
Consumer Education Is No Longer Enough to Fight Phishing

In Thursday’s Bank Info Security newsletter, Linda McGlasson writes about the need for more consumer education and awareness as the primary strategy a bank should employ against phishing and malware. I don’t want to in any way criticize the efforts that have been made to date regarding the education of consumers and individuals about malware and phishing attacks. It’s a good start. However, we are fighting a losing battle. When you have such people as FBI director Robert Mueller ending his personal use of online banking after he got burned when he thought he could tell the difference between a genuine e-mail and a phishing attack, this should be a giant signal that we have reached the end of our ability to fight this war through consumer education.

Banks have generally innovated and provided reasonably good security concerning the use of websites for online banking. However, this technology continues to depend on the static password and shared secrets for authentication security. In an age when a significant proportion of PCs have been infected by malware, including key loggers, this is a demonstrably inappropriate strategy for banks to take.

Banks need to improve the customer experience so that use of a bank’s website involves less marketing and more assistance. If I think that the next window is geared toward selling me a product I do not want nor have time to consider, I am likely to click any button that will get me past it. The use of a tiny “no thanks” button hidden somewhere on the window plainly demonstrates that banks think marketing is more important than security. And indeed it may be. Banks expect consumers to shoulder a disproportionate burden for resolving fraudulent use of accounts and what banks are spending themselves on security is a tiny rounding error compared to what they are earning as a result of fraud. How about devoting half of the $35 billion banks make each year on overdraft fees to new anti-fraud initiatives?

Next, banks should adopt a much more aggressive and industrial-strength approach to attacking those who misuse the Internet to propagate malware and fraud. Decoy accounts should be used to isolate and provide early warning on fraudulent activity. Aggressive forensic investigation should be used to track back to those responsible for malware and fraud. Aggressive and uncompromising use of cease-and-desist orders against all who prosper or encourage the use of malware and fraud must be pursued by the banking industry.
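One way a bank’s monitoring could act on the decoy-account idea above, as an added example that is not from the original post: any activity on a bait account raises an early-warning alert, and money movement from the same source address against real accounts is isolated for review. The account numbers, IP addresses, session ids and log layout are constructed for this illustration.

```python
"""Decoy-account early warning monitor (added illustration; log format,
account numbers and IPs are constructed, not taken from any real bank)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Accounts that exist only as bait: no genuine customer ever uses them,
# so any touch is a high-confidence signal of stolen credentials in play.
DECOY_ACCOUNTS = frozenset({"ACC-90001", "ACC-90002"})

# Constructed log lines: timestamp account action src_ip session
SAMPLE_LOG = """\
2009-10-09T09:01:00 ACC-10001 login 198.51.100.7 s1
2009-10-09T09:02:10 ACC-90001 login 203.0.113.5 s2
2009-10-09T09:02:12 ACC-90001 transfer 203.0.113.5 s2
2009-10-09T09:05:00 ACC-10002 transfer 203.0.113.5 s3
2009-10-09T09:06:00 ACC-10003 login 198.51.100.9 s4
"""

@dataclass(frozen=True)
class Alert:
    reason: str      # "decoy_touch" or "tainted_source"
    account: str
    action: str
    src_ip: str
    session: str

@dataclass
class DecoyMonitor:
    decoys: frozenset = DECOY_ACCOUNTS
    tainted_ips: set = field(default_factory=set)  # sources seen on a decoy

    def observe(self, line: str) -> Optional[Alert]:
        """Return an Alert for one log line, or None if it looks benign."""
        _ts, account, action, src_ip, session = line.split()
        if account in self.decoys:
            # Early warning: the bait was reached, so this source is suspect
            # for every other account it touches afterwards.
            self.tainted_ips.add(src_ip)
            return Alert("decoy_touch", account, action, src_ip, session)
        if src_ip in self.tainted_ips and action == "transfer":
            # Isolate: a money-moving action from a source already seen on bait.
            return Alert("tainted_source", account, action, src_ip, session)
        return None

def scan(log: str) -> List[Alert]:
    """Run the monitor over a whole log and collect the alerts it raises."""
    mon = DecoyMonitor()
    return [a for a in map(mon.observe, log.splitlines()) if a]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```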

As anyone who has ever experienced fraudulent use of their bank account knows, banks tend to adopt a rather negative attitude toward customers who identify fraud. The attitude is very much that of “we’ll investigate and come to our own conclusion about whether or not these transactions are legitimate.” Banks need to recognize that their customers are the ones who discover fraud, and who bear the greatest burden for the resolution of fraud. Bank customers are banks’ greatest assets in fighting fraud. Why do banks persist in acting as though customers are somehow responsible for fraud? Yes, they may have allowed a sophisticated malware attack to infect their PC leading to fraudulent use of online banking credentials – but if the FBI Director himself gets fooled, doesn’t that show that consumers may be doing all they can do? Criminals are responsible for fraud, not consumers who’ve been fooled.

Statistics about this are hard to come by; however, I have a suspicion that banks are benefiting from fraudulent activity way more than they would care to admit. For example, I recently had $3500 of fraudulent airline tickets charged to my account. Thankfully, bank security flagged this on the day the charges were processed and sent me an email which I received on my Blackberry. The following day, I went into my bank to resolve the matter. I was overdrawn and needed to have the fraudulent charges and the $175 of overdraft fees reversed. The manager who helped me had me speak by phone with the bank’s fraud office to get this accomplished. Reversing transactions were put through that took effect on the following business day (a Monday :-)) on a temporary basis until a permanent resolution could be approved by the bank. For this business day the bank had use of my funds and the net effect on its balance sheet was to overstate the bank’s cash position by $3500 until the funds availability was restored in my account. The bank knew it was fraud but waited a day to restore my balance. I could not use this money. Multiply this by the thousands (millions?) of transactions that succeed in a similar way against bank customers every day, and you have a rather significant bit of dirty laundry to add to the already significant pile accumulated next to the banks’ washer in the basement. In short, this incident — together with such things as overdraft fee abuse — illustrates that there is a significant moral hazard involved in banks’ handling of fraud related to their accounts.

This article depends on the premise that widespread use of online banking is a significant positive for the banking industry. I believe this to be true. Banks have achieved significant productivity benefits from implementation of electronic banking measures of all types. But if consumers develop the perception that banks don’t care enough about phishing and malware to really work hard to stop it, then the electronic banking revolution will fade before it reaches its full potential. One thing banks have learned over the decades is that customer perception about banks is very hard to change. And for their part, banks are rather clumsy in their own approaches to developing and managing their brands. If consumers believe that banks are content to let fraud take place and leave customers to pick up the pieces, that could turn into a huge negative that could take years for banks to reverse.

Hiding from the reality of organized phishing and malware attacks by pretending that all is well will not be productive. In the current climate of significant mismanagement of risk by banks (sub-prime mortgages, credit default swaps, etc. – dare I say wrongdoing?) banks should realize that the same old “safety and soundness” message they offer regarding handling of fraud creates a real cognitive dissonance among consumers. The notion that banks play the market like they’re in Vegas, then accept taxpayer bailouts, then pay themselves millions while they place a hold on your money as they “investigate possible fraud” should be killed with a stake through the heart by all banks who care about keeping their deposit base.

Banks should be known as the primary fighters against phishing, malware, and fraud that are out there causing consumers to think twice about using electronic banking services. When consumers are facing financial pressures like never before, banks should be their friend and advocate in fighting fraud, taking much more of a “we’re on your side” attitude. I would argue that if one half of the unneeded and unwanted marketing messages I receive from banks were converted to helpful and empowering messages about information security that would be a good start to improving our chances in the war against phishing, malware and fraud. Perhaps banks should offer a bounty to consumers who identify a fraudulent transaction on their online banking statement. I’d like to see more headlines about banks cooperating with authorities, filing criminal and civil complaints against individuals and organized crime who are engaged in criminal activities. Only when banks, together with the credit card companies, take the lead in this war will we stand any chance of stemming the tide of phishing, fraud and malware.
