Viewpoint: Customers Can Help Make Security Work

Banks are investing in some innovative technologies to protect customer data, but they are failing to tap one very important resource — customers themselves.

The time has come to engage consumers in a dialogue about the reality that bank security is a shared responsibility. The business case to do so is overwhelming. Internet-borne attacks, including phishing, continue unabated and are expected to grow with the adoption of online mobile banking. Banks' interests in product innovation, brand reputation and, increasingly it appears, litigation, mean they cannot risk customer complacency about security.

Some customers will always assume they are protected and never "get it" about security. They will continue to use weak passwords (many people still use 'password' as their password), fail to update their anti-virus software and fall for scams. Their banks will absorb their fraud losses. Banks are also often held accountable for their business clients' lax security practices. For example, when an employee leaves a business and takes along his or her online credentials, the business may never tell its bank that the person is now an ex-employee, so the credentials may be used for nefarious purposes, producing a fraud loss.

There is evidence, however, that for every lax customer there may be another one — or even two, as more people feel comfortable transacting online — who recognizes that additional layers of authentication mean stronger security. These early adopters may be our greatest allies and a key to reducing fraud losses. These are the customers that recognize the value of password strength requirements, for example.

The proposal is this: Create a stratified system of security under which customers can opt in to additional layers of security. Such a system may inspire the more complacent consumers to question their choice of one-step authentication and opt in to a more secure alternative. It also addresses banks' concerns that additional layers of authentication discourage customers from transacting online or buying products and services.

The success of such a system depends on banks' ability to persuade customers that additional layers of security do not diminish their privacy. The details of how best to accomplish this are best left to the lawyers, but it is up to senior management to show leadership and demonstrate the advantages of empowering customers with real-world security solutions.

At the same time, financial services companies must continue to invest in technological innovation. This includes behavior monitoring, a practice that credit card issuers are successfully using to detect fraud, as well as biometric solutions. There may even come a time when consumers use stand-alone devices for discrete activities like e-commerce and e-mail, devices that lack the traditional operating systems and other software that have become so vulnerable to attack.

We underestimate some customers when we assume they are all unwilling to take the extra steps needed to protect themselves. Consumers are accustomed to buying various levels of insurance to protect themselves. The time may have arrived to offer them security-level choices pertaining to the wired world we now live in.
