In an interview by Tom Fields of Bank Info Security, Matthew Speare, SVP of IT for M&T Bank, talks about a painful truth regarding inflicting pain on cybercrooks who steal from banks: You’ll never be able to beat them. The best a bank can do is make it so painful for the bad guys to try to steal from your bank that they decide to “go down the street” and pick on a 98-pound weakling of a community bank that thinks “multi-factor authentication” means having a password stronger than your social security number.
Other participants in the interview are Christopher Paidhrin, the IT security compliance officer at PeaceHealth Southwest Medical Center, and Elayne Starkey, the CSO for the State of Delaware. Among the new authentication technologies that they discuss are “biometrics,” including iris scans, voice recognition, and fingerprint and palmprint identification techniques. Speare also discusses “soft” tokens as something his bank has experimented with as an alternative to the traditional “hard” tokens. Many of those technologies have been around for a number of years, and in the health care and governmental fields they appear to be gaining acceptance as part and parcel of daily life. That also seems to be the case with authentication technologies that are employed by bank personnel and do not directly impact bank customers.
Speare, however, discusses a problem with the use of such “cutting edge” authentication techniques by bank customers: “the end user experience.” He asserts that password-based authentication has become so ingrained in the minds of bank customers, even business customers, that adding further requirements to the authentication process that slow down or otherwise impede the customer in the performance of banking transactions becomes an issue: bank marketing and customer relationship personnel begin to push back, as their customers squawk the way we used to squawk to our mothers when we were little kids. “Why do I have to do this? None of the other kids’ mothers makes them do it!”
Here’s my not-so-novel suggestion: spend more time thinking about how to educate your customers as to the benefits of these new techniques and to “sell” them on those benefits, rather than moaning to bank security officers about customer resistance. You could even invite them to a free lunch or cocktail hour seminar at which your favorite lawyer and/or IT security expert could elevate their collective consciousness to a higher plane. Yes, this is more work than simply resisting change and increasing risk to both bank and customer, but we’re now well into the second decade of the twenty-first century, and the criminals are ahead of the banks and so far out ahead of the customers that they’re in danger of actually lapping them, so maybe it’s time for everyone to at least try to power on up the sophistication curve. An added benefit is that you could use those sessions to fulfill your duty under the 2011 FFIEC Supplement to its Online Authentication Guidance to educate your customers about how to better protect themselves in a cruel online banking world.
What do you say?