“Don’t mistake activity with achievement.”
— John Wooden, former UCLA basketball coach and 10-time NCAA Basketball Champion
Financial institutions (FIs) aren’t safe either: Global Payments (processor for Visa and MasterCard), Bank of America, Citibank, JP Morgan, and Fidelity National Information Services all suffered data breaches recently. Hundreds of millions of dollars stolen and boatloads of personal data exposed to criminals.
Companies, especially FIs, are not doing enough to safeguard sensitive information. FIs scramble to buttress their systems to thwart attacks, while criminals easily elude the safeguards.
If you shop online your information could already be on a hacker’s hard drive, waiting to be bundled and sold to another criminal, making you vulnerable to identity theft and other crimes.
The protection plans offered by credit card companies and FIs do provide additional protection. But, it isn’t enough, and why would consumers pay for safeguards that should be provided automatically? Especially when the “safeguards” aren’t really all that safe.
EMV (Eurocard, MasterCard, Visa) (covered on this blog) would be a step in the right direction, erecting additional layers of protection between FIs and hackers. EMV has been adopted by most of the world, but not in the U.S.
EMV replaces the magnetic strip on cards with a microchip used for authentication and encrypts the information during the transaction, making it more difficult for thieves and card skimmers to steal. Security is further bolstered when used with a PIN or signature. It is by no means a panacea.
Retina scans and fingerprints could also thwart criminals. Those systems require expensive investment in hardware and new software to support them. FIs and their customers should implement anything that makes it more difficult for hackers.
Dual-factor authentication (2FA) is another, more feasible, option. It adds another level to the standard password login. The FI would send a code via text message to one’s mobile phone, which then is entered by the user to execute the transaction.
Ninety-one percent of Americans already have a mobile phone, according to Pew Research. Convenience alone makes 2FA via text message a logical solution.
Sending out text message codes would require investment in software, but the cost would be meager compared to implementing a scanner or other hardware solution. Twitter, Google and Facebook already support 2FA as an option at login. It should be made mandatory.
2FA has been around for decades but never took hold. If a mobile phone was compromised though, it would carry frightening ramifications. And transactions are still susceptible to Trojan horses, Man-in-the-Middle attacks, and other malware. In fact, all computers are vulnerable to these types of attacks.
Tokens like RSA’s SecurID, 1Password, Toopher, YubiKey and the like that provide one-time passwords have weak points as well, which can serve as gateways for criminals. If breached, they would expose all users’ passwords at once. Not good, and hardly safe.
So what’s the answer?
Disappointingly there isn’t one that ensures total protection in all situations. Hackers are clever and will continue to exploit weaknesses in any, and every, system.
2FA is easy to implement with current technology and is a formidable additional security layer.
Coach Wooden said, “Do not let what you cannot do interfere with what you can do.” FIs need to heed this advice.
About David Sutton: David has a BA in economics and a MS in business journalism, and his articles have appeared on Forbes.com and in the Boston Business Journal. David has had a bank account since he was three.