Financial Institutions Need a Can-Do Attitude

“Don’t mistake activity with achievement.”
– John Wooden, former UCLA basketball coach and 10-time NCAA Basketball Champion

Target, Neiman Marcus and Michaels recently lost sensitive customer data to hackers, joining Facebook, Gmail, Twitter, and Yahoo!. And those are just the breaches made public.

Financial institutions (FIs) aren’t safe either: Global Payments (processor for Visa and MasterCard), Bank of America, Citibank, JP Morgan, and Fidelity National Information Services all suffered data breaches recently. Hundreds of millions of dollars stolen and boatloads of personal data exposed to criminals.

Companies, especially FIs, are not doing enough to safeguard sensitive information. FIs scramble to buttress their systems to thwart attacks, while criminals easily elude the safeguards.

If you shop online your information could already be on a hacker’s hard drive, waiting to be bundled and sold to another criminal, making you vulnerable to identity theft and other crimes.

The protection plans offered by credit card companies and FIs do provide additional protection. But if that protection isn’t enough, why would consumers pay for safeguards that should be provided automatically? In truth, the “safeguards” aren’t really all that safe.

EMV (Eurocard, MasterCard, Visa) (covered on this blog) would be a step in the right direction, erecting additional layers of protection between FIs and hackers. EMV has been adopted by most of the world, but not in the U.S.

EMV replaces the magnetic stripe on cards with a microchip used for authentication, encrypting the information during the transaction and making it more difficult for thieves and card skimmers to steal. Security is further bolstered when the card is used with a PIN or signature. However, it is by no means a panacea.

Retina scans and fingerprints could also thwart criminals. Those systems require expensive investment in hardware and new software to support them. FIs and their customers should implement anything that makes it more difficult for hackers.

Two-factor authentication (2FA) is another, more feasible, option. It adds another level to the standard password login: the FI sends a code via text message to your mobile phone, and the user enters that code to execute the transaction.

Ninety-one percent of Americans already have a mobile phone, according to Pew Research. Convenience alone makes 2FA via text message a logical solution.

Sending out text message codes would require investment in software, but the cost is meager compared to implementing a scanner or other hardware solution. Twitter, Google and Facebook already support 2FA as an option at login. It should be made mandatory.

2FA has been around for decades but never took hold. If a mobile phone were compromised, it would carry frightening ramifications. And transactions are susceptible to Trojan horses, Man-in-the-Middle attacks, and other malware. In fact, all computers are vulnerable to these types of attacks.
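As an added illustration of the text-message flow described above (example code, not part of the original post and not any bank’s actual system): the server issues a six-digit code, stores only its hash, and accepts it once, within a short window, and only for the transaction it was issued for, which is the usual way to blunt the malware and Man-in-the-Middle concern just raised. The class name SmsOtpService, the outbox list standing in for an SMS gateway, and the two-minute limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 120   # assumed window: a code is only good for two minutes
MAX_ATTEMPTS = 3         # after that the code is discarded and must be re-issued


@dataclass
class PendingCode:
    code_hash: bytes      # only a hash is stored; a database leak does not leak live codes
    expires_at: float
    attempts: int = 0


class SmsOtpService:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}          # user_id -> PendingCode (one live code per user)
        self.outbox = []            # constructed stand-in for a real SMS gateway

    @staticmethod
    def _hash(user_id, txn_summary, code):
        # Binding the code to the transaction text means a code sent for one
        # payment cannot be replayed by malware to approve a different one.
        msg = f"{user_id}|{txn_summary}|{code}".encode()
        return hashlib.sha256(msg).digest()

    def issue(self, user_id, txn_summary):
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, six digits
        self._pending[user_id] = PendingCode(
            self._hash(user_id, txn_summary, code), self._clock() + CODE_TTL_SECONDS)
        self.outbox.append((user_id, f"Enter {code} to approve: {txn_summary}"))
        return code   # returned only so the example can play the customer's phone

    def verify(self, user_id, txn_summary, entered):
        p = self._pending.get(user_id)
        if p is None or self._clock() > p.expires_at:   # unknown, consumed or expired
            self._pending.pop(user_id, None)
            return False
        p.attempts += 1
        if p.attempts > MAX_ATTEMPTS:                   # stop brute-force guessing
            del self._pending[user_id]
            return False
        ok = hmac.compare_digest(p.code_hash, self._hash(user_id, txn_summary, entered))
        if ok:
            del self._pending[user_id]                  # a correct code is single-use
        return ok
```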

Tokens like RSA’s SecurID, 1Password, Toopher, YubiKey and the like that provide one-time passwords have weak points as well, which can serve as gateways for criminals. If breached, they could expose every one of the user’s passwords, all at once. Not good and hardly safe.

So what’s the answer?

Disappointingly, there isn’t one that ensures total protection in all situations. Hackers are clever and will continue to exploit weaknesses in any, and every, system.

2FA is easy to implement with current technology and is a formidable additional security layer.

Coach Wooden said, “Do not let what you cannot do interfere with what you can do.” FIs need to heed this advice.

About David Sutton: David has a BA in economics and a MS in business journalism, and his articles have appeared on Forbes.com and in the Boston Business Journal. David has had a bank account since he was three.

What We’re Reading: Corporate Mobile Banking, Security, Mobile Gift Cards

Below are interesting stories the Banking.com staff has been reading over the past week. What have you been reading? Let us know in the comments section below or Tweet @bankingdotcom.

  • Websites that adapt on the fly

ABA Banking Journal

The days of online banking being limited to desktop computers are over. Modern consumers are increasingly interacting with their banks using mobile devices such as tablets and smartphones. Understanding the popularity and value of on-the-go banking services, a handful of financial companies are beginning to introduce websites with “responsive design” to optimize their digital resources across the online and mobile channels.

  • Microsoft Joins FIDO Alliance Security Standards Group

American Banker

The FIDO Alliance, a consortium of vendors promoting authentication standards that includes Google, PayPal, Lenovo, BlackBerry and Nok Nok Labs, announced a major new member today: Microsoft. The Mountain View, Calif.-based FIDO Alliance (FIDO is short for Fast IDentity Online) is creating a protocol that will let applications, browsers and servers speak the same language for authentication. This could become a universally accepted alternative to passwords, which are considered by most to be too easy to game and too hard to remember.

  • Corporate Mobile Banking? Not So Fast

Bank Systems & Technology

Capital One research suggests security concerns are delaying many business customers’ adoption of mobile for corporate banking, while there is growing interest in commercial cards and self-service capabilities. Fewer than half — 48% — of the finance professionals surveyed by Capital One at the recent Association for Financial Professionals (AFP) Annual Conference said their companies have plans to implement new treasury management tools and/or services this year. Those plans include implementation of corporate mobile banking for a relatively small portion — 12% — of the 68% of responding firms that do not already offer the service, according to Capital One.

  • Weak Security In Most Mobile Banking Apps

Dark Reading

Security experts this month tested 275 Apple iOS- and Android-based mobile banking apps from 50 major financial institutions, 50 large regional banks, and 50 large U.S. credit unions. Overall, they found that eight out of 10 apps were improperly configured and not built using best-practice software development. Big-name banks whose mobile apps were tested by security firm Praetorian include Bank of America, Citigroup, Wells Fargo, Goldman Sachs, Morgan Stanley, Capital One Financial, and Suntrust Banks.

  • Putting the Pieces in Place: LifeLock and Lemon Wallet

Javelin Strategy & Research Blog

At first glance, LifeLock’s $42.6 million acquisition of Lemon may not seem to fit quite right. To some it may appear that LifeLock is buying access to Lemon Wallet’s user base, but an app with 3.6 million downloads does not justify that kind of investment on its own. As for LifeLock getting into the mobile payments game, the last thing the market needs is another also-ran. Fortunately, all is not as it seems because LifeLock may have actually found a way to avoid the rampant customer turnover which has been plaguing the identity protection industry.

  • Bank Opportunity #307: Online/Mobile Gift Cards

Net Banker

Regardless of the form factor, a favorite holiday gift is money. Some people like to give crisp 20s, the hand-written check still has a certain charm (as long as the recipient has mobile deposit capture), but the biggest growth area has been the plastic gift card. Banks should have owned this trend, at least in the United States. Those 100,000 branches would have been good distribution points, a place that you trust far more than the express checkout lane at Safeway. Financial institutions still have an opportunity to be major players in digital gift card distribution, especially mobile.

  • Banks shouldn’t use text messages for two-factor authentication

PC World

A widely used security feature intended to protect access to online bank accounts is becoming increasingly ineffective, as cybercriminals develop advanced malicious software for Android devices, according to a report released Wednesday. Many banks offer their customers two-factor authentication, which involves sending an SMS message with a code that’s entered into a Web-based form.
