U.S. Banks Short-Change Authentication, Security Experts See Channel Opportunity

When it comes to online banking and information security, Europe is decades ahead of the security provided by banks in the United States, according to Roel Schouwenberg, a founding member of the Anti-Malware Testing Standards Organization (AMTSO).

“When you look at banks in the United States, all you have to do to log on is to provide a username and a password, or maybe you'll have a secret question if you log on with a new computer for the first time,” said Schouwenberg. “But those kinds of things can easily be phished, and the security in place won’t even stop slightly sophisticated malware.”

Schouwenberg, who is also a senior anti-virus researcher at Kaspersky Labs, points to the use of tokens like SecureID or enhanced mobile authentication as two reasons why the European banks are ahead of their U.S-based counterparts.

[Related: Kaspersky Summit Rising Risk ]

“Hardware tokens are pretty effective,” he said. “They provide each customer with a unique token that is linked to their account, and then the customer needs to enter some number presented on the banking website, so there is a challenge and a response happening. This will vary from session to session and involves a cryptographic response. All of this fights phishing, and also your average piece of malware will likely be defeated because the challenge happens dynamically.”

Other examples include moving ATM cards and credit cards away from the magnetic strip, in favor of cryptographic EMV chips, which are more difficult to skim, nearly impossible to clone and include a pin code that beefs up security. This strategy has become increasingly prevalent in Europe, and Schouwenberg says many businesses in his native Netherlands no longer accept cards with magnetic strips.

Schouwenberg added that this situation is not only perfect for hackers and malware providers. It also presents a solid opportunity for channel partners to differentiate themselves by coming to the table with stronger online security offerings.

“Doing this sort of thing would definitely save the banks money,” he said. “But the U.S. is much more service-oriented than Western Europe. So for the vast majority of financial institutions, the user experience is seen as more important than security. So it can be very hard to convince top management that security can be used as a competitive advantage, which is what happens in the Netherlands. But in the United States, financial organizations believe the majority of their customers would not accept multiple challenges. And this presumption is going to make the United States a skimming hotspot.”

NEXT: Security Experts Turn To The Channel For Solutions

Jim Porter, CEO of OPIMA Enterprises, a Philadelphia-based partner that works with community banks, echoes the point of view of Kaspersky's Schouwenberg.

“There is some concern, although I think it’s more likely to be an issue at the community bank level where the resource levels are lower,” said Porter. “And the primary concern does focus more on customer experience than on security. So if we were to discuss adding security features like SecureID, those discussions would probably not go very far.”

Porter added that the most immediate security improvements could be made through edge routing, but he says, in many cases, the banks don’t even want to invest at that level.

“What needs to happen is for the government, the American Bankers Association, and the major technology vendors to get together and work out solutions,” said Porter. “Without that kind of leadership, most of the banks are just trying to meet minimum requirements because that’s what looks best on the balance sheet. In Europe, the governments got involved and established a commitment to stronger security. But this is free enterprise. Everyone is on their own.”

Meanwhile, Kaspersky’s Schouwenberg continues to look to the partners: “I definitely think there is a huge opportunity here for the channel,” he said. “Security can definitely be a competitive advantage, and the partners need to be up-front in making that case. If I could find a bank that would give me the same level of security that I can find in Europe, I would definitely switch. When I log onto my account, I mostly have to hope for the best. That's not a good situation.”