Monday, April 2, 2012

More Comments Regarding Online Security

As a follow up to last week's post about the risk of hacking attacks on Internet gaming sites, I felt it useful to expand on this topic. The customer remains the weakest link, in two main areas. First, poor password composition. An article in the March 24, 2012 edition of The Economist provides insight into just how lightly most people take password security. Almost 1 percent of a particular web site's users had selected 12345 or 123456 as their password. Others used a single letter (only takes 26 guesses) or a readily identifiable name, word, or phrase. Second, failure to maintain a secure environment on their personal computers, smart phones, and tablet devices. Recently, a customer fell victim to a scam while shopping on-line. Due to a lack of current virus protection, the customer had unknowingly been infected with a program which was watching her on-line activity. When she entered her card number to complete a transaction on a legitimate site, the rogue program produced a “pop-up” window with some VERY clever language, similar to this: “We are working with your bank to improve on-line security. Please re-enter your credit card number, expiration date, and CVV code” unfortunately, the customer did just that, and the information was gathered by a criminal who began using the card for other purchases.

Regardless of the source of, or the reason for, a particular breach, banks are generally held responsible for losses customers incur (even in the face of overwhelming evidence as to the customers' culpability) Banks must fight a battle on two fronts: Ongoing education of customers regarding safeguarding their private data is essential. At least a few will heed this advice, and act accordingly. Getting customers to keep virus protection up to date is even harder. Some banks have begun offering free access to virus protection as a part of online services. Even doing this, the software is useless if customers don't keep it up to date, so education and reminders must continue.

Second, invest in as much anti-fraud technology as you can to identify and block criminal activity, whether from debit or credit cards, ACH, or wire transfers. Since banks are ultimately held accountable for these losses, anything you can spend now to reduce your exposure is warranted . . . .to a point, of course.

Finally, remain alert. When you see evidence of one or two card fraud issues, be alert for many more, as these may in fact be “testing” transactions to verify account information and balances before larger transactions are attempted. Involve your EFT and core provider as soon as you feel there is any issue.