Electronic Banking and Financial Transactions in Jeopardy
A little over a decade ago the option to conduct banking and financial transactions over the Internet started to become available to customers. Security experts cautioned that potentially serious security risks permeated such electronic transactions, but banks, merchants and their customers “took the plunge and drank the Kool Aid.” I do not have any statistics concerning the number of users who regularly use Internet-based banking and other financial transactions, but I am confident that it is extremely high. At the same time, naiveté concerning security risks in such transactions is also incredibly high.
Unfortunately, not everything that initially appears to be advantageous turns out to be as good as initial expectations. Fraud in banking and financial transactions has grown to the point that banks (especially banks in the U.S.) are increasingly waking up to the fact that something is dreadfully wrong. Security in these transactions needs to be tightened considerably. But there is a catch–improved security requires additional controls not only on the part of banks, but also on the part of customers and their computers. Improving security within a bank or other financial institution is generally not a draconian task. In contrast, customers are not usually all that computer-savvy, so additional security controls are likely to seriously inconvenience them, motivating them to investigate the possibility of moving their accounts to a bank that does not require as many controls.
I’ve mentioned in previous blog postings that responsibility for fraud-related losses is different in the U.S. from the way it is in Europe. In the U.S., banks and merchants absorb the loss when customers are defrauded, whereas in Europe, customers are generally not reimbursed. Faced with the possibility of losing hundreds if not thousands of Euros, Europeans tend to be more cautious concerning banking and other transactions. Additionally, they generally do not rail when additional controls that cause extra work on their part are required. Smart card-based credit cards are commonplace in Europe, as is two-factor authentication in financial transactions in numerous countries. In the U.S., however, relatively few of those who engage in Internet-based transactions have smart chip-embedded credit cards, nor do many of them use two-factor authentication.
The originators of electronic banking and similar transactions did not envision (nor should they have been expected to envision) the pervasiveness of security threats on the Internet today. Had they had any inkling that organized crime in countries such as Russia, the Ukraine, Belarus and Brazil would be so successful in perpetrating Internet-based fraud and also that powerful tools such as the financial Trojan Zeus would be so widespread and easy to obtain, they might have discontinued their efforts and moved on to something else.
This having been said, what can we do (if anything) to improve the security of electronic banking and electronic transactions in the U.S. and elsewhere? It is not likely that U.S. banks and merchants will require users to use increasingly stringent controls for reasons mentioned earlier in this blog entry. I am confident that instead U.S. legislation that requires more security in banking and other financial transactions will be passed and go into effect. I do not believe that the federal government will just sit by idly as fraud-related loss figures grow to the point that they threaten to cripple the economy. Banks and electronic merchants will greatly benefit from the legislation–they will be able to tell their customers that any extra inconvenience in electronic transactions is not their fault, but rather the government’s fault.
Sometimes my predictions are right, and sometimes they are dreadfully wrong, so stay tuned. All I know is that when it comes to electronic transactions, we cannot keep going the way we are currently going. Something has to give. And, unfortunately, if and when users have to use more stringent security controls in banking and other transactions, the world of organized computer crime will invent new attacks that will keep them in the driver’s seat.