997509

Is banking online safer than banking on the corner?

by Rob Rachwald

image of coins and computer keyboard Banking online has become increasingly pervasive and is becoming more and more common. But has it reached a point where its actually safer than going to your local branch?

The risks of banking online are numerous

Hackers have global reach - if you're doing offline banking in Birmingham, you only need to be worried about bad guys in Birmingham, for instance the customers and employees present in your local branch. If you're banking online, anyone in the world could attack you and your assets.
Automation - in the physical world attackers are limited by their ability to manipulate physical items like making an extra copy of your account number. In the online world attackers are essentially unlimited in the resources they can bring to bear.
Online security is opaque to the end user. People who aren't particularly tech savvy have a tough time differentiating between good online security practices and bad online security practices. Security in the physical world is much more intuitive for most people - keep your chequebook in a safe place or don't let someone peek when you are entering your PIN.

Outrunning the Bears

Most large retail banks are doing an exemplary job of securing their online banking applications. Over time, banks have come to understand the basic principle of software security: you can't be perfect, but you do need to be better. Since hackers will always seek out the easiest targets banking applications need to be strong enough so that a hacker will want to move onto someone else. This idea is best explained with an analogy: If you encounter a bear in the woods while hiking, you don't need to run faster than the bear. Just run faster than your fellow hikers.

Online banking has grown dramatically indicating that security concerns common a decade ago have been alleviated. Consider:

Strong user growth
- Online banking in the US grew to 44 million consumers in 2006. In fact, growth in online banking customers at the top 10 online banks surpasses overall Internet growth. And this growth is taking place in an industry where consumer security sensitivity is very high. A 2006 study by the Ponemon Institute showed that 34 percent of customers would change their bank after one breach, and 45 percent would leave after two breaches.
- In the UK, online banking usage has grown 50 percent since 2005.4 In addition, over half of people surveyed (57 percent) said they used Internet banking more often this year than last, with just one in ten (11 percent) stating that they never manage their money online. In Finland, only 10 to 15 percent of all banking transactions are now done over-the-counter.
Less hacking
- A 2006 Gartner survey showed only 8 percent of banks reported external hacks against their systems. By contrast, according to the Web Application Security Forum, 2006 was the worst year for Web application hacking in history.
Stronger consumer perception
- US consumer perception of online banking security has improved. In a recent survey of consumers, 68 percent of respondents believe that their financial institutions' websites are more secure.
New forms of attack required
- Since direct hacks against banking systems became very difficult, cyber criminals have resorted to phishing consumers with falsified emails. Today, 60 percent of banks report suffering from phishing attacks. Indeed, the number of phishing attacks has soared more than 800 percent recently, and hit a record figure of 1,484 in April 2006. While phishing schemes are a major problem today, they pale in comparison to the potential impact of the breach of core systems. If the banking infrastructure or software applications are compromised, then every account is vulnerable. Phishing, conversely, forces the adversary to follow the slow, painful process of compromising accounts one at a time.
Weaker banks targeted
- Gartner reports that the majority of hacking attempts were targeted against smaller banks with less solid application security. The same report indicates that phishing attacks also disproportionately target smaller banks, as large banks tend to have more security resources to combat attacks.

Can someone argue that online banking is safer?

The first issue: what is the root cause of financial fraud? According to the 2007 Javelin online banking security report (PDF), more than three-quarters of fraud actually comes from offline factors. As the chart below highlights, physical means of exposing personal information are the most common. Online methods, such as spyware or phishing, accounted for significantly fewer breaches. The leading factors are under the consumers control: lost or stolen wallets, credit cards, checkbooks or friends and family.

chart showing likely perpetrators of online banking fraud

The second issue: self-detection. If consumers can detect someone sucking money out of their account, then the fraud amount is usually the smaller. As the fraud survey noted, almost half of fraud discovery continues to be done by consumers which as a group average quicker times to discovery and lower fraud amounts. If consumers can spot incorrect activity faster then there is less fraud. The Javelin report also highlights that if a consumer uses electronic monitoring, the average time to detect a problem is 22 days whereas it's only 12 days longer if you receive a monthly statement via snail mail.

The third issue: fraud size. According to Credit Union.coop, the median online fraud is $195 (Ł100). For offline fraud, according to Javelin, the average consumer fraud cost is $422 (Ł215), more than double the online average.

What the numbers don't tell you

image of credit card and computer keyboard A short history of online banking might be useful. The first bank in the world to offer online banking was Wells Fargo in 1995 and it sparked a mad rush to get onto the Internet by both competitors such as Bank of America and upstarts like e-Trade. In the early days, security took a back seat to release dates. The flurry of negative headlines from this period illustrated the consequences of putting security on the backburner. While the banks were down, they weren't out. As Intel's Andy Grove said, "A fundamental rule in technology says that whatever can be done will be done." So what did they do?

The banks realized something basic: if the banking infrastructure or software applications are compromised, then every account would be compromised. Or, "It's the application, stupid."

The strategy of locking down the applications paid off as evidenced, ironically, by the rise of phishing. Since direct hacks against banking systems became very difficult, cyber criminals resorted to phishing consumers with dubious emails. While phishing schemes are a growing, major problem today, they pale in comparison to the potential impact of the breach of core systems. And here's the paradox that most people miss: phishing forces the hacker to follow the slow, painful process of compromising accounts one at a time.

Could online banking be like flying? Statistically, it's safer but it's just psychologically scarier?

About the Author:
Rob Rachwald is Director Product Marketing at Fortify Software. The company is exhibiting at Infosecurity Europe 2008, Europe's number one dedicated Information security event. Now in its 13th year, the show continues to provide an unrivalled education programme, new products & services, over 300 exhibitors and 11,700 visitors from every segment of the industry. Held on the 22nd - 24th April 2008 in the Grand Hall, Olympia, this is a must attend event for all professionals involved in Information Security. www.infosec.co.uk

Send a comment about this article to editor@itwales.com.

Menu: Home, Services, Events, Features, Interviews, Profiles, Reviews, News, Resources, Press