Fight vs. Online Fraud Seen Reaching 'Stalemate'

The war against online fraud may not be winnable, according to several bankers and security technology vendors.

Speakers at two New York security conferences last week agreed that the protection measures banks have in place now probably will not be effective against new types of scams that are being developed, and that even though new anti-fraud techniques are being developed, criminals will find ways to defeat them.

“This is an arms race, and it’s never going to stop,” Justin Bonar, who manages sales and business development for the Redwood City, Calif., security software vendor PassMark Security Inc., said at a panel discussion at a conference hosted by the trade magazine publisher Digital ID World LLC.

Other members of the panel agreed with his assessment.

Michael Aisenberg, the director of policy for the Mountain View authentication technology vendor VeriSign Inc., said the financial services industry is “in an early stage of solving the problem, and I don’t think we’re doing a very good job yet.”

Jonathan Penn, a principal analyst with Forrester Research Inc., hosted a separate panel at a conference sponsored by the security vendor Entrust Inc. He said that online fraud methods are continuously evolving. The first step was phishing, in which criminals use e-mail to trick people into visiting Web sites that look like banking sites and ask for personal information that can be used for identity theft.

Phishing “is still a fairly effective and a fairly predominant form of attack,” despite widespread efforts to warn consumers never to reveal their personal information, he said.

Online scams are becoming more complex and harder to stop, Mr. Penn said. For example, criminals can now use a man-in-the-middle attack to send instructions to a bank’s computer after a customer has logged in.

Banks are starting to use new authentication techniques, which make things more difficult for consumers. For example, Bank of America Corp. is rolling out software from PassMark that grants customers easy access to their accounts only when they are using a computer they have used before. E-Trade Financial Corp. offers its customers passcode-generating tokens from RSA Security Inc. of Bedford, Mass.

“If you happen to be a customer of Bank of America and E-Trade today, you’re going to have two very different processes to learn,” Jim Salters, the director of technology initiatives and project development for the Financial Services Technology Consortium, said during Mr. Penn’s panel.

But “fraud changes as the institutions defend themselves,” Mr. Salters said. Bankers and criminals are always trying to outsmart each other, and the battle between them is becoming “a stalemate.”

Both panels also discussed the guidelines issued last month by the Federal Financial Institutions Examination Council, which recommended that financial services companies strengthen their authentication measures for high-risk transactions.

“Institutions have been responding very positively to the guidance,” said Michael L. Jackson, the associate director for technology supervision with the Federal Deposit Insurance Corp., which is a member of the FFIEC.

He warned during Mr. Penn’s panel that fraud has long been perpetrated by insiders who gain access to customer data, and though this is still the case, many criminals now use the Internet to transfer funds out of a victim’s bank account.

Passwords alone are no longer adequate protection for online banking sites, Mr. Jackson said. The sites should use “some form of multifactor authentication.”

Mr. Aisenberg said the FFIEC guidelines are a step forward but will not be the last word.

“Ordering seat-belt use didn’t stop motor vehicle accidents, nor did it stop efforts to improve vehicle safety,” he said. The financial services industry is in a similar situation — institutions are scrambling to put the digital equivalent of seat belts in place today, but they still expect to add more protection in the future.

Susanna Montezemolo, a policy analyst with Consumers Union, said during Mr. Penn’s panel, “There is no 100% foolproof way to stop identity theft and the harms that come from it.”

However, banks and consumers should be using more tools than they regularly use now, she said. “What consumers really care about is that, in the end, their privacy is protected.”

