Last summer, I gave a talk about online banking:
http://www.aipsi.org/eventi/download/agenda_issa_rome_2007.pdf (PDF)
After the talk, a CSO from a major bank came up to me and said, "Great presentation, but you missed one key thing: banking online is safer than banking offline."
Seems counterintuitive, doesn't it?
Banking online can be scary because:
1) Hackers have global reach. If you're doing offline banking in California, you only need to worry about bad guys in California, for instance the customers and employees present in your local branch. If you're banking online, anyone in the world could attack you and your assets.
2) Automation. In the physical world, attackers are limited by their ability to manipulate physical items, like making an extra copy of your account number. In the online world, attackers are essentially unlimited in the resources they can bring to bear.
3) Online security is opaque to the end user. People who aren't particularly tech savvy have a tough time differentiating between good online security practices and bad online security practices. Security in the physical world is much more intuitive for most people: keep your checkbook in a safe place, or don't let someone peek when you are entering your PIN.
How can someone argue that online banking is safer?
The first issue: what is the root cause of financial fraud? According to the 2007 Javelin online banking security report (PDF), more than three-quarters of fraud actually comes from offline factors. As the chart below highlights, physical means of exposing personal information are the most common. Online methods, such as spyware or phishing, accounted for significantly fewer breaches. The leading factors are under the consumer's control: lost or stolen wallets, credit cards, checkbooks, or friends and family.
The second issue: self-detection. If consumers can detect someone sucking money out of their account, then the fraud amount is usually smaller. As the fraud survey noted, almost half of fraud discovery continues to be done by consumers, who as a group average quicker times to discovery and lower fraud amounts. If consumers can spot incorrect activity faster, there's less fraud. The Javelin report also highlights that if a consumer uses electronic monitoring, the average time to detect a problem is 22 days, whereas it's only 12 days longer if you receive a monthly statement via snail mail.
The third issue: fraud size. According to Credit Union.coop, the median online fraud is $195. For offline fraud, according to Javelin, the average consumer fraud cost is $422, nearly double the online average.
What the numbers don't tell you
A short history of online banking might be useful. The first bank in the world to offer online banking was Wells Fargo in 1995, and it sparked a mad rush to get onto the Internet by both competitors such as Bank of America and upstarts like e-Trade. In the early days, security took a back seat to release dates. The flurry of negative headlines from this period illustrated the consequences of putting security on the back burner. While the banks were down, they weren't out. As Andy Grove said, "A fundamental rule in technology says that whatever can be done will be done." So what did they do?
The banks realized something basic: if the banking infrastructure or software applications are compromised, then every account would be compromised. Or, "It's the application, stupid."
The strategy of locking down the applications paid off as evidenced, ironically, by the rise of phishing. Since direct hacks against banking systems became very difficult, cyber criminals resorted to phishing consumers with dubious emails. While phishing schemes are a growing, major problem today, they pale in comparison to the potential impact of the breach of core systems. And here's the paradox that most people miss: phishing forces the hacker to follow the slow, painful process of compromising accounts one at a time.
Could online banking be like flying? Statistically it's safer; it's just psychologically scarier.
To learn more about how online banking became more secure, read Fortify's whitepaper.