Even as they increase corporate efficiency, Internet banking and e-commerce are heaping additional burdens on the financial services industry. As a result, security has become the number one spending priority for many companies.
You’ve seen the worrisome stories. Viruses and worms literally spreading “doom”through global computer networks; spam clogging personal and corporate email systems; and identity theft, aided by the Web, robbing financial institutions, merchants and their customers.
“We need to be able to refute those headlines and say, ‘Hey look, this is how we’re addressing security,’” says Robert Blackburn, director, cash management, in the global transaction services unit of Citigroup.
Many bankers and corporate executives grappling with the harrowing security issues of the present day share Blackburn’s view. Security is a hotter topic than ever before for financial institutions, retailers, other corporations and the technology and software providers trying to help them cope with the threats.
The scale of the interest generated by Internet fraud was clear at the annual information technology conference hosted by RSA Security in San Francisco in late February, which drew 10,000 attendees—a 20% jump over the preceding year. The need for better security management was the major theme of the confab.
“I think there’s concern about security but not enough action.A lot of people are talking about it, but they haven’t figured out what solutions to put forward,” says Tom Miltonberger, senior vice president of product development at Quova, a Mountain View, California- based firm that sells technology services that allow online businesses to pinpoint the location of their Web site visitors to prevent fraud and comply with regulatory requirements.
Anonymity Aids Internet Criminals
All these crimes are flourishing in large part because the Internet allows the hackers and the fraudsters on the whole to remain anonymous while doing the deed. The speed and efficiency of the medium also plays a significant role. Statistics help tell the story. In 2004, malicious code—viruses, worms and Trojan horses— will cost the worldwide economy $35 billion, according to the Radicati Group, a Palo Alto, California-based technology research firm.
The major technology companies are responding to the hacker threats largely by introducing new versions of their software and hardware products that work better with other security management products.The dominant theme is integration of intrusion detection systems, firewalls, anti-virus programs and authentication technologies to get a single view of network security.
Then there’s the matter of online fraud.A recent study by the Internet Fraud Prevention Advisory Council, a consortium of online merchants, merchant acquirers, credit card associations and credit card issuers, estimated that the occurrence of online fraud, as a percentage of business revenues, might be as much as 40 times higher than for face-to-face transactions offline.
One scary financial crime made efficient by the Web and rapidly expanding is identity theft.The number of identity theft cases jumped 40% in 2003, according to the US Federal Trade Commission. The crime is expected to have cost consumers, businesses and governments $221 billion in losses worldwide last year, according to the Boston-based research firm Aberdeen Group. Those losses could increase almost tenfold within two years to reach as much as $2 trillion by the end of 2005.
Identity theft can take several forms. Perpetrators can use the Internet to hack into businesses’ servers and databases to steal client and account information. That can then be used to create new accounts, in customers’ names, that can be emptied out. Of course, the perpetrators can simply steal from the existing accounts they tapped into. Firewalls and encryption are the common methods to stop this form of attack.
Another identity theft scheme rapidly gathering steam is called “pfishing.”The fraudsters pretend to be well-known legitimate businesses such as banks or brokerage firms by setting up Web sites using those companies’ names and logos. They then email customers of those firms, encouraging them to give out key personal, financial and account data.That data can be used to take over their identities for the purposes of applying for credit cards, loans and mortgages.
“What we’ve seen recently is that identity theft has gained a lot of celebrity,” says Tracy Stover, director, client development, in the commercial card services group at Citigroup. She says that the bank has had some cases of corporate customers who became identity theft victims on their personal accounts. In those cases, the bank works with the client and the major credit bureaus to repair their damaged credit records so that they can obtain loans and financing in the future.
However, bank customers are not immune to theft attempts when they are at work.Turner says Citigroup’s commercial card services group recently received calls from some (fewer than 50) upset corporate customers saying they received emails at work from people claiming to be the bank and asking for account information. “What’s made people a little more nervous is that pfishing was happening on their corporate email,” says Stover.“I think people get a false sense of security with corporate email.We all have firewalls so they automatically assume the email is legitimate.”
Identity theft is a crime that often is difficult or timeconsuming to detect, allowing fraudsters plenty of time to do a lot of damage. Like their colleagues the computer hackers, online fraudsters are generally relentless and innovative in pursuing new techniques, technologies and ingenious new schemes.One of these innovations is the automatic credit- or debit-card number generator. These programs, which can easily be found on the Internet, automatically generate thousands of 14- or 16- digit card numbers.
The thief then submits a large number of transactions to test out the number sequences and see if they get a match. However, these attacks are fairly easy to detect and can be blocked with lockout and refusal systems that limit transactions to a set number, or block purchases because of a lack of billing and address information, according to security and fraud experts.
Software maps location of Internet users
As cyber-criminals become ever more sophisticated, it may seem that heading off fraudulent transactions is almost impossible. Software from companies such as Quova can help, though.
Tiny Transactions, Huge Hauls
Another area that is facing increasing attacks is the Automated Clearing House (ACH) network. Fraudsters are submitting small transactions across the system that can reap large amounts if they succeed in initiating automatic debits against thousands or millions of company checking accounts.“Clients can set up a debit block to stop any ACH transactions from debiting the account. We advocate that all of our clients put a block on their account when it is used for any sort of checking going out of it,” says Citigroup’s Blackburn.The bank also tells its corporate cash management customers to reconcile their accounts daily. “Make sure you recognize them and the persons who made them,” he says.
Fraud has become a big concern as use of the ACH system has greatly expanded with consumers’ use of debit cards to make Internet purchases.
The system used to be primarily the province of businesses as a way of paying their employees, vendors and suppliers.
Another major problem in Internet commerce is the overwhelming amount of spam, or junk email, increasingly dominating the email servers of most companies. Spam will account for 52% of all email by the end of this year and will cost $41.6 billion in financial losses, more than double the amount in 2003, according to the Radicati Group. The losses stem mostly from increased IT infrastructure costs for bigger servers and more administrators.
• Identity theft is expected to have cost consumers, businesses and governments $221 billion in losses worldwide last year. Losses could reach $2 trillion by the end of 2005.
The Real Cost of Spam
“The volume of email you’re dealing with is enormous because of all the garbage you don’t want.Your infrastructure is blown way out of proportion because of the spam,” says Sara Radicati, CEO of the Radicati Group. She estimates that companies spend an average of $49 per user mailbox per year in additional administration costs directly caused by the deluge of spam they’re facing. Those costs don’t include the loss of worker productivity in having to wade through and delete spam.
Spam is also a security threat because many of the messages carry computer viruses with them.The email pfishing schemes that have become prevalent over the past year often originate in spam messages. Companies typically combat spam with filters, but they are of limited effectiveness. “The filters let a lot through,” says Radicati, who estimates that 17% of spam still gets through the filters.
Technology companies are now proposing and devising a number of hardware and software solutions that try to verify the access rights of the email sender. For example, Microsoft is proposing a caller-ID system for email.
“There’s no magic bullet. It’s a complex problem, and the solutions will be expensive,” says Radicati. ■
• By Adam Rombel