Financial Institutions Need a Can-Do Attitude

“Don’t mistake activity with achievement.”
– John Wooden, former UCLA basketball coach and 10-time NCAA Basketball Champion

Target, Neiman Marcus and Michaels recently lost sensitive customer data to hackers, joining Facebook, Gmail, Twitter, and Yahoo!. And those are just the ones made public.

Financial institutions (FIs) aren’t safe either: Global Payments (processor for Visa and MasterCard), Bank of America, Citibank, JP Morgan, and Fidelity National Information Services all suffered data breaches recently. Hundreds of millions of dollars were stolen and boatloads of personal data exposed to criminals.

Companies, especially FIs, are not doing enough to safeguard sensitive information. FIs scramble to buttress their systems to thwart attacks, while criminals easily elude the safeguards.

If you shop online, your information could already be on a hacker’s hard drive, waiting to be bundled and sold to another criminal, making you vulnerable to identity theft and other crimes.

The protection plans offered by credit card companies and FIs do provide additional protection. But if that protection isn’t enough, why would consumers pay for safeguards that should be provided automatically? In truth, the “safeguards” aren’t really all that safe.

EMV (Eurocard, MasterCard, Visa) (covered on this blog) would be a step in the right direction, erecting additional layers of protection between FIs and hackers. EMV has been adopted by most of the world, but not in the U.S.

EMV replaces the magnetic stripe on cards with a microchip that is used for authentication and encrypts the information during the transaction, making it more difficult for thieves and card skimmers to steal. Security is further bolstered when the chip is used with a PIN or signature. However, it is by no means a panacea.

Retina scans and fingerprints could also thwart criminals, but those systems require expensive investment in hardware and new software to support them. FIs and their customers should implement anything that makes it more difficult for hackers.

Two-factor authentication (2FA) is another, more feasible, option. It adds another level to the standard password login: the FI sends a code via text message to the user’s mobile phone, and the user then enters that code to complete the transaction.

Ninety-one percent of Americans already have a mobile phone, according to Pew Research. Convenience alone makes 2FA via text message a logical solution.

Sending out text message codes would require investment in software, but the cost is meager compared to implementing a scanner or other hardware solution. Twitter, Google and Facebook already support 2FA as an option at login. It should be made mandatory.

2FA has been around for decades but never took hold. If a mobile phone were compromised, the ramifications would be frightening. And transactions are susceptible to Trojan horses, man-in-the-middle attacks, and other malware. In fact, all computers are vulnerable to these types of attacks.

Tokens like RSA’s SecurID, 1Password, Toopher, YubiKey and the like that provide one-time passwords have weak points as well, which can serve as gateways for criminals. If breached, one could expose every one of the user’s passwords, all at once. Not good and hardly safe.
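As an added illustration, not part of the original post, here is the institution’s side of the text-message code flow described above, written in Python: a short random code is issued, only a salted hash of it is stored with an expiry, and the code is accepted exactly once within its lifetime, with a cap on wrong guesses. The six-digit length, five-minute lifetime, three-attempt limit, class and function names, and the customer id and timestamp in the walkthrough are all assumptions for the example. None of this helps when the handset that receives the text is itself compromised, which is the weakness the post raises; what it does show is the server-side hygiene that keeps a one-time code from being guessed, replayed or used after it should have expired.

```python
# Added example (not from the original post): the issuing side of an
# SMS one-time-code check.  The institution generates a short random
# code, stores only a salted hash of it with an expiry, texts the code to
# the customer, and accepts it exactly once.  The lifetime, attempt limit
# and digit count below are assumed values, not figures from the post.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6            # assumed: six-digit code, like most SMS codes
CODE_TTL_SECONDS = 300     # assumed: code is void five minutes after issue
MAX_ATTEMPTS = 3           # assumed: wrong guesses allowed before the code is void


@dataclass
class PendingCode:
    """What the server keeps: never the code itself, only its salted hash."""
    salt: bytes
    digest: bytes
    expires_at: float
    attempts: int = 0


def _digest(code: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + code.encode("ascii")).digest()


class OtpService:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be exercised in tests
        self._pending = {}           # user_id -> PendingCode

    def issue(self, user_id: str) -> str:
        """Create a fresh code for the user; the return value goes to the SMS gateway, never to a log."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        # Issuing a new code replaces any earlier one, so only one is ever live.
        self._pending[user_id] = PendingCode(
            salt=salt,
            digest=_digest(code, salt),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        """Accept the code once, within its lifetime; burn it on success or after too many guesses."""
        rec = self._pending.get(user_id)
        if rec is None:
            return False                      # nothing outstanding (or already used)
        if self._clock() > rec.expires_at:
            del self._pending[user_id]        # expired: discard without comparing
            return False
        rec.attempts += 1
        # Constant-time comparison so response timing leaks nothing about the digits.
        ok = hmac.compare_digest(_digest(submitted, rec.salt), rec.digest)
        if ok or rec.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]        # single use, or burned by guessing
        return ok


def _other_than(code: str) -> str:
    """A syntactically valid code guaranteed not to equal `code`."""
    return "000000" if code != "000000" else "000001"


def walkthrough() -> dict:
    """Exercise the lifecycle against a fake clock; returns the outcome of each step."""
    now = [1_700_000_000.0]                   # constructed timestamp
    svc = OtpService(clock=lambda: now[0])
    out = {}

    code = svc.issue("customer-42")           # constructed user id
    out["wrong_guess"] = svc.verify("customer-42", _other_than(code))   # False
    out["correct"] = svc.verify("customer-42", code)                    # True
    out["replay"] = svc.verify("customer-42", code)                     # False: already used

    code = svc.issue("customer-42")
    now[0] += CODE_TTL_SECONDS + 1
    out["expired"] = svc.verify("customer-42", code)                    # False: too late

    code = svc.issue("customer-42")
    for _ in range(MAX_ATTEMPTS):
        svc.verify("customer-42", _other_than(code))
    out["after_lockout"] = svc.verify("customer-42", code)              # False: burned by guessing
    return out


if __name__ == "__main__":
    print(walkthrough())
```

Storing a salted hash rather than the code means a leaked pending-code table is useless to an attacker, and deleting the record on the first correct answer is what makes the code “one-time”: a code captured in transit and replayed a moment later is refused.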

So what’s the answer?

Disappointingly there isn’t one that ensures total protection in all situations. Hackers are clever and will continue to exploit weaknesses in any, and every, system.

2FA is easy to implement with current technology and is a formidable additional security layer.

Coach Wooden said, “Do not let what you cannot do interfere with what you can do.” FIs need to heed this advice.

About David Sutton: David has a BA in economics and an MS in business journalism, and his articles have appeared on and in the Boston Business Journal. David has had a bank account since he was three.

Security: What It Takes to Lead the Way

You say Target, we say EMV—how’s that for a conversation-starter?

The recent mass hack of retail giant Target—it’s estimated that more than 100 million consumers’ information might have been compromised—has generated considerable attention, as does every data breach that cuts to the bone. Expect to see the usual hand-wringing and calls for newer and more effective procedures, and with good reason. It’s entirely fair to ask why and how a multimillion-dollar security network of the kind Target surely has could be brought to its knees—allegedly—by a software tool created by a teenager, written in a common scripting language and widely available on underground sites for barely $2,000.

That’s why we should expect to be hearing a lot more about EMV. For the record, the acronym represents Europay, MasterCard and Visa, and it first saw life as a joint effort between those conglomerates to enable greater security and interoperability in chip-based payment cards. The specification covers everything from POS terminals to ATMs, meaning every store and bank simultaneously. The standard is now defined and managed independently, and Integrated Circuit (IC) or chip cards based on it are being rolled out throughout the world. The chip and related software ensure that each customer’s account number and other details are essentially invisible. The suggestion here, and it is hard to label the potential benefit any differently, is that it would help contain the damage wrought by the Target hack.

Of course, when something is a global standard, that doesn’t mean it covers every market—there are always exceptions. And in the case of EMV, there’s a big one: the USA. Many regions across the pond have embraced the new technology, but magnetic-stripe cards, which are far more vulnerable to data theft of the kind we saw at Target, remain the norm on these shores. Credit card companies, which are among those hardest hit by data theft at market-facing outlets like banks and stores, have been stepping up pressure on their partners to adopt the EMV specification and introduce IC cards. But it’s probably not going to happen for a while.

There’s a good reason for this, or perhaps 8 billion reasons. That’s the dollar figure attached to the estimated cost of a full-on conversion to EMV technology.

The simple truth is that through sheer size and economic heft, the U.S. is the world’s largest market for just about any product it embraces. That gives it enormous standalone power—it’s why, for example, music stars who sell out globally barely make a dent on the charts here, or the World Cup can be the biggest sporting event in the world while remaining a second-tier event for American consumers. The U.S. plays by its own rules, because it can.

It’s also worth noting that while credit card companies are rightly concerned about data fraud and consumers have reason to fear identity theft, the retail industry can make the case that the cost of conversion to the EMV spec, despite the benefits, isn’t justified by the fraud it would prevent (losses from this type of attack have been estimated in the $1 billion a year range). Besides, federal statutes protect consumers from having to pay for purchases made fraudulently with their credit and debit cards.

Most importantly, it’s always premature to see any technology as a panacea. Protecting financial information is an ongoing struggle, a non-stop effort to stay ahead of the bad guys. Whatever measures we put in place, sophisticated cybercriminals will find a way to circumvent them. However, the fact that credit card fraud rates in America, previously among the lowest anywhere, have doubled since IC cards began proliferating in Europe is cause for concern.

Whatever the merits of the argument, the current interest in EMV makes for a case study in market leadership. The fact that the U.S. retail and banking economies are so massive and complex should not automatically be a reason for them to be technologically behind the curve. We always need to be doing better. The EMV specification is one option that seems to provide enhanced security, but that’s it—one option. Being the biggest, and arguably the best, means it’s our responsibility to lead the way in identifying, developing and implementing many more.

What We’re Reading: Video Support, Mobile Security, Self-Service Technology

Below are interesting stories the staff has been reading over the past week. What have you been reading? Let us know in the comments section below or Tweet @bankingdotcom.

  • First Look: Why Banks Should Copy Amazon’s Mayday Video Support

American Banker

The days of scanning user manuals to figure out how to make a gadget or app work are finally evolving into more intuitive experiences and better support options to help puzzled customers out — including video. Financial institutions eager for customers to resolve their own mobile banking issues could emulate the feature in their smartphone and tablet apps. “Banks could probably make dozens of excuses for not adding the functionality, but obviously visionaries like Bezos [Amazon's CEO] believe enough in improving the customer experience to lead the charge,” says Jim Marous, senior vice president of corporate development at New Control and author of the Bank Marketing Blog. “This will be a foundational requirement eventually for banking, I believe. It is just a matter of when a bank will step in front and offer the capability.”


  • Mobile Security Case Study

Bank Info Security

As bank employees rely more on mobile devices to get their work done, ensuring secure file-sharing is a top priority. James Gordon of Needham Bank in Massachusetts shares his security strategy. “We were an early adopter of the iOS platform. We’ve been on the frontlines for deployment of those devices,” including accommodating the use of personally owned devices, says Gordon, who manages IT for the $1.2 billion bank. “We are having more discussions about how to use iPads for more than just an e-mail. And as that shift started to happen, we researched a number of different solutions.”


  • Adoption of Self-Service Technology Expected to Ramp Up In 2014

Credit Union Journal

When it comes to technology, don’t expect any game-changing innovations in the next year. Instead, credit unions should expect to see increasing functionalities within technologies that already exist, including an emphasis on self-service channels. Robert Reh, a member of the executive committee for the CUNA Technology Council, told Credit Union Journal that the move toward increased self-service may ultimately be the defining technology trend of 2014. “That’s something [consumers are] already accustomed to with other retail establishments,” said Reh.


  • My 2014 Wishlist for Digital Financial Services

Net Banker

1. Gmail-like priority inbox/feed for my financial transactions.
2. Hybrid loans that blend bank financing, P2P, and friends & family funds (blog post coming soon).
3. No login option for mobile access to my primary bank accounts (Chase, BofA, US Bank, Capital One, Wells).
4. No more telephone calls (and cryptic voicemails) from the fraud department at my credit card issuers. Instead, replaced with two-way text messaging (thanks Citibank and Discover for adopting this practice in late 2013).
5. Fraud insurance on my business banking accounts paid for as a percent of assets (e.g. $5+ per month per $50,000 covered with a $5,000 deductible).


  • Target card breach and what to do: Our view

USA Today

Credit and debit card fraud hit $11.3 billion in losses worldwide last year. The U.S. industry is migrating to these “EMV” cards, but it has moved slowly. Put stronger protections on debit cards. When thieves hacked into credit and debit card data of as many as 40 million Target customers over the holidays, the breach rattled nerves and roiled Christmas shopping. But the truth is, if you shopped at Target between Nov. 27 and Dec. 15 while thieves were hacking data, you’re unlikely to lose a dime. Federal law and industry practices protect virtually all customers from any liability for fraudulent charges.


  • The Data Product Era Begins in Financial Services

WSJ Blog: CIO Journal

Technology, data, and analytics have transformed other industries, such as retail, publishing, and entertainment. Computers have already revolutionized the transactional side of financial services. Now it appears they will also be adding higher forms of value in that industry as well. It’s going to be fun to watch.


Security: On Top of the Christmas Wishlist

To security professionals in the financial services industry, every new data breach—with the high-profile coverage it generates—must seem like another knife in the back. All those resources dedicated to the area, all that time spent securing the infrastructure, never seem to be enough. Despite all the effort, some anonymous hackers somewhere are able to brazenly infiltrate the system and steal the account information of potentially millions of holiday shoppers. The Grinch was never this bad.

With the most recent debacle, the company squarely taking the hit in the court of public opinion is Target. But of course, it’s not just the retailer that’s going to suffer. The most recent information we have is that between November 27 and December 15, all consumers who swiped their credit cards at a Target store in the U.S.—perhaps as many as 40 million—had their information compromised. That includes names, both debit and credit card numbers, expiration dates and even the three-digit security codes on the back. As hacks go, this one is big, and of course it took more than just some petty thieves to get the job done. Reports indicate that a sophisticated network of cyber criminals coordinated their activities to uncover the treasure trove of private information. While no one can be sure how big the network is, it seems their haul could be in the hundreds of millions. As a result, it will end up affecting not just Target and its customers but also the credit card providers, IT companies and industry security specialists.


But there are other repercussions too. While the industry has every right to be proud of the progress made in the adoption of many new technologies, each bringing about major changes in user behavior, the painful truth is that we could be doing much better. One big reason why we haven’t is security, and each high-profile data breach like this one sets back the conversation.

Take mobile banking. The speed with which this field has progressed is nothing short of astonishing—it’s gone from fantasy outlier to mainstream adoption virtually overnight, with thousands of custom apps emerging and finding an audience in record time. But most of the action is on the consumer side; corporations are still taking it slow.

We all know how mobile capabilities have obliterated the line between personal and business data—sensitive information now resides next to video games and personal calendars on every knowledge worker’s phone and tablet. But with banking, it’s a different story. To be sure, there are many other factors to consider. For example, the average CFO has a lot more information to deal with than the average user, and the tiny screens we love on our smartphones can be a problem.

Yet the biggest issue by far is security. New research from Capital One shines a spotlight on this unfortunate issue. In its survey of financial services professionals, only a small number of the firms that haven’t yet implemented corporate mobile banking plan to do so anytime soon. Fully 66% cited security challenges as the main concern.

On a very different but related front, news emerged recently that the two-factor authentication feature designed to protect online bank accounts has been greatly compromised. The practice, which entails sending an SMS message with a code that quickly expires, has been threatened by new malicious software for Android devices. In fact, there are already numerous malware suites to defeat one-time passcodes, and experts urge institutions and individuals alike not to rely on them.

On the face of it, swiping a credit card while buying a Christmas gift, implementing mobile banking at large corporations and getting a text message with a code don’t have much to do with each other. But underlying each technological advance and the behavioral change it induces is the need for security.

The reality is that people will continue to use credit cards while shopping, just as corporations will inevitably overcome their justifiable skittishness and implement mobile banking—the benefits are just too great. But how fast those practices evolve depends on how secure we can make them. Looking ahead to 2014, it would be nice to end the year without having the Christmas spirit spoiled by concerns about financial information being compromised.

*Image courtesy of  digitalart -