A panel of regulators in the US are drafting plans to force banks to protect their customers better from a surge in online account fraud.
According to a report in the Financial Times, a panel with representatives from the FDIC, the Federal Reserve System and other agencies is reacting to the rapid evolution of malicious computer programs designed to drain accounts. Among its plans is a requirement for financial institutions to contact customers through means besides the internet, following European banks' actions in placing calls to clients' mobile phones to ensure that they intend to transfer money.
Speaking to SC Magazine about the proposals, IronKey CEO David Jevans said that having everyone involved in and responsible for securing customer assets talking about how to stop fraud is a good thing.
Jevans said: “However, actions do speak louder than words. Those institutions that can move ahead will be winners. They'll build their businesses with their customers of today and win the business of those who are concerned, or even worse, already burned by fraud.”
Asked whether the formation of the panel is a little too much too late, or if it is better to act before the problem gets any worse, he said: “Combating fraud is nothing new. Whether being taken by shell game scam artists or a multi-billion pound Ponzi scheme, fraud is nothing new. With the bulk of financial transactions now performed online it's only natural for fraudsters to turn their attention to online fraud.
“Staying ahead of fraud is something that always has to be done. Otherwise, you're already a victim. So focusing the attention of everyone involved in banking, from regulators, institutions and customers, is a step in the right direction. What's critically important is not to just look backwards but ahead to how criminals will steal money. That's the way to stay safe.”
The FT report also claimed that banks were warned in 2005 not to rely merely on usernames and static passwords, which has led to US institutions adopting two-factor authentication for big depositors. However, directives from the FDIC and others have allowed banks to skip that step if they had multiple layers of security checks to flag suspicious money movement.
Jevans commented that while various forms of two-factor authentication have been great tools in combating fraud, today's criminals are already able to get around the use of more than one authentication mechanism.
He said: “If a criminal can take over your browser, or even worse your computer, entering another passcode or secret into your browser is only opening up your accounts for criminals to steal from.
“So two-factor authentication, like any single information security technology, is not a cure at all. It is part of the solution, just like virtualisation, trusted network connections, online usage policies and many other anti-fraud technologies. It is not just about technology – policies and business practices are part of the mix as well. Putting all eggs in one basket, whether it's an investment strategy or combating fraud, is not a recipe for success. Staying ahead of fraud is not a one-time activity. It's non-stop.”