September 21, 2005 12:55 PM PDT

EDS: Banks should shape up on security

Banks must improve security practices or risk losing some customers, IT services company EDS said this week.

The remarks follow a survey conducted for the company finding that almost a third of North American consumers would close all accounts and move to another bank if their personal data were compromised.

Another 10 percent of respondents said they would move just some accounts to another bank, and 55 percent said they would stop banking until the crisis were resolved.

"The results of this survey accurately reflect a common theme we are seeing in the industry," Jean-Louis Bravard, global leader of financial services at EDS, said in a statement Monday. The survey results were published that day.

"The act of protecting consumers' personal information is not only imperative to meet compliance standards but is essential in a financial institution's ability to attract and retain a solid customer base," he added. "Financial providers must rise to security challenges, or they risk losing their customers."

The survey of 1,424 people in North America, conducted by Ipsos Reid, found consumers recognized several risks associated with online banking. These included identity theft (81 percent), fraud (59 percent) and insufficient encryption of sensitive data (48 percent).

When asked what banks should do to improve security, 83 percent of respondents said they should obtain permission before releasing customer information to third-party companies.

Eighty percent of consumers cited convenience as the primary reason for online banking.

Dan Ilett of Silicon.com reported from London.

24 comments

Come on! Would you give your CC number to a cashier you don't know?!
Those same people who say they wouldn't continue working with a bank if they feel the encryption is not good enough or whatever will gladly hand over their credit card number and all the info needed to charge it to a clerk in a road-side motel, or to a cashier or gas station attendant. Or pay over the phone by giving their CC number + info to some unknown person that might make a copy of all the info and sell it over the net.

I had about ten thousand dollars charged to my CC by a website I don't know (that is registered by a company in Hong Kong according to whois). The first question the Credit company security people asked was if I made online purchases. Of course I did. And all those websites I checked and I trust at least as much as my bank's website. On the other hand I handed my CC to many people I do not entirely trust like gas station attendants in rural places. Most probably the breach of security was in one of those.

Anyway, the whole concept of giving a small amount of data that can be then used by anyone to charge the credit card is flawed. It might have worked in the past. The risks were small enough to be insured. But with the free flow of info on the internet organized crime can now make big business out of mass theft of CC info used to make a lot of small charges. Eventually insuring credit card fraud would become unprofitable and the business model would collapse.

The way it SHOULD be done is that the info handed over to a merchant so that the merchant can charge an account should not be universal, but rather should be usable only by that merchant (and preferably only for that one deal). So credit cards would eventually need to be replaced by small gadgets that are provided a code representing one transaction, and produce a code that allows the charge to be made for that deal (a hash made by the customer's paying device using the merchant's code, the sum to be paid, and the customer's card number). This kind of info would be useless for anything but completing one deal.
Posted by hadaso (468 comments )
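
The one-deal code proposed in the comment above can be sketched as follows. This is an added example, not code from the commenter or the article: it assumes the paying device and the card issuer share a per-card secret, and it uses an HMAC over the merchant's code, the transaction code and the amount in place of a plain hash over the card number. All class, function and identifier names are hypothetical and the sample values are constructed.

```python
import hashlib
import hmac
import secrets


def transaction_message(merchant_id: str, txn_code: str, amount_cents: int) -> bytes:
    """Length-prefix every field so two different deals never encode to the same bytes."""
    parts = [merchant_id.encode(), txn_code.encode(), str(amount_cents).encode()]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


class PayingDevice:
    """The customer's gadget: keeps the per-card secret and only emits one-deal codes."""

    def __init__(self, card_id: str, card_secret: bytes):
        self.card_id = card_id
        self._secret = card_secret

    def authorize(self, merchant_id: str, txn_code: str, amount_cents: int) -> str:
        msg = transaction_message(merchant_id, txn_code, amount_cents)
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()


class Issuer:
    """The card issuer: recomputes the code and refuses anything not bound to this deal."""

    def __init__(self):
        self._secrets = {}   # card_id -> per-card secret (assumed provisioning step)
        self._used = set()   # (card_id, merchant_id, txn_code) already charged

    def enroll(self, card_id: str) -> PayingDevice:
        secret = secrets.token_bytes(32)
        self._secrets[card_id] = secret
        return PayingDevice(card_id, secret)

    def charge(self, card_id, merchant_id, txn_code, amount_cents, code) -> str:
        secret = self._secrets.get(card_id)
        if secret is None:
            return "unknown-card"
        msg = transaction_message(merchant_id, txn_code, amount_cents)
        expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
        # Constant-time comparison; a code for another merchant or sum will not match.
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return "rejected"
        deal = (card_id, merchant_id, txn_code)
        if deal in self._used:
            return "replayed"  # the same deal cannot be charged twice
        self._used.add(deal)
        return "approved"


def demo() -> dict:
    """Constructed scenario: one honest charge, then three ways of misusing a copied code."""
    issuer = Issuer()
    device = issuer.enroll("card-0001")
    code = device.authorize("motel-42", "txn-7f3a", 5900)
    return {
        "first": issuer.charge("card-0001", "motel-42", "txn-7f3a", 5900, code),
        "replay": issuer.charge("card-0001", "motel-42", "txn-7f3a", 5900, code),
        "other_merchant": issuer.charge("card-0001", "shop-hk", "txn-7f3a", 5900, code),
        "higher_amount": issuer.charge("card-0001", "motel-42", "txn-7f3a", 590000, code),
    }


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

A code copied by a clerk is tied to that merchant, that transaction code and that sum, so the issuer rejects it anywhere else and refuses it a second time for the same deal.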
Heads firmly buried in the sand
I indulge the practice of trying to forward "phishing" emails to the banks they spoof, figuring the banks should be interested in having them to dissect and use to go after the bad guys. Wrong! All of the banks I've looked up so far go to great lengths not to have email addresses listed on their web sites that material could be forwarded to, and more than half make the silly suggestion of making complaints to the FBI or FTC instead of them. Banks don't get it, have their heads firmly buried in the sand, and will do nothing to protect themselves from these threats until they are bitten raw by the cybercrooks.
Posted by Razzl (1318 comments )
American IT and national security
MUST reading for those who care about the future of American IT and our national security: http://www.alexanderbell.us/Initiative/IT.htm
Posted by 207796398873175208235380528963 (53 comments )
Why would they bother!
Cynically, as in any financial institution, when you dissect the balance sheet, losses from poor lending practices far exceed the value of funds lost from frauds and forgeries! Besides, why bother spending money to upgrade levels of existing insecurity, when you can pad everyone's bank fees and charges to compensate a/ for bad lending b/ for fraud! On this basis, most if not all banks exploit their customers by paying below market interest rates on credit funds held, and then turn around and charge better than 150% of the real costs and charges whilst maintaining the cheapest systems possible. They don't care, as these fees and charges, together with interest on your hard-earned cash, more than amply compensate for these frauds!
Posted by heystoopid (691 comments )
Because it's our money...
The banks make trillions on our floats and the name of the game is security. Why do they have marble floors, columns and vaults if a 13 year old from Russia can steal all my cash?

It is the social contract. I give you my money and you hire sufficient security and insurance to hold my money or why bother.

These debit card giants, little though it be known, are bank syndicates and why should they escape what my credit union or bank does.

In fact since the security is there mandated by other nations and now by the US through the FFIEC, they should be leaders in stopping crime and not admitting oh there is nothing we can do.


Then give me my money back and let us consumers support whoever can do it right. This year it is either put up or shut up. That is what I think. Ciao now.
Posted by Iohagh (54 comments )
I know banks don't care but guess what I do and it's my money.
They don't care. OK you are right they don't but know what I do care and it's my money.

Look at this as a business. There are only two realities. Customers and profits. If we customers could license the technology directly and they are not bright enough to protect my money, guess what I am.

I will research and research and find where everyone is going to be in a year after FFIEC guidelines and you know what I will be there this year while everyone else is crying about we cannot do anything.

In England my Mummy and Grams are part of that movement that forced the UK to modernize its system years before the US and the US has the technology and patents on this granted 3 years ago.

I am tired of Canards, lies appearing as truth and advertisements saying we guarantee your credit but not your debit assets in small print. I give up on them but I haven't given up on me.

Sorry for the rant. That's what I think. Ciao now.
Posted by Iohagh (54 comments )
Which Banks are Vulnerable
It's very easy to write a story and say "Banks are at Risk for Losing your Money". What is much more credible and helpful is to name the Banks! If people know which banks are at risk, they can then pressure the individual banks to clean up their act or leave and go to a bank that is more careful with their depositors' funds.
Posted by (11 comments )
If Visa and MasterCard admit to failure then all banks are at risk too
I read on the news wires that Visa and MasterCard admit they are losing the battle to cyber scammers. Added to what is being admitted here we have to decide is e-commerce viable today.

The problem seems to be too little security was done too late and systems were designed around economies, logical for banks, without realizing the cost of security being spread out globally with different platforms all of which have different back doors for thieves to plant viruses even inside the bank's systems.

However a unified global solution is on the table. Everyone needs the US Senate to authorize the Cybercrime Treaty the European Union put forward. Both Taiwan and Beijing signed it already. Hong Kong, Beijing, or Asia is where many of the servers doing the bad stuff come from.

With this format, police can stop and track these cyber scammers down and shut them down permanently. Permanently is a loose term since robots or piracy of machines means they may be in Jersey while directing attacks in South Africa.

Then, consumers need to have mandated that not only the US Government as the Privacy Act states uses top authentication like Dept. of Commerce level 4 multi-factor authentication with offline swipe device but that the same top protection be given to consumers so that confidence in e-commerce comes back.

That is all I have to say.
Posted by (66 comments )