By Brian McGinley
I want to continue our discussion on the 28 percent reduction in identity fraud as detailed in the recently released identity fraud report by . The old saying of “Dig your well before you’re thirsty” is good advice at this point in time for consumers and businesses. If we, in fact, have a brief lull from high levels of fraud, let’s use the time and opportunity wisely to continue to train the troops and strengthen our positions. It is not the time to relax or lose focus on what is still a very real problem. Fraud and identity theft will be back—and in a big way—if we don’t collectively raise our game.
Fraud is creative and continuously seeks the point of least resistance. We believe that many of the protective measures businesses are investing in have a positive impact, but two things happen when we raise the bar:
1) We challenge and teach crooks to get better in order to defeat our protection measures.
2) We displace the criminal activity to weaker targets, which is evident since many small to mid-size financial institutions are experiencing more sophisticated criminal attacks, such as unauthorized online banking and wire fraud, resulting in large losses and litigation.
Fraud continues to get more sophisticated and complex. It is becoming more difficult to identify, prevent and remediate existing and emerging threats to our information and financial accounts. Criminals are using highly technical exploits of software and hardware vulnerabilities, including malware, cross-channel infiltration and criminal data exfiltration from businesses and individuals. Paired with the mining of public data, social networks and person-to-person file sharing mechanisms, the fraudsters are defeating many of the measures designed to protect our accounts and data.
Identity-related fraud is an escalating and progressive conflict with no end in sight. Criminals are successful at defeating our primary line of protection—“customer authentication”—whether it is at the store, the ATM, online banking websites, or other venues such as PayPal, Facebook and email. Criminals are successfully collecting the information and credentials needed to beat the current customer authentication requirements and technology. The industry responds to these threats with measures like “Out of Wallet” (OOW) challenge questions and “Out of Band” (OOB) passwords, which are commonly used by financial institutions and other business entities as the “next gen” security to defeat crooks. Meanwhile, the criminals who have compromised access credentials such as user ID and static passwords are able to, within months, respond with new techniques to beat OOW and OOB.
The bottom line: When it comes to customer authentication, we have to get collectively better and do it quickly. The financial services community has typically been slow to respond to the authentication crisis due in part to their belief that if account access is not easy for the consumer, there will be stifled product and service uptake and use. Simply put, the bad guys are getting into the authenticated space with alarming frequency by beating the existing controls, and the financial institutions are running out of levers to pull. It’s time for a frank discussion with our consumers. Unless we require these institutions to use more advanced customer authentication techniques like tokens and non-static passwords, the financial accounts—for consumers and businesses—are at escalating risk of compromise.
With nearly 30 years of experience in risk management, security, loss management and compliance within financial institutions, Brian has held senior positions at Wachovia Corp. and Citigroup. He served as board chairman of the Financial Services Roundtable/BITS Identity Theft Assistance Center.