Every week, it seems, another big company announces that it has lost thousands or millions of sensitive records on American consumers. Morgan Stanley. Sony. Cord Blood Registry.
Ever wonder why American consumers keep getting hit by data breaches? It's because we’re the lowest-hanging fruit for thieves, says Adam Dolby, director of electronic banking at Gemalto, an electronic security company.
“With the rest of the world hardening their targets, the U.S. becomes the weakest link,” Dolby says. “You can always tell when you’re the weakest link because you’re getting targeted.”
The biggest vulnerabilities involve our bank accounts, says Dolby. Countries as diverse as Germany, South Korea, the United Kingdom and Singapore have all taken serious measures to lock down consumers' bank information. In Germany, consumers use a small card reader to obtain a one-time code before they can act on their bank accounts online. The code is good only for that transaction, and only for a limited time.
Other banks are experimenting with a plug-in USB device that only lets customers visit certain bank-related websites and that generates a fresh access code every time they log in to their accounts.
“It's still web-based convenience, but you know for sure it has no viruses,” Dolby says.
In many other countries, banks are required to implement such strict access controls. Here in the U.S., there is no such rule. Bank of America is one of the few banks here to have adopted similar controls voluntarily: before logging in to their accounts, BofA customers receive a one-time password by text message on their phones.
Such extra steps are necessary, Dolby says, because banks and consumers now must assume that their computers are already thoroughly compromised by hackers—that fraudsters are already in our machines, looking over our shoulders, looking for information they can steal that will lead them to cash.
That's why it's important to deliver account access codes that change constantly over a different kind of device, rather than through the computer doing the banking. Hackers may be able to compromise one system fairly easily, but the chance that they can control two independent systems at the same time is much lower. The benefit depends on the second channel really being independent: a code delivered to, or a transaction confirmed on, the same infected machine adds little.
“Four years ago, we thought that all we have to do is protect the front door. Well, hackers have shown a pretty legitimate ability to get in the front door,” Dolby says. “So now you have to assume that you’ve already been compromised. So how do we protect the jewels in the vault?”
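To make the German card-reader scheme and the "assume the PC is compromised" argument concrete, here is an added example (not code from the article, Gemalto or any bank): a one-time code that is bound to both a time step and the transaction details the customer confirms on the separate device, with the bank-side check. The device secret, the account identifiers, the 60-second validity window and the scenario are all constructed for illustration.

```python
import hmac
import hashlib
import struct

# Constructed example: a per-customer secret provisioned into the card/reader.
# In a real deployment it never leaves the chip; here it is a fixed byte string.
DEVICE_SECRET = bytes.fromhex("3132333435363738393031323334353637383930")
STEP_SECONDS = 60      # how long a code stays valid (assumed window)
DIGITS = 6


def transaction_challenge(payee_account: str, amount_cents: int) -> bytes:
    """Bind the code to what the customer sees on the reader display.

    Anything the malware could silently change (payee, amount) goes in here,
    so a code issued for one transfer is useless for a different one.
    """
    return f"{payee_account}|{amount_cents}".encode()


def transaction_code(secret: bytes, challenge: bytes, now: int,
                     step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Reader side: HMAC-SHA256 over (time step, transaction), truncated to
    a short decimal code using HOTP-style dynamic truncation (RFC 4226)."""
    counter = now // step
    msg = struct.pack(">Q", counter) + challenge
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                       # 0..15, so offset+4 <= 19 < 32
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_code(secret: bytes, challenge: bytes, code: str, now: int,
                drift_steps: int = 1) -> bool:
    """Bank side: recompute the code for the transaction the bank actually
    received and accept it only within +/- drift_steps of clock skew."""
    for d in range(-drift_steps, drift_steps + 1):
        expected = transaction_code(secret, challenge, now + d * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def demo(now: int = 1_700_000_000) -> dict:
    """Constructed scenario: the customer confirms a transfer on the reader,
    but malware on the PC swaps in the attacker's account before the request
    reaches the bank. The bank recomputes the code over the request it got."""
    seen_by_customer = transaction_challenge("payee-account-A", 10_000)
    code = transaction_code(DEVICE_SECRET, seen_by_customer, now)

    tampered = transaction_challenge("attacker-account-B", 10_000)  # constructed
    return {
        # honest request, same minute: accepted
        "honest_request_accepted": verify_code(DEVICE_SECRET, seen_by_customer, code, now),
        # payee rewritten by malware: the code no longer matches
        "tampered_request_accepted": verify_code(DEVICE_SECRET, tampered, code, now),
        # same code replayed three minutes later: outside the window
        "replay_after_expiry_accepted": verify_code(
            DEVICE_SECRET, seen_by_customer, code, now + 3 * STEP_SECONDS),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point the article is making falls out of the last two results: a keylogger on the PC can capture the code, but it cannot reuse it for a different payee or after the window closes, because the code was computed on a device the malware does not control, over the details the customer actually approved. A plain SMS password that is not bound to the transaction only gives the second property.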
New Rules Show How Far Behind We Really Are
The new rules laid out this month by the Federal Financial Institutions Examination Council (FFIEC) are a first step toward making our data more secure, Dolby says. As we covered on July 8, the council soon will require banks to put multiple layers of identity authentication in place before consumers can access their accounts online.
That means the end of the current system, which checks the username and password entered by consumers together with data from cookies that banks place on your computer to recognize it. Hackers have so thoroughly corrupted those cookies that they are now completely unreliable, Jeff Kopchik, senior policy analyst in the FDIC's risk management division, told us.
Instead, all banks in the U.S. soon will have to switch to a system similar to BofA's, in which online access codes change constantly and are good only for short periods of time. Many banks have resisted such rules, fearing consumer backlash over the inconvenience.
But they could see the added security measures as an opportunity instead, Dolby says. Sending texts or social media messages to help consumers sign up for their accounts opens up a new, consistent method of communication with their customers, which is something that all companies want these days. The login information could be embedded in messages that also offer links to Facebook sites, surveys, interactive games, and other features that could help banks better understand their customers and build stronger consumer relationships.
“We have to get to the point where people don’t just see it as an inconvenience,” Dolby says. “It's like getting into your car. You need keys. You can’t just get in and drive. The same with Internet banking.”
And don’t expect this to be the last round of rules from the FFIEC aimed at improving the security of online banking, Dolby says. As hackers become better organized and better capitalized, they will figure out faster and faster ways to corrupt new security measures. That will be especially true here in the U.S., where most banks will still remain years behind their international competitors.
The new rules are "a step in the right direction," Dolby says. "But it underscores how far behind we really are. That means the attacks are not going to let up until we get serious about cyber-security."