As if we needed yet another one, the cyber attacks that hit six major U.S. banks in September are a wake-up call.
Customers at Wells Fargo, Chase, Bank of America, U.S. Bank, PNC and Citigroup found online connections erratic and sometimes account information unavailable. While funds were safe, anxiety was high – not the feeling banks want to cultivate among clients. The financial service’s “sector threat level” was still perched at the “high” ranking, even in early October, according to FS-ISAC, the Financial Services Information Sharing and Analysis Center .
“The internet offers us tremendous promise for benefits to our society, in terms of innovation and ability to share information and ideas,” said Suzanne E. Spaulding, Deputy Under Secretary for the National Protection and Programs Directorate for the U.S. Department of Homeland Security during the SIFMA Cybersecurity Symposium in New York earlier this month. “But we can only realize the ultimate potential of that tremendous benefit from the Internet if we have appropriate cyber security.”
Financial services firms, of course, face a difficult choice. The options to beef up internet security – which everyone says they are for without reservation – can sometimes run up against the desire to create “convenience” for the customer; account access anytime, anywhere, on any device; easy navigation on website among different accounts and personal information; allowing personal finance tracking sites access to bank, brokerage and loan accounts with ease.
Financial advisors and reps of course can face attacks even from even consumer sites, such as an email portal. A threat doesn’t have to be a potential attack aimed solely at their custody or clearing firm, or their platform, to damage either them or the client. In the past year, 46% of adults who use online platforms or products fell victim to a cybercrime; global costs in conjunction with these attacks reached $110 billion, according to security software maker Symantec’s annual Cybercrime Report .
In reaction, more consumer sites, including those popular with independent FAs like Gmail and DropBox, are now encouraging users to use a security measure called “two-factor authentication” that strengthens the protection of their data on these platforms. Adoption has been slow, however, because of the convenience factor.
“If I surveyed the consumer masses of Gmail and Dropbox users, my guess is not a whole lot are using this,” says Eric Ahlm, research director of the security team at Gartner, Inc. “As far as two-factor authentication being used as a good thing, there is an educational barrier.”
To help understand two-factor authentication, consider this: One-factor authentication is normally what people consider their password. You type a code into a box, giving you access to data, email or accounts. But now many financial institutions, from Visa to PayPal, are using a two-factor authentication; Once you enter a password, there’s another barrier. Sometimes this is a code sent to a mobile device — which changes as often as you log-in. In these scenarios, users would need both their password and cell phones stolen to be in danger of being hacked.
E-Trade adopted the security process with high net worth clients as part of a trial project in Atlanta and saw deposits grow because clients felt more secure, Ahlm said. And with good reason: Two-factor authentication makes it much harder for someone to hack your account.
Yet financial service firms walk the tightrope between customer convenience and tight security. The move to two-factor authentication is slow in part because of concern that users would not tolerate delayed access to their data.
“There’s an impact to the user experience,” says Ahlm. “How does the user engage with the device (or the page)? Over one second? Twenty seconds? Do they need two hands? One hand? Can it be done while walking? Unless they see a big benefit, they’re going to choose single-factor.”
One positive outcome from a reluctance to subject customers to any inconvenience when accessing accounts? Cyber security teams will have their future employment assured.