SAN FRANCISCO -- Criminals are exploiting a combination of channels -- the Web, phone, mail, and brick-and-mortar -- creating challenges in tracking fraud and authenticating customers, financial services executives said Thursday in a panel discussion at the RSA Conference 2008.
"It's a little game of whack a mole," said Ian McGowan, vice president of IT at Bank of the West.
In some cases, a thief will collect customer information online and use it to phone in a banking transaction. Other times, a fraudster might phone a call center and use social engineering to reset a user's credentials and then go online, panel members said.
Cynthia Bohman, manager of cyberfraud risk and corporate security at Discover Financial Services, said criminals are opportunists who use whichever channel they can to make inroads. Sometimes, a seemingly minor transaction such as an address change made over the phone can be part of a larger fraud pattern, she said.
But adding more authentication to thwart fraud can be tricky; customers don't necessarily want to go through a lot of hassle to do their banking, panelists said.
Some customers want high-level security while others expect it to be transparent and don't want to be bothered, Bohman said. "You have to look at what customers are willing to do to balance security with access," she said.
Bohman said her company uses shared secret questions at its call centers and, depending on the level of risk associated with a transaction, will ask additional questions. But it chose not to use out-of-band authentication -- contacting a customer about a transaction through another channel -- because surveys showed customers didn't want it.
Authentication tokens help provide the visible security some customers want, said Andy Wen, director of security architecture at E*Trade Financial. "If you're at a financial institution, you need to see what's appropriate for your customer base," he said, adding that the company looks at new types of authentication.
McGowan said his firm is looking to add text messaging to its online banking system to alert customers of high-risk transactions.
"We're taking a broad look at our security strategy," he said.
Panelists said they're looking at the risks new channels such as mobile banking might bring. However, McGowan noted that they're actually easier to tackle: "With new channels, it's much easier to bake in security… The challenge is going back to traditional channels and retrofitting them."
Looking ahead, panelists said they don't see the problem of multi-channel fraud going away anytime soon.
"I see this problem getting more complex because we'll want to serve our customers in more ways… which means the attack surface is larger," Wen said.