As the variety and complexity of online banking offerings increase, many offerings are also fast becoming targets for unauthorized activities, which exploit the nature of online banking services and the flaws in the systems that host the applications and platforms used to offer these services.
Each of the three areas of online banking offerings can be vulnerable to tampering. For example, a bank’s Web site can be hacked and contents on the Web sites modified, which means that the integrity of the Web sites as sources of information has been compromised. Fraudulent e-mails can be sent to bank customers, notifying them that their accounts have been compromised, which undermines a bank’s use of e-mail as a communications channel with its customers. Furthermore, many of these fake e-mails often provide links to spurious Web sites that look strikingly similar to the bank’s Web site. The intention of the phony Web site is to extract information from the bank’s customers so that the information can be used later to access their accounts or to commit other acts of identity theft.
A number of security breaches related to online banking have occurred since the late 1990s, when an increasing number of bank customers began to take advantage of such offerings from their banks. The most common information security breach is associated with e-mail fraud in which customers are requested to reactivate their online banking accounts and thus reveal sensitive personal and financial information. Cases of e-mail-related fraud have been on the rise. In 2003 alone, customers of Citibank, Wachovia Bank, Bank of America, and Commonwealth Bank of Australia were targeted by e-mail scams. However, some online banking security breaches are the result of banks offering their services without fully testing their systems. For example, in 1999, X.com Bank, which is a division of First Western National Bank, unintentionally allowed its customers to transfer funds from any person’s account in the country into their online banking accounts as long as they had that person’s account number and routing number.
These security breaches are undermining the confidence of many bank customers in online banking services. According to a June 2003 report from Tower Group, concern about security is the number one factor that kept many bank customers offline. In addition, banks are also more concerned about information security breaches as online banking transactions have become more complex and involve increasingly higher account values. Although bank customers have always been concerned with confidentiality, even in the pre-electronic era, the advent of automated teller machines (ATMs), voice response units, and other self-activated technologies has perpetuated an increasing concern about the loss of financial wealth and the loss of identity. Of foremost notoriety and concern is the loss of identity, or “identity theft.”
Until recently this threat, or rather its urgency, was seldom emphasized. However, with the proliferation of e-commerce and the expansive electronic access and transmission of data prevalent today, the opportunity for theft of critical customer information (i.e., social security numbers) has become of paramount concern to customers. In addition, other sensitive information, such as account information, has also become a major concern, especially in light of the amount of online shopping and online business transactions occurring today. The final, and maybe the most obvious, events that have heightened customer concern over the protection of their information are the Y2K scare and, of course, 9/11. These two independent events alone have raised the attention level to its present state.
Banks, on the other hand, while sharing the concerns of customers, have a more expansive set of issues and focuses. As financial institutions, banks are considered fiduciaries with respect to their customers. As such, they are not only privy to a wide range of sensitive customer information, but also to information that is important to the functioning of the bank. In addition to expanding legal liability on the part of the board of directors for the protection of such information, banks also have an obligation to their shareholders to establish the controls and mechanisms which will protect client information. In this regard, banks’ information security concerns are far ranging, encompassing a large volume of both internal and external threats that have the potential to compromise their ability to protect customer information, and are an ongoing concern.















