The focus on phishing scams may be distracting banks from more important security problems, a JPMorgan Chase & Co. executive says.
"I'm sick of hearing about phishing," said Richard A. Parry, the senior vice president in charge of risk management for fraud and remote channels at JPMorgan Chase. He spoke Thursday at a conference sponsored by Cyota Inc., which sells Internet anti-fraud products and services to financial companies.
By focusing on e-mail scams alone, Mr. Parry said, "you become completely blinded to the next risk, as you're preoccupied with what you perceive to be the current risk."
In phishing, criminals use e-mail to lure victims to fake bank Web sites where they may be tricked into revealing confidential personal information, such as online banking passwords.
The practice has grown significantly in the past year, but "I think phishing is last year's problem already," Mr. Parry said.
Phishing is just a new spin on older techniques, he said. It is "social engineering with a brilliant, efficient delivery channel; two or three years ago phishing was being done over the phone."
An approach that looks at protecting money rather than passwords will thwart more than just the threat of the day, Mr. Parry said. Banks should shift their focus from keeping information from criminals to making it harder for them to use it, he said.
"Your info's out there," Mr. Parry said. "I suggest you just get over it."
Current security approaches, many of which are geared toward protecting passwords or developing stronger passwords, protect only the front door, not the money locked behind it, he said - and there are many ways to get through those doors.
He asked his audience - many of whose members were Cyota customers - to consider ChoicePoint Inc., the Alpharetta, Ga., data broker that admitted in February that it had released personal data about 144,778 people to identity thieves. Though the company probably had strong security measures, he said, the criminals could obtain the information by simply signing up as customers and asking for it.
Once a criminal has obtained account details, Mr. Parry said, banks have only a short time to protect the customer. "The assumption on the Internet is that money is lost immediately, but that's not true," he said. "Funds don't leave the bank with a mouse click; they usually leave the next day."
Banks should "embrace a model that looks at the transaction coming in the door - not the money on the way out," he said.
This is even more vital, he said, when credit and deposit accounts are linked - for example, when a home equity line of credit can be accessed through a checking account - because access to credit makes the deposit accounts riskier.
Naftali Bennett, Cyota's chief executive, agreed that the phishers are often successful. "We have to assume that the bad guys will penetrate that authentication," he said. "It will happen."
As a result, he said, his company assumes that customers will eventually stop trusting computers, and that banks need to verify that those initiating transactions are really their customers.
Cyota will announce its newest approach to remote-access fraud on Wednesday. The product, named eSphinx, will monitor each log-in and transaction. It will be available in about six months, the company says.
Ninety-seven percent of online banking transactions are low-risk and do not need stronger authentication, Cyota says. To identify the remaining 3%, eSphinx looks at the computer's identifying traits, its location, and other factors, such as the dollar value of the online transaction, and can ask for further authentication by phone.
Not all of the doubtful 3% of transactions are initiated by criminals, Mr. Bennett said. "They're just of a higher-risk nature. People do travel to Ghana; it happens."
Three major card-issuing banks have tested eSphinx, he said. Future versions will also address phone banking and other remote-access channels.
Amit Yoran, a director at Cyota, warned of an emerging threat from viruses that plant key-logging programs on victims' computers. The programs quietly monitor what users are typing, such as banking passwords, and later transmit them to a criminal.
Mr. Yoran said that some key-logging programs were developed to break into banks with the best security measures. They therefore may record only what victims type when visiting Web sites with advanced encryption and authentication, he said.
Banks and vendors are fighting a constant battle to keep up with evolving threats, Mr. Yoran said, but they must also develop ways to protect consumers after their online banking passwords have been stolen.
Mr. Parry said banks should use stronger authentication systems to monitor individual transactions, rather than just login attempts.
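To make concrete what the transaction-level approach Mr. Parry describes here, and the risk-scoring product described earlier in the piece, actually look like in code, the following is an added example; it is not Cyota's eSphinx code or anything from JPMorgan Chase. The article supplies the signals (the computer's identifying traits, its location, the dollar value) and the idea of challenging only a small high-risk minority by phone; the weights, the 40-point step-up threshold, the extra "new payee" signal, and the sample customer and events are assumptions made for illustration.

```python
"""Risk-based step-up authentication at the transaction level.

Added example for this article; it is not Cyota's eSphinx code. The article
names the signals (device traits, location, dollar value) and the idea of
challenging a small high-risk minority by phone; the weights, threshold,
extra "new payee" signal and the sample data below are assumptions.
"""
from dataclasses import dataclass, field

STEP_UP_THRESHOLD = 40  # assumed: scores at or above this get an out-of-band check


@dataclass(frozen=True)
class Event:
    kind: str             # "login" or "transfer"
    customer_id: str
    device_id: str        # e.g. a hash of the browser/OS traits seen at login
    country: str          # geolocation of the source IP
    amount: float = 0.0   # transfer amount; 0 for logins
    new_payee: bool = False


@dataclass
class Profile:
    home_country: str
    known_devices: set = field(default_factory=set)
    typical_amount: float = 0.0   # e.g. median of the customer's recent transfers


@dataclass
class Decision:
    action: str           # "allow" or "step_up"
    score: int
    reasons: list


def score_event(ev: Event, profile: Profile):
    """Additive score; every weight is an assumption of this example."""
    score, reasons = 0, []
    if ev.device_id not in profile.known_devices:
        score += 30
        reasons.append("unrecognized device")
    if ev.country != profile.home_country:
        score += 25
        reasons.append(f"activity from {ev.country}")
    if ev.kind == "transfer":
        # The money is what needs protecting, so a transfer is scored on its
        # own terms, not only on the login that preceded it.
        if profile.typical_amount and ev.amount >= 5 * profile.typical_amount:
            score += 30
            reasons.append("amount far above customer's norm")
        if ev.new_payee:
            score += 20
            reasons.append("first transfer to this payee")
    return score, reasons


def decide(ev: Event, profile: Profile) -> Decision:
    score, reasons = score_event(ev, profile)
    action = "step_up" if score >= STEP_UP_THRESHOLD else "allow"
    return Decision(action, score, reasons)


def confirm_step_up(ev: Event, profile: Profile, verified: bool) -> bool:
    """Record the outcome of the phone check. A customer who confirms the
    event (the traveller in Ghana) gets the device remembered, so the same
    trip does not keep triggering challenges."""
    if verified:
        profile.known_devices.add(ev.device_id)
    return verified


def triage(events, profiles):
    """Score a stream of events; return decisions and the share stepped up."""
    decisions = [decide(ev, profiles[ev.customer_id]) for ev in events]
    flagged = sum(d.action == "step_up" for d in decisions)
    share = flagged / len(decisions) if decisions else 0.0
    return decisions, share


def demo():
    """Constructed sample: one customer, five events, including a genuine trip
    abroad and a transfer made with a stolen password from an unknown device."""
    alice = Profile(home_country="US", known_devices={"dev-a1"}, typical_amount=200.0)
    events = [
        Event("login", "alice", "dev-a1", "US"),
        Event("transfer", "alice", "dev-a1", "US", amount=150.0),
        Event("login", "alice", "dev-a1", "GH"),  # own laptop, travelling
        Event("transfer", "alice", "dev-a1", "GH", amount=300.0, new_payee=True),
        Event("transfer", "alice", "dev-zz", "GH", amount=2500.0, new_payee=True),
    ]
    return triage(events, {"alice": alice})


if __name__ == "__main__":
    for d in demo()[0]:
        print(d.action, d.score, d.reasons)
```

In the sample run the login from Ghana on the customer's own laptop is allowed (location alone stays under the threshold), a modest transfer to a new payee from that trip is stepped up, and a large transfer from an unknown device is stepped up on every signal at once; a correct password never enters the decision, which is the point of scoring the transaction rather than the front door.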
He also said they should improve procedures for establishing accounts, to prevent identity thieves from doing so with another person's name. Because such crimes often go unnoticed for a long time, he said, they can cost consumers and banks more than takeovers of legitimate accounts, which get more attention.
Mr. Parry asked how many in his audience of about 40 people had ever been a victim of such new-account fraud. One woman raised her hand. He said that a similar query at a recent speech to more than 250 people yielded two affirmative answers, while two-thirds of that group said they had been victims of account takeover-style crimes.
The responses may mean that victims of the new-account fraud are unaware of it, and that the banks are ignoring it while fighting account takeovers, Mr. Parry said. But "none of us is served by screwing this up," he said.