves to potential litigation.
"I just talked to a banker who said 'If we start protecting the customers, we're tinkering with the desktop and we're responsible,'" she says, a prospect that clearly made him nervous.
Marc DeCastro, research manager, consumer banking and credit at IDC Financial Insights, suggests most banks are looking for a major adopter to push more of the industry to get on board with extra security measures.
"No one wants to be first out the gate. It will take a Bank of America or Wells Fargo to roll this out and then all the others will follow," DeCastro says.
Of course, Fifth Third is not a small player. With $100 billion in assets it's one of the country's largest regionals. But whether its decision to offer Trusteer to commercial customers will compel Bank of America or Wells Fargo to follow suit remains to be seen.
"Historically firms have looked to secure the perimeter, and we've done a great job of that," Bernik says. "But hackers attack the weakest point and that is the customer and the browser through phishing and malware. With an evolving threat, there needs to be evolving technology. But there is no silver bullet."