Keeping Online Banking Safe:
Why Banks Need Geolocation and Other New Techniques Right Now
by Marie Alexander
If John Dillinger were robbing banks today, he wouldn't be waving a gun to do it. He'd be clicking a computer mouse.
About ten thousand times a year in the US, an old-fashioned bank robber hands a teller a note and flees with the loot. The total take is about $75 million, much of which is recovered, since well over half of all bank robbers are caught. Virtual bank robbery is another story. Gartner reports that nearly two million U.S. checking accounts were remotely breached last year with losses totaling $2.4 billion - 34 times the losses from real-world heists - and few of these e-criminals are apprehended. Dillinger today would take one look at the risk/reward scenario and dump his machine gun and getaway car in favor of a laptop and a phone.
About 35 million US households currently bank online, and Online Banking Report and other analysts project that number to top 50 million within five years. That's a target-rich environment for virtual robbers, who sometimes operate by swiping the account number and information directly from a paper check as it flows from merchant to bank, but the crime wave that's rocking the financial services world is phishing.
Phishers use falsified e-mails and bogus websites to dupe users into surrendering personal data that can be used to steal their identities and access their accounts. The e-mails, which appear to come from trusted companies, steer recipients to startlingly realistic replicas of well-known websites, where they are solicited for credit card and bank account numbers, passwords and social security numbers.
Phishing has grown explosively. MessageLabs, a UK security company, saw phishing attacks increase by 16,000 times in just 14 months - from 279 attacks in September 2003, to 4.5 million in November 2004. The Anti-Phishing Working Group, a consortium of major companies, says attacks are increasing at the staggering rate of 38% a month, and the number of new phishing sites topped 1700 in December alone, when 55 major brands were "hijacked" by phishers. Among those targeted were customers of Citibank, Wells Fargo, SunTrust and even the FDIC. MasterCard's TowerGroup estimates global phishing losses at $140 million, and others peg the number even higher.
Gartner says 57 million Americans received phishing e-mails from mid-2003 to mid-2004, with 19% being lured to the phony site and 3% actually surrendering personal data. Back in the early days of phishing (last year), phishers often gave themselves away with ungrammatical or misspelled e-mails, but many of the messages today are considerably more sophisticated - and many users aren't.
Phishing isn't the only threat out there, of course - e-criminals have executed credit card, account and application fraud schemes against online banks worldwide. Stolen identity data is used online to open fraudulent credit card accounts that can be quickly "maxed out" with purchases and cash advances. Falsified online loan and mortgage applications have been used to generate millions in bad loans that will never be repaid.
Americans banking online expect their accounts to be kept safe even if their identities are stolen. In a recent Unisys survey, 78% of respondents held their banks responsible for preventing fraud, and half said they would change banks if a competitor offered stronger protections. Banks have no choice - they must become more security-conscious, because lost money and lost customers aren't the only consequences of virtual robbery. E-crime increases the costs of liability, security, detection and investigation.
Most banks are still facing these 21st-century threats with 20th-century measures like usernames, encrypted passwords and account numbers. Unfortunately, these static credentials don't work as well as they once did: personal information has become so vulnerable to theft, and once a username and password have been phished they can be replayed by anyone, from anywhere. The online fraud scoring and authentication engines currently in place at many banks now require updating to keep up with the changing trends on the Internet, and not doing so could be very, very costly.
"Online banks are facing a crisis today," says industry consultant Jim Bruene, an expert on online banking. "They're losing credibility because their customers don't believe they're doing everything possible to protect their accounts from fraud. Trust is the watchword for the banking industry, and once that trust is lost, customers simply walk away."
So what must banks do now? First, they must change their own security protocols to specifically counter the fraudsters. Second, they must educate their customers. Third, they must embrace new technology.
The first two steps are mostly common-sense measures - waiting periods and payment limits for new customers, advanced authentication for sensitive transactions like funds transfers, periodic password changes and non-obvious usernames and passwords, and single-use disposable passwords for travelers. Banks can require users to verify account ownership in a variety of ways, and can lock out users after a certain number of failed password attempts within a short period.
Banks are also warming to the concept of customer education - providing security, privacy and phishing prevention information on the website and in newsletters - and establishing customer trust programs that include fraud protection guarantees, third-party fraud insurance and fraud resolution services.
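The failed-attempt lockout mentioned above is easy to state and easy to get subtly wrong. The following is an added example (not code from the article or from Quova) of one way to implement it: failures are counted per username inside a sliding time window, the account is locked for a fixed period once the threshold is reached, and a successful login clears the counter. The threshold and window values are hypothetical, and the current time is passed in explicitly so the logic can be exercised without waiting.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional


@dataclass(frozen=True)
class LockoutPolicy:
    # Hypothetical values chosen for the example; a bank would tune these.
    max_failures: int = 5           # failures within the window that trigger a lockout
    window_seconds: int = 15 * 60   # failures older than this no longer count
    lockout_seconds: int = 30 * 60  # how long the account stays locked


class LoginGuard:
    """Tracks failed password attempts per username and locks the account
    after too many failures inside the sliding window.

    `now` is a POSIX timestamp supplied by the caller so that the behaviour
    is deterministic and testable.
    """

    def __init__(self, policy: Optional[LockoutPolicy] = None) -> None:
        self.policy = policy or LockoutPolicy()
        self._failures: Dict[str, Deque[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        """True while the account is inside its lockout period.

        An expired lockout is cleared here, together with the old failure
        history, so the user starts with a clean counter afterwards."""
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Register a wrong password; returns True if this failure locked the account."""
        history = self._failures.setdefault(user, deque())
        history.append(now)
        cutoff = now - self.policy.window_seconds
        while history and history[0] < cutoff:   # forget failures outside the window
            history.popleft()
        if len(history) >= self.policy.max_failures:
            self._locked_until[user] = now + self.policy.lockout_seconds
            return True
        return False

    def record_success(self, user: str) -> None:
        """A correct password resets the failure counter for that user."""
        self._failures.pop(user, None)


if __name__ == "__main__":
    guard = LoginGuard(LockoutPolicy(max_failures=3, window_seconds=60, lockout_seconds=120))
    for t in (0, 10, 20):
        locked = guard.record_failure("alice", t)
        print(f"t={t:3}: failure recorded, locked={locked}")
    print("t= 30: is_locked =", guard.is_locked("alice", 30))
    print("t=141: is_locked =", guard.is_locked("alice", 141))
```

Two practical points that the article's one-line description leaves out: the login page should respond identically for a locked account, an unknown username and a wrong password, so the lockout cannot be used to confirm which usernames exist; and because anyone who knows a username can trigger a lockout, the counter is a denial-of-service lever, which is why the lockout is temporary rather than permanent.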
The industry, however, hasn't rapidly embraced new technologies, and the tools used by the fraudsters have outpaced bank controls. Again, common sense dictates some of the technical measures available - for example, disabling auto-complete on the login form (setting the autocomplete attribute to off on the username and password fields) so that Internet Explorer and other browsers don't store the credentials, and requiring users to type the entire username and password. But there are also new, cost-effective technology tools that should be in every bank's online security arsenal. Prominent among those tools is geolocation, the web geography technology that determines the geographic location - the country, state or even city - of the address the online customer is connecting from at the moment he clicks into the website.
That's important because the inherent geographic anonymity of the Internet is one of the online criminal's best weapons to avoid detection - the targeted institution doesn't know where in the world the user really is when accessing an account or submitting an online credit application, and if the user's actual location differs from the address on the account, the risk of fraud rises sharply. Fraudsters easily hide the fact that they are accessing US websites from foreign countries, for example, and about half of all phishing comes from overseas - organized crime rings in South America, Eastern Europe and Africa have launched coordinated attacks. The US government believes some of these attempts may even be linked to terrorist groups.
In real-world banking, geographic information helps prevent fraud - out-of-state checks are scrutinized more closely, and a mailed-in credit application may be flagged if the listed address doesn't match the postmark. Geolocation technology provides the same real-time information to the e-banking process, which is critical when the online visitor is clicking in from a known overseas fraud hot spot, like Nigeria. State-level data can be equally valuable - a recent LexisNexis customer study found that fraud rates were 15 times higher for transactions in which the user was located in a different state than the customer's billing address.
Knowing the user's location allows the bank's website to apply additional authentication measures when needed. A user attempting to access an account from a mismatched or unknown location can be asked for additional information before being granted entry - protecting the account even if a phisher has stolen the account number and password. An online credit applicant's true location can be compared to the address provided, and mismatches investigated, before the card or loan check is issued. One caveat: geolocation tells the bank where the connecting address is, not who the user is, and a fraudster working through a proxy or a compromised computer in the customer's own region will look local, so location is best treated as one risk signal among several rather than as a gate on its own.
It works. A major US credit issuer reduced its fraud rate for credit applications 12% in the first 90 days after deploying geolocation to flag overseas transactions. One major online retailer cut its fraud losses 15% by simply blocking orders from 15 overseas fraud hot spots, and another reduced credit card chargebacks by over $100,000 a month with country-level geolocation.
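The decision logic described in the two preceding paragraphs - look up the connecting address, compare it with the address on file, and either allow the login, demand additional verification, or refuse outright - is shown in the following added example. It is not code from the article or from Quova: the IP-to-location table is a constructed stand-in for a commercial geolocation feed (the prefixes are RFC 5737 / RFC 3849 documentation ranges and carry no real geographic meaning), and the list of blocked countries is hypothetical, since the article mentions such lists without naming the countries on them.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"        # location is consistent with the address on file
    STEP_UP = "step_up"    # ask for additional verification before granting entry
    BLOCK = "block"        # refuse and route to fraud review


@dataclass(frozen=True)
class Location:
    country: str            # ISO 3166-1 alpha-2 code
    region: Optional[str]   # state/province code where the data set has one
    city: Optional[str]


# Constructed sample data standing in for a geolocation database. Documentation
# address ranges are used only so the example runs offline; the locations
# attached to them are invented for the example.
GEO_DB: List[Tuple[ipaddress._BaseNetwork, Location]] = [
    (ipaddress.ip_network("192.0.2.0/24"),    Location("US", "CA", "San Jose")),
    (ipaddress.ip_network("198.51.100.0/24"), Location("US", "NY", "New York")),
    (ipaddress.ip_network("203.0.113.0/24"),  Location("NG", None, "Lagos")),
    (ipaddress.ip_network("2001:db8::/32"),   Location("RO", None, "Bucharest")),
]

# Hypothetical block list of overseas fraud hot spots.
BLOCKED_COUNTRIES = frozenset({"NG"})


def lookup(ip: str) -> Optional[Location]:
    """Longest-prefix match of the address against GEO_DB; None if unknown."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[ipaddress._BaseNetwork, Location]] = None
    for net, loc in GEO_DB:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, loc)
    return best[1] if best else None


@dataclass(frozen=True)
class Assessment:
    decision: Decision
    reason: str
    location: Optional[Location]


def assess(ip: str, account_country: str, account_region: Optional[str] = None) -> Assessment:
    """Compare the connecting address with the customer's address on file.

    `ip` must be the peer address of the connection (or the address reported
    by the bank's own trusted load balancer), never a client-supplied header
    such as X-Forwarded-For, which a fraudster can set to anything.
    """
    loc = lookup(ip)
    if loc is None:
        # An address the data set cannot place is treated like a mismatch.
        return Assessment(Decision.STEP_UP, "location unknown", None)
    if loc.country in BLOCKED_COUNTRIES:
        return Assessment(Decision.BLOCK, f"connection from blocked country {loc.country}", loc)
    if loc.country != account_country:
        return Assessment(Decision.STEP_UP,
                          f"country {loc.country} differs from account country {account_country}", loc)
    if account_region and loc.region and loc.region != account_region:
        return Assessment(Decision.STEP_UP,
                          f"region {loc.region} differs from account region {account_region}", loc)
    return Assessment(Decision.ALLOW, "location consistent with account", loc)


if __name__ == "__main__":
    samples = [  # (connecting address, account country, account region)
        ("192.0.2.10", "US", "CA"),
        ("198.51.100.7", "US", "CA"),
        ("203.0.113.5", "US", "CA"),
        ("2001:db8::1", "US", None),
        ("10.1.2.3", "US", "CA"),
    ]
    for ip, country, region in samples:
        a = assess(ip, country, region)
        print(f"{ip:>16} -> {a.decision.value:8} ({a.reason})")
```

The order of the checks matters: the block list is consulted before the country comparison so that a blocked country is refused even when it happens to match the address on file, and an address the data set cannot place is pushed to step-up rather than allowed, because "unknown" is exactly what an anonymizing proxy looks like to a geolocation feed.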
Geolocation isn't the only technology solution that e-bankers should be deploying. Virtual keypad technology requires the customer to enter the account number on an onscreen numerical grid by pointing and clicking rather than typing it on a keyboard, which defeats keystroke-logging malware, though not malware that captures the screen or the mouse position. And e-mail watermarking, a pattern of bits invisibly inserted into an e-mail message, gives the customer a way to tell a genuine message from the bank apart from a phisher's forgery.
What all of these solutions - technological, behavioral and educational - have in common is necessity. Online financial services enterprises are under relentless assault from web criminals around the world, and the priceless faith of their customers is at stake. The industry must adopt and deploy best-of-breed security measures right now - or watch America turn its collective back on e-banking.
Marie Alexander is President and CEO of Quova, Inc., an international provider of web geography services and geolocation technologies. firstname.lastname@example.org, http://www.quova.com.
First published on BankersOnline.com 4/25/05