Banks are not doing enough to protect customer data

Last week’s FSA report on Data Security in Financial Fraud criticized UK banks and financial services for failing to effectively identify and mitigate the risks to customer data. However, much of the subsequent commentary has focused on criticism that covers only one aspect of the problem: the danger of information being lost by the banks, either physically misplaced or through a lack of security of their data networks. The FSA report shows quite accurately how banks should work to prevent this. In particular, it talks about a multi-layered approach to security.

Tim Thompson, Managing Director of 41st Parameter UK & EMEA, argues that the FSA report is a good beginning, but does not go far enough to protect the customer.

A bank’s responsibility for multi-layered security is not limited to what happens inside the bank. Data can be phished from other sources, and banks have a duty to protect the integrity of their clients’ data. Many banks are already responding to the gravity of this risk by adopting a wider multi-layered approach to protecting customer data, working with their partners to take data security to the ‘point of transaction’.

Whatever the approach of the fraudster, there must always be another barrier in the way. For example, beyond the initial firewall, additional password and encryption barriers, combined with real-time tracking capabilities, can identify devices that were initially refused admission to a site but have changed their identity to try to gain access. Studies have shown that it takes fraudsters a matter of minutes to do this.

Here, Client Device Identification (CDI) is an extremely valuable anti-fraud tool that helps identify suspicious transactions by capturing and identifying device characteristics during the login process. It adds new layers and strength to a company’s security without changing the user’s behavior, without leaving tags on the device and without ‘showing your hand’ to the fraudsters.

Banks can put every procedure in place to stop identity theft taking place; however, fraudsters are continually innovating to render new anti-fraud systems redundant. Sadly, this is the reality of the industry, and if data loss does occur, banks have to play a significant role in ensuring that the data cannot be used if it ends up in the hands of fraudsters.
