Security on the Web -- What are the Key Issues for Major Banks?
The age of digital technology -- email, Web-driven high-speed communication and information, online commerce, and more -- has been in place now for several years, and has been touted as a "revolutionary" technological breakthrough, and for good reason: This technology presents enormous new business opportunities. For example, by moving the key element of marketing and sales from local and regional strategies onto the global stage, and by providing dramatically improved customer convenience, the Web offers medium, small and large companies -- including banks -- unlimited growth potential.
That having been said, there are problems associated with online services, in particular online banking services, and security is at the top of the list of these issues. Some of the most serious security issues associated with Web-banking keep customers away from this technology, in fear of money being stolen and privacy taken away.
But indeed, there are solutions, in many cases, for banks that employ the latest security-related technologies; there are several successful strategies banks have embarked upon in regard to security for their customers who choose to use online services.
The Internet's History
Before there could be online banking, of course there needed to be an Internet, and a World Wide Web. The story of the Internet begins shortly after the Soviets jolted the American scientific community by successfully launching the satellite Sputnik, in October, 1957. President Dwight Eisenhower quickly established the Advanced Research Projects Agency (ARPA) within the defense department, to bring together the best scientific minds in an attempt to counter the Soviets' technological breakthrough (not necessarily, as some reports have suggested, to ward off a nuclear attack). According to the Web site www.ibiblio.org (Internet Pioneers, 2004), the ARPA launched the ARPANET, later to become a computer-linked network for scientists and military experts.
From those early origins of the Internet development, Bob Metcalfe (in 1973) invented Ethernet, and the mouse shortly thereafter was the brainchild of Douglas Engelbart, leading up to 1974, when Vint Cerf ("the father of the Internet") wrote a new protocol, TCP (Transmission Control Protocol), which was the catalyst to allow "various networks to connect into a true 'internet'," the article explains.
The World Wide Web (WWW) was founded in 1990, by Tim Berners-Lee, and by December, 1998, 26.2% of American households had the Internet hooked up for frequent use, according to the Department of Commerce (Petry, 2000).
As of today, there are approximately 185 million Americans with Internet access, and world-wide, an estimated 934 million individuals are online (http://www.clickz.com), according to Jupiterimages data gleaned from the Computer Industry Almanac.
Meanwhile, with this huge army of Internet users in place and believing in the power of cyberspace -- and most of them needing banking services of one kind or another -- the banking industry has been hustling to offer secure services since around 1995. The Royal Bank of Canada (RBC) reports that "The first national computer banking service in Canada, PC Banking, was rolled out ... in late 1996" (www.rbc.com 2004).
Now that nearly all banks offer services such as online bill payment, account management, loan applications and more, there are serious security breaches being reported, and while some customers are victims of online theft, other customers, justifiably, are extremely nervous. This paper will report on the various ways in which personal bank accounts -- and banks per se -- are being compromised by thieves. It will also offer solutions for customers and banks when it comes to safety and security online, and to the protection of customer privacy.
Online Banking: The Problems, the Concerns, and the Possible Solutions
A very recent article from News Factor Network (Arnfield, 2005), published in Yahoo! News, provides some overall perspective on the present and future safety and security of online banking services. In the article, the high-visibility U.S. anti-virus company, McAfee, through its emergency response team, Avert, reports that around "50 new viruses -- of varying risk assessments -- were discovered every day during the first half of 2004."
Moreover, in 2004, the article continues, "the rise in viruses, worms, phishing, adware [advertising-supported software that infects computers] and vulnerability exploitation has surpassed what was noted in 2003," according to Avert's VP, Vincent Gullotto. These vulnerabilities are partly due, Gullotto asserts, to "a general lack of awareness in regard to adware ... " as well as hackers taking advantage of "a general lack of consumer awareness" regarding Internet attacks.
Meanwhile, an article in the American Banker reports on the results of a recent Federal Deposit Insurance Corporation (FDIC) survey, which found that "an estimated 1.98 million U.S. adult Internet users experienced an unauthorized transfer from their checking account ... " (Bergman 2004) in a 1-year period ending April, 2004. The survey also found that "unauthorized access to checking accounts was the fastest-growing ... " of the five types of consumer fraud Americans experienced in 2004.
Given these very recent data, the key question for today's banking institution and banking consumer should be: "How secure are your online banking services?" After careful research and analysis of the issues involved, the honest answer, in many cases, will be, "not very secure at all"; notwithstanding the fact that banks are trying their best to convince consumers that online banking is secure, the news is not good.
It is indeed surprising -- and disheartening -- to research the literature and learn that banks are very vulnerable to Internet crime, despite their slick marketing efforts to assure consumers that online accounts are safe. Moreover, it appears that every time the banking industry believes it has licked a particular security breach, the hackers and thieves out there in cyberspace devise another tool to beat the latest stopgap security measure employed by banks. And unless banks can stay ahead of these crafty scammers, consumers -- who had been expected to flock to online banking services in droves -- may be content to actually drive down to the bank to make their transactions and deposits, and to pay their bills the old-fashioned way: by "snail mail" or in person.
There is a great deal of literature available to back up the position taken in the two preceding paragraphs. To wit, according to research conducted by the publication The Banker (Skinner, 2004), " ... 57 million adults in the U.S. received a fraudulent email as of May 2004" connected with their online banking services, and the trends clearly show that unscrupulous Web thieves are getting "more and more sophisticated."
Those "fraudulent" emails are part of an online con game called "phishing": the consumer receives an email announcing that "your account will be suspended unless you click here now," Skinner writes. An unsuspecting, unsophisticated consumer immediately clicks into "what looks like the bank's website," enters his login, password and his security settings "without realizing that all the details" are funneled into a hacker's computer -- and funds may well soon be stolen as a result.
Using information provided by the Anti-Phishing Working Group (APWG), Skinner writes that phishing attacks increased "50% a month" in the first half of 2004, with the principal targets being "banks, eBay, and PayPal." The phishing attacks are adding up to a staggering loss of $1.2 billion a year in Web-related fraud, Skinner concludes.
Where did the term "phishing" come from? There is a good explanation in the APWG's Web site (http://www.antiphishing.org): phishing comes from the "analogy that Internet scammers are using email lures to 'fish' for passwords and financial data" from the millions of Internet users around the globe. The term actually was launched in 1996, the APWG explains, by hackers who ripped off AOL dial-up account users back when the enthusiasm over having email technology tended to blind the new user to the danger posed by crooks who were lurking in the "alleyways" of cyberspace.
"Ph" is commonly used by hackers, APWG's site points out, as a replacement for "f" -- and "is a nod to the original form of hacking, known as 'phreaking', which was coined by the first hacker, John Draper (AKA, 'Captain Crunch')." (Draper reportedly invented hacking by breaking into telephone systems electronically in the early 1970s.)
Hackers became so adept at their trade that by 1997, "phish" were "actually being traded" as a form of hacker currency, the APWG report continues. Hackers would "routinely" trade ten "working AOL phish" for some form of hacking software they needed to continue their unscrupulous careers.
Another tool in the hands of the hackers and thieves is "script injection" -- which is a system where hackers insert "text frames in the official Web sites of banks," Skinner explains. The customer at home logged onto a laptop believes that the official details and designs on the bank's Web page on the computer screen are real -- when in fact some of that data have been inserted into the bank's Web pages by groups like "Gangs 'R' Us." Hence, the links available take…