Is banking security based on a single point of failure?
Security measures taken to protect people’s bank accounts and credit cards are getting more and more sophisticated. But the protection mostly takes place in the electronic world, which means that once the bad guys are behind the fences they can play around as they wish. Electronic signatures, authentication keys and of course your username and password are all stored electronically and are very often too easy to access. All of them are being misused, often because the bad guys know how to disguise themselves while people with little technical knowledge are easily fooled.
It seems that no country in the world has made it illegal to create a website meant for scamming or fraudulent activities, yet if a website is meant to deceive customers into thinking it belongs to a competitor, there are countless verdicts ordering the owner to take it off the Internet. Why is that?
The most common way to get people to give up their security codes or PINs is through websites that imitate the legitimate website of an organization. It does not matter that the organization has stated somewhere in the fine print that the customer should never provide such information; people do it because they think it is a legitimate request. (And don’t forget that organizations sometimes ask for such information in direct communication.)
So why are such fraudulent websites being created, and why are the hosting services fine with that? But perhaps the main question is: why is the user held responsible for being deceived, but not the bank or any other organization that claims to have built a security system so complicated that it cannot be breached, when it is in fact quite easily breached?
Many years ago, the credit card companies monitored where cards were used. This prevented misuse of the cards, as at that time the card had to be physically present. So, if a card was used in two geolocations that were too far apart for the cardholder to travel from one to the other in the time between the two transactions, the second transaction would be denied and the card closed. The cardholder would even get a phone call from the bank or the card company asking about the transactions.
Today, the banks trust their security systems blindly and blame everything that goes wrong on the customer. Never mind that their system is too narrow-minded in its protection and that the protection in fact relies on a single security factor, one that most hackers do not have. It has a single point of failure. (Did you know that the log files on your Windows computer keep track of a lot of your web activities? The username used and the amount of money you were transferring can be found in clear text in some of these logs. Yes, clear text. And from the day you started to use the computer! I assume it is the same on mobile.)
Sophisticated security systems are only as good as their weakest link. And here the weakest link is not the user, but the absolute trust given to the user once inside the fences. The security perimeter is very well guarded, but once inside you can steal everything you desire: while the function of the security measure is to open the doors only for those who provide the correct electronic authentication information, very little or nothing is done to prevent you from leaving with what was stolen. Of course you need a PIN, but once you are in, you can simply look it up using the same authentication information that got you in.
Perhaps the banks have to go back to the time when monitoring of user activities was the best way to prevent fraud. As this would be used only for monitoring purposes and to stop unusual activities, it could be done on pseudonymous or masked identities to comply with privacy laws and regulations. Unusually high transfer amounts would be flagged and even stopped, with instructions to the account owner to contact the bank. The same would apply to credit card transactions made without the card being presented that are out of the ordinary: expensive car parts for somebody who has never bought car parts, multiple transactions in a short time that would be out of character for the user, and so on.
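The monitoring rules described above (impossible travel between two card-present transactions, an unusually high amount, an out-of-character card-not-present purchase, and a burst of transactions) as a small added example, not code from any bank or from the original post. The thresholds, the transaction fields and the sample history are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from statistics import mean

@dataclass
class Txn:
    ts: int            # seconds since epoch
    amount: float
    lat: float
    lon: float
    category: str      # merchant category, e.g. "grocery"
    card_present: bool

MAX_SPEED_KMH = 900.0   # assumed: a card cannot travel faster than an airliner
BURST_WINDOW_S = 600    # assumed: 3 or more transactions within 10 minutes
BURST_COUNT = 3
AMOUNT_FACTOR = 5.0     # assumed: more than 5x the account's average amount

def km_between(a: Txn, b: Txn) -> float:
    """Great-circle (haversine) distance between two transaction locations."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def flag(history: list[Txn], txn: Txn) -> list[str]:
    """Return the names of the rules the new transaction trips, given past ones."""
    flags = []
    # 1. Impossible travel: compare with the most recent card-present transaction.
    last = next((p for p in reversed(history) if p.card_present), None)
    if last and txn.card_present:
        hours = max((txn.ts - last.ts) / 3600.0, 1e-6)
        if km_between(last, txn) / hours > MAX_SPEED_KMH:
            flags.append("impossible_travel")
    # 2. Unusually high amount relative to the account's own history.
    if history and txn.amount > AMOUNT_FACTOR * mean(t.amount for t in history):
        flags.append("unusual_amount")
    # 3. Card-not-present purchase in a category this account has never used.
    if not txn.card_present and txn.category not in {t.category for t in history}:
        flags.append("new_category_cnp")
    # 4. Burst: too many transactions inside a short window.
    recent = [t for t in history if txn.ts - t.ts <= BURST_WINDOW_S]
    if len(recent) + 1 >= BURST_COUNT:
        flags.append("burst")
    return flags

# Constructed sample history: a London cardholder with routine small purchases.
HISTORY = [
    Txn(1_700_000_000, 42.0, 51.51, -0.13, "grocery", True),
    Txn(1_700_003_600, 18.5, 51.50, -0.12, "cafe", True),
]
```

A flagged transaction would be held and the account owner asked to contact the bank, as the post suggests; the rules only need the pseudonymous account history, not the customer's identity.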
Whichever method is used, the time of freely roaming around after having breached the perimeter is over. Organizations have to put their focus on internal defences in addition to perimeter defences. The risk assessments need to cover this ‘insider’ risk: that somebody has, through social engineering or other methods, infiltrated the security system and is now carrying the crown jewels to their car. As it is, the security systems used to protect customers’ money in banks are not as effective as they need to be. They may be multi-layered, but the culprits are still infiltrating them much too easily. Customers are more vulnerable to fraud and to losing their money while trusting the banks with it than when good old-fashioned bank robberies were staged. The more the banks rely on electronic solutions, the more vulnerable they seem to become. Perhaps it is time to go back to the drawing board and review or redesign the defences!