Fighting Fraud: Banks Can't Afford to Wait
New Threats Can be Catalysts for Positive Change
As incidents of ACH and wire fraud increase, banking institutions say they can't afford to wait for the Federal Financial Institutions Examination Council to release updates to its 2005 online authentication guidance.
It's been more than four months since a draft of the FFIEC's update was inadvertently released by the National Credit Union Administration. And still, the industry waits. [See NCUA Disclosed FFIEC Draft.]
For Michael Wyffels, senior vice president and chief technology officer of Moline, Ill.-based QCR Holdings Inc., a $1.7 billion holding company that operates three banks, the waiting game has become too risky. "I'd like to make sure our recommendations fit with what the FFIEC is recommending," he says. "But the hackers seem to continue to find new ways to exploit vulnerabilities."
Recent wire fraud incidents originating in China prove that account takeover, perpetrated through online attacks, continues to grow. [See New Wave of Wire Fraud Strikes Banks.]
In fact, online breaches across the industry have put everyone on alert.
Online Breach Epidemic?
From RSA to Epsilon to Sony and now LastPass, online security controls are clearly showing their age and their vulnerability. The whole breach epidemic has led to growing "public jitters," according to the Unisys Security Index, which includes consumer survey results about perceived Internet security. [See Public Jitters Over IT Security on Rise.]
In a recent interview with GovInfoSecurity.com Executive Editor Eric Chabrow, Unisys CISO Patricia Titus says online breaches are eating away at consumer trust. "What is the fallout from the Epsilon breach and Sony breach? Are people going to hold their breath and wait and see what happens, or are they going to proactively take action? Are the institutions actually going to help people understand what protections they could put in place themselves?" she asks.
It all points to the need for new technology. At least that's the way Terry Austin, CEO of Guardian Analytics, sees it. "The whole authentication and malware phenomenon is a cat-and-mouse game," Austin says. "Fighting malware with authentication is a losing battle."
The FFIEC recommends a layered approach, and that's a takeaway Wyffels is embracing. But it's not a catchall, Wyffels warns. Adequate fraud detection and prevention, especially in the online world, require persistent vigilance.
"We, as an institution, want to do as much as reasonably is possible to mitigate risks," he says. "Like everyone, we want to make good choices and sound investments. ... We just can't get comfortable, because things are changing all the time. I hope, as an industry, no one ever says they are comfortable."
Bin Laden's Death and AML Worries
No, we should never get too comfortable - a truth born from another leading story this week. The death of Osama bin Laden, says anti-money-laundering expert Kevin Sullivan, could cause disorder within the ranks of al-Qaeda, and that could lead to new efforts to funnel terrorists' funds through traditional banking channels.
"Any resulting disarray might create some new and/or unusual money movement that may be a red flag and draw the attention of the authorities," he says. "Now is the time to pay close attention to high-risk, terror-aligned countries to see if there is any account activity that could be the resulting fallout and potential power struggle created by the leadership vacuum from bin Laden's death."
As Sullivan rightly points out, banks should take bin Laden's death as an opportunity to check their systems and ensure their existing money-laundering and Bank Secrecy Act screenings are up to par. "We have not defeated terrorism yet," he says.
The same advice should be taken regarding the recent breaches. These incidents should be catalysts for change. Though online breaches are increasing, institutions should follow the example set by Wyffels and his team - don't get too comfortable.