October 9, 2009
Authored by: Bryan Cave Leighton Paisner
As new capabilities evolve through technology, so do new opportunities for hackers and thieves to compromise a customer’s data. These technologies stand as a major threat to a bank’s customers. In addition to general concerns of reputation and customer loyalty, banks should not forget that they are expected to help keep customers informed about threats to online security and about the protective steps that can be taken.
One malware program that chillingly shows how far these programs have come (and has recently been getting significant press for it) involves literally stealing money from a customer’s account under his or her nose. Once downloaded, the program first captures the customer’s login information for internet banking. After stealing the customer’s password, the program begins transferring money from the account to the thief’s account – a scheme that has been done before. The catch is that the program also intercepts the page content coming from the bank and manipulates it. That means that when the customer refreshes or relaunches his or her account page, the numbers remain the same, so to the customer the account looks untouched. All the while, until the customer logs on from an uninfected machine or realizes something is fishy (be it because none of his or her recent transactions appear or because his or her debit card starts getting declined), the cyberthief can escape and cover his or her tracks. Just like crime in the real world, the longer the thief has to flee, the tougher he or she is to catch. Therefore, given the nature of this program, prevention is the only effective solution.
Obligations to Customers
Unfortunately, cybercrime will be an ever-evolving threat. As criminals’ capabilities improve, consumers must take stronger steps to ensure their data (and money!) is protected. It is important for a bank to ensure security within its internal systems. But regulatory agencies have made clear that they will look to a bank’s customer education efforts to ensure that it is providing at least some modicum of information. For example, the FFIEC (the governmental body that helps ensure consistent guiding principles for regulatory bodies such as the OCC, FDIC, FRB and OTS) has set forth specific guidance mandating that customer awareness and educational efforts be part of a bank’s operations (see http://www.ffiec.gov/pdf/authentication_guidance.pdf). In its statement, the FFIEC states, “Financial institutions should evaluate their consumer education efforts to determine if additional steps are necessary. Management should implement a customer awareness program and periodically evaluate its effectiveness.”
Overall, banks have put forth a strong effort in educating their customers about internet security. As Robert D. Lee, Senior Technology Specialist for the FDIC, said in a 2005 article, “Financial institutions offering Internet banking products have generally done a good job of providing security-related information on their Web sites to both educate customers about the threats and instruct them on how to report suspected fraud. Providing educational materials to customers that explain how to recognize phishing e-mails and describe how to secure personal computers against viruses and Internet schemes continues to be an important bank activity. Customer education adds value to banks’ information security efforts, but banks still must address the risks of compromised access credentials.” But banks cannot become lax in their efforts. As new threats emerge, additional information must be provided and additional steps taken so that customers can anticipate and avoid these risks. These efforts should help keep customers on top of both general developments in the types of viruses and other malicious programs being discovered and specific information about individual malicious programs that may require special attention.