U.S. Based Banks Complacency Toward Identity Theft
Solutions Causing a National Security Threat
U.S.
Banks are already to late to make the required
security upgrades required by the FFIEC.
(PRWEB) September 6, 2006 -- The single largest
national security threat is a terrorist attack
on our banking system. An attack aimed simultaneously
at millions of username and passwords within banking
would shut down our banking system. This would
ripple out into the free world almost instantly
shutting down banks worldwide. Credit/debit cards,
checks, calls to the bank, would not work for
at least a matter of days causing tremendous hardship
and ripple effect from no gas to "I simply
have to take this baby food." Anarchy would
reign and people would fight and people would
die. After that millions would not trust banks
or our banking system and we would revert to a
cash based society causing irreparable harm to
our entire way of life. People would revert to
keeping cash under the mattress and we would be
back in the great depression era of 1929. "Simply
put, easy to accomplish with the current single
factor security (user name and password) at banks
online for any terrorist organization, even from
a cave in Pakistan." says Paul Gerstenberger,
a cyber security expert with Authenticol Systems
of Boulder, Colorado. Banks in this country and
even our government are not taking this threat
seriously enough and the wheels of bureaucracy
are putting us at an extreme level of vulnerability.
$50 Billion Dollars per year being lost to Identity
Theft according to the FTC and increasing by double
digits each year. This huge yearly loss is going
directly to International terrorism and Organized
crime. What makes us believe they could not hit
us all at once?? Banks are allowing it to happen
rather than comply with Federal regulations to
greatly increase online banking security by the
end of 2006. Not a single bank has complied..why.because
they would quite simply rather not change anything
for the consumer..not even to increase security.not
even to stop terrorists from getting our money.
The simple fact is that when identity theft strikes,
banks simply write it off to the consumer and
the taxpayer through insurance and the FDIC.
CBS Evening news reported on August 23rd that
"Foreign banks adopt stricter security requirements
but U.S. Banks resist. "
Internet banking is a convenient way to conduct
banking transactions. Today most international
based banks have been proactive in implementing
higher security for their customers including
the implementation of multi-factor security systems.
The question is why have US based banks resisted
implementing available technologies to protect
the US consumer. The FFIEC that regulates the
FDIC insured banks has mandated that all US based
banks implement higher security before the year's
end which is 120 days away. The letter entitled
Authentication in an Internet Banking Environment
states that banks must implement a security technology
to all their consumers that use online banking
and must meet certain issues as described within.
With only 120 days left, the guidelines can not
now be met by any US bank before years end.
Current solutions that have been implemented by
a few banks are not compliant with federal regulations
such as SITEKEY with Bank of America. The solution
has been riddled with problems and blatantly does
not meet federal regulations set forth by the
FFIEC by using personal information to authenticate
such as mothers maiden name. It also does not
meet the definition of multi-factor security,
mutual authentication and customer education.
A huge vulnerability was recently exposed by Sestus
data corp.
Another example is CitiGroup's implementation
of One Time Password tokens for their high net
worth customers. This technology is highly impractical
for use on a wide customer basis and still does
not answer the primary problem of phishing as
evidenced by a number of breaches. FFIEC regulations
require that all online users be protected. One
Time Passwords also do not meet the definition
of multi-factor security.
The underlying vulnerability to consumers is that
they cannot tell whether a bank site is real or
fake (phishing). The guidance is written to address
this issues that ultimately assumes correctly
that single factor security ie. Username and password
credentials are extremely vulnerable.
Authenticol Systems of Boulder Colorado seems
to have the only solution that meets the FFIEC
guidance and properly addresses the primary issue
of phishing as well as could be implemented to
a large number of U.S. banks before the end of
the year. This monumental task is actually possible
with the C.O.B.R.A. (Commercial Online Banking
Restricted Access) Toolbar solution because it
requires almost no bank side integration and is
inexpensive to implement system wide. "It
is the world's first real mutual authentication
system" says a company spokesperson.
The C.O.B.R.A. system actually exceeds the FFIEC
regulations because it not only protects users
at the banking site but also beyond. The system
properly defeats both phishing and pharming and
meets the criteria for ease of use, consumer education
and is a control that properly mitigates the risk
of banking transactions online. This solution
is currently available to U.S. banks and while
several large ones (Citigroup and J.P. Morgan
Chase) are currently looking at adopting the system
it seems as though the bureaucratic red tape is
dragging on and as it does more and more Americans
are put at risk.
The FFIEC, ABA, NCUA, FDIC and many other banking
organization have ignored the call to implement
higher security by not just Authenticol but other
security venders as well. A progress report conference
participated in by the FFIEC and ABA resulted
in only 30 out of over 35,000 working towards
compliancy.
The big question is still why are banks continuing
to be complacent and continuing to put us at risk?
One possibility is simply that banks profit on
identity theft as well by advertising internal
"perceived" security solutions to gain
customers from other banks. These systems advertise
security while only delivering insurance or calls
to your credit agency and are not really protecting
customers previous to an identity theft at all.
According to a study done by EDS corp. of Plano
Texas 38% of Americans would switch banks for
a "perceived" increase in security which
gives banks have a good reason to drag their feet
when it comes to a real security solution.
This country seems to only allow change "after"
a crisis, such as was the case with airline security
after 9/11. Let's hope we are not too late already!
AUTHENTICOL SYSTEMS
Contact: Paul Gerstenberger
Phone: 303-245-0001
Website: www.authenticol.com