NEEDHAM, MA, April 26, 2005 - Email-based "phishing" attacks, used by criminals to convince individuals to reveal confidential information, are rapidly morphing into more insidious forms of online fraud.
New research from TowerGroup finds that advanced approaches to online fraud - using methods like spyware, browser hijacking and remote administration tools - pose a significant and fast-growing threat to consumer confidence in the online banking channel. In the face of this fraud evolution, the practice of requiring a username and password as the sole means of online customer authentication is becoming rapidly outdated.
"The US financial services industry is continuing to build effective defenses against phishing, with consumer education playing a critical role," said George Tubin, senior analyst in the Delivery Channels practice at TowerGroup and author of the research. "However, these existing defenses do little to protect financial institutions or their customers from fraud methods that don't require the consumer to manually serve up personal or account data. Because emerging fraud techniques could potentially lead to higher levels of compromised personal data, it becomes imperative for the financial services community to enhance the rigors of online security and customer authentication."
Highlights of the research include:
- Many desktop computers are highly vulnerable to attacks from malicious software, which can be downloaded to a PC without the consumer's knowledge. Using these 'malware' payloads, fraudsters can gain access to personal information through a variety of methods - from logging an individual's keystrokes on the computer when they sign in to their online banking site, to remotely taking control of the user's entire PC.
- "Single-factor" authentication, typically a username plus password, remains the most widespread approach for accessing online banking sites. While easy to use and administer, it cannot combat more advanced forms of fraud. As usernames and passwords become the weak link, the traditional single-factor approach will become an entirely deficient means of online banking authentication.
- "Two-factor" authentication offers a vast improvement in security. One example involves providing consumers with a hardware "token" that generates a one-time number to be entered along with their password. However, most large consumer banks have been fearful that convenience-oriented consumers will reject the additional burden of physical tokens, or will be overwhelmed by devices from multiple institutions.
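The token-plus-password scheme described in the highlights above, as an added example that is not part of the TowerGroup release and does not represent any bank's system. It assumes the token codes are produced by the HMAC-based counter scheme later standardised as RFC 4226 (the "random number" on the token display is in fact derived from a shared secret and a counter), and it uses the RFC's reference secret as constructed test data. The hypothetical `TwoFactorAuthenticator` class shows why a keylogged password plus an already-typed code is not enough for the fraudster: every accepted code advances the server-side counter, so a replayed code is rejected.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code per RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TwoFactorAuthenticator:
    """Hypothetical server side: password (first factor) plus a hardware-token code (second factor).

    The counter is stored per user and every accepted code moves it forward, so a
    code captured by a keylogger cannot be submitted a second time.
    """

    def __init__(self, look_ahead: int = 5):
        self.look_ahead = look_ahead  # tolerate a few unused button presses on the token
        self.users = {}

    def enroll(self, username: str, password: str, token_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "token_secret": token_secret,
            "counter": 0,  # next counter value the server is willing to accept
        }

    def _password_ok(self, rec: dict, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        return hmac.compare_digest(candidate, rec["pw_hash"])

    def login(self, username: str, password: str, code: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        # Evaluate both factors before answering, so a failure does not reveal which one was wrong.
        pw_ok = self._password_ok(rec, password)
        matched = None
        for c in range(rec["counter"], rec["counter"] + self.look_ahead):
            if hmac.compare_digest(hotp(rec["token_secret"], c), code):
                matched = c
                break
        if pw_ok and matched is not None:
            rec["counter"] = matched + 1  # consume the code: a replay of it now fails
            return True
        return False


def demo() -> dict:
    # Constructed test data: the RFC 4226 reference secret, not a real customer's credentials.
    secret = b"12345678901234567890"
    auth = TwoFactorAuthenticator()
    auth.enroll("alice", "correct horse battery staple", secret)

    first_code = hotp(secret, 0)  # what the token display shows for its first press
    legit = auth.login("alice", "correct horse battery staple", first_code)

    # A keylogger captured both the password and the code as typed, but the code is spent.
    replay = auth.login("alice", "correct horse battery staple", first_code)

    # The password on its own (single factor) is not enough either.
    password_only = auth.login("alice", "correct horse battery staple", "000000")

    # The real user's next token press is still accepted.
    next_code = auth.login("alice", "correct horse battery staple", hotp(secret, 1))
    return {"legit": legit, "replay": replay, "password_only": password_only, "next_code": next_code}


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is the usual operational compromise between usability (a consumer who pressed the token button a few times without logging in is not locked out) and exposure (a fraudster with the password gets only a handful of valid codes to guess against, and each accepted code closes the window behind it).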
"Stronger authentication technology is the most effective weapon in combating the rising tide of consumer data theft," said Tubin. "Yet selecting the right path to better authentication is complex for any financial institution. Calculating the costs of implementing and administering stronger authentication against the savings from a reduction in direct consumer fraud losses is a relatively simple financial analysis. The real difficulty is quantifying the potential negative impact on consumer convenience and confidence when faced with multiple online authentication requirements."
Tubin added, "The ultimate objective should be increased consumer awareness of the need for higher levels of security, combined with lower-cost and more user-friendly authentication methods. This will allow banks to implement stronger security without driving convenience-minded users away from the channel."