Getting Beyond The Threat Du Jour
You've read all the headlines about online security and data breaches, but have you gotten the real story?
Digital Insight doesn't believe so.
"I have some personal concerns related to some of the sensational reports," said Scott Mackelprang, VP-security and compliance with Calabasas, Calif.-based Digital Insight. "Sixty-nine percent of ID theft takes place off-line, and the most common way the information is stolen is losing your wallet or having your mail stolen. There is a little bit of sensationalism in the media."
He noted, for instance, that just 1.7% of fraud has been through phishing, in which scammers claim to be a consumer's financial institution and request that they resubmit their username and password, ironically, to help increase safety. In fact, said Mackelprang, the losses experienced by online banking users who are scammed are just 20% the size of non-online banking users who are the victims of fraud.
The issue of identity theft and online security is one close to the heart of Digital Insight, one of the primary-and earliest-providers of online banking solutions to financial institutions, and especially credit unions. Several well-reported data breaches at banks, including misplaced data back-up tapes, the emergence of e-mail scams, phishing and even pharming, have combined to throw cold water on the pace at which consumers are embracing online transactions.
The Federal Financial Institutions Examination Council had proposed some very specific steps for vendors to take before backpedaling on those plans, and other government agencies have also responded to both the reality and the perceptions related to online security, the most recent being requirements for multi-factor authentication.
Far from being unhappy over government involvement, Mackelprang said he is happy to see the government forcing all providers to embrace greater security, as it can only help speed consumer confidence.
What Consumers Are Saying
He cited a September, 2004 study by Forrester Research that probed the barriers to online banking acceptance. Forty-four percent agreed with the statement, "I'm worried about data security;" 43% said they were worried about privacy. Just 7% said it seems "too complicated."
Mackelprang spoke with The Credit Union Journal during the Bank Administration Institute's Retail Delivery Show, at which there were dozens of solutions on display related to online security. Digital Insight's strategy has been an enterprise-wide, multi-level effort it calls "Deep Defense" that is aimed at addressing the multitude of vendors and partners with which any credit union must contract in offering online banking: the providers of Bill Payment, funds transfer, lending, secure chat, online statements, check imaging, the core processor, and more.
It's a process, said Mackelprang, that requires addressing all those points within a network of automated solutions that interact with each other. 'These are the kinds of things that don't get examined."
Digital Insight describes Deep Defense as "systems, partnerships, operations and architecture meant to prevent, detect, correct and report fraud."
"Having an anti-phishing solution isn't the whole story," said Mackelprang. "It may be some really mundane things, but we at Digital Insight want the whole industry to take a step back and look at all the aspects and with a layered defense. We've designed this around the notion that someone is going to get around one level of defense, but when they do there's going to be another level of defense. Deep Defense is much broader than just the threat du jour. It's not just ID theft and phishing. If you focus so narrowly on the one little thing you miss the big picture."
Digital Insight's bigger picture, according to Mackelprang, has been a business model in which it builds partnerships with other providers, hence its development of the Deep Defense. During 2004 it increased its business partnerships by 10%, he said.
"We've taken overt and distinct steps to firm up our validation steps and our trust model," he said.
'A Bit Too Reactive'
The "threat du jour" that Mackelprang referenced is also reflective of the type of inquiries Digital Insight gets from credit unions during big trade shows such as the BAI Retail Delivery Show. He said most of the clients and potential clients that visit with the company during the show reference "what they've read most recently and what's on their mind. It's almost a bit too reactive. You have to have a strategic goal on the horizon and look at this holistically. It's all about an all-encompassing sphere."
While the name "Deep Defense" is new, Mackelprang said it's actually a solution set that Digitial Insight has been developing in various forms for 10 years. Its goal with clients is to get them to recognize the threat of today will not be the threat of tomorrow, he said. Most recently it has developed, through a partnership with TriCipher, a multi-factor authentication method that brings multiple levels of security and prevention.
"Cookies will do a good job (of security), but at some point that will not be good enough and a lot of vendors will run out of steam," he said. "Credit unions have built security around cookies, but we fully expect cookies will run out of steam in a year or two. When that changes it could be a very disruptive technology."
Tricipher, he said, goes to "the next level." That next level involves varying levels of encryption credentials. "We're going to make it so the end-user can decide," he said.
Assumption Theft Will Occur
"Our focus is not so much around people having their credentials stolen, but if stolen (the thief) still can't use it. We assume it will be stolen."
The newest security measures recognize when the end-using member is logging in from a different computer than they typically use (end-users can establish several trusted PCs) or even from a different location. Someone traveling, for instance, may be asked several challenge questions above their password to authenticate their identity. A one-time passkey may also be e-mailed to their account.
"Our security posture is a security set," said Mackelprang. "We're not an online security provider. What we're building is an authentication framework that you can snap in to different authentication technologies.
Digital Insight is currently in discussions with providers of biometric technologies as a potential future piece of that framework. "We're looking at some really cool anti-fraud applications," Mackelprang said. "We're not done by a long shot."