Providing online bank customers with security software an imperfect cybercrime antidote
By Ellen Messmer, Network World
In online banking and payments, customers' PCs have become the Achilles' heel of the financial industry as cyber-crooks remotely take control of the computers to make unauthorized funds transfers, often to faraway places. The dilemma for banks boils down to this:
How far can they go to help protect customer desktops that function like part of their shared network but aren't owned by the bank?
MY Answer: How about they provide something that IS owned by the bank (and uses existing bank rails) i.e.: Issue bank-owned PCI Certified PEDs...so they have a dedicated machine for online banking.
Banks are faced with the prospect that "customers own PCs that have been in the hands of Russian crime syndicates," says Jeff Theiler, senior vice president at Hancock Bank, which primarily operates along the Gulf Coast region. Like many other banks, Hancock finds itself getting more involved in helping customers defend their machines. <<read more>>
Editor's Note: Here's my response to Ellen's story (which was picked up by BusinessWeek today)...
Good morning Ellen: I enjoyed your article today on Network World and thought you might be interested in hearing that there is indeed a simple solution to the online banking problem to which you refer, specifically: "The dilemma for banks boils down to this: How far can they go to help protect customer desktops that function like part of their shared network but aren't owned by the bank?"
Question: If you are 2000 miles from your bank, at 2:00 AM and need $200.00 what process is trusted to authenticate you and disperse the $200?Answer: You insert/swipe your "bank issued card" then enter your "bank issued PIN" into a "bank owned ATM" and voilla. In seconds, you get your $200. That same trusted process is what should be used to authenticate online banking sessions.
Did you know that in Europe, almost 30% of consumers use a card reader for online banking (see graphic above) In America that number is ZERO.
Cost? WAY Less than what banks are already dishing out for "useless giveways. (When I say "useless" I am simply implying that the promotions they run don't "solve the problem.") The purpose of these give
aways is to attract customers. Well guess what? The purpose of "typing" is to provide online banking credential "giveaways" to the hackers, keyloggers and/or phishermen.
Our device plugs into the USB port or smartphone and encrypts the cardholder data (including the Track 2 data) at the maghead using 3DES encryption. It then DUKPT encrypts the PIN for the only genuine end-to-end encryption.
The most important thing our device does is it "eliminates" typing "login" data into a box in a browser. That's the inherent problem. That's why (as you mention in your article) the Russian's get/got control of the PC's. (malware/phishing) Our PED eliminates the usage of inadequate and way obsolete "username/password" login...thus it eliminates phishing.
What do phishers phish phor? "Online Banking Credentials" AND "credit/debit card numbers. How do they get them? They fool people into thinking they are "typing" their card numbers/online banking authentication into a legitimate site when in fact it is not. That problem would be "eradicated" with our device.
Thus if all a banks customers securely login by doing what they do at an ATM, swipe their bank issued card, enter their bank issued PIN and do it on a bank issued PCI certified PIN Entry Device the problem created by "typing" would be eliminated by "swiping."I'd be happy to provide further insight as to why this is a "no-brainer" for banks to deploy.Kaspersky Labs (which provides software security) knows that hardware is required as their recent proclamation calling for "mass adoption of card readers" professes. Software helps but at the end of the day it is simply a band-aid.
The internet was NOT designed to conduct financial transactions. It's called a "browser" for a reason and between malware, keylogging and phishing, the only solution to the problem is to replicate what we do at ATM's and/or brick and mortar retailers. Swipe vs. Type. As I like to say on the company blog. "If someone is going to "Swipe" your card information online, shouldn't it be you?
Question: Why would banks want to fork out $18 to give their customer a PCI Certified PED?
Answer: Well besides the obvious (they would save the millions of dollars lost to phishing) online banking is destined to fail. Most everyone is aware that fraud is running at epidemic levels and that what banks report is only a fraction of the real losses. (see graphic on right)
Other benefits: In addition to providing "True Two-Factor Authentication (and NO, a username and password is NOT really 2FA) Our device also completely eliminates the threats and fraud losses/costs created by typing...AND there is a return on investment in the form of Interchange revenue every time the device is used for online shopping or P2P payments.
Related articles by Zemanta
