Benjamin Ensor, a senior analyst at Forrester, said:
"Consumers' deep-seated security fears remain one of the biggest
barriers to on-line banking use in Europe, particularly in
countries like Italy, France, and the UK, where
two-factor online banking authentication is rare or unknown. The
more confidence net users have in security, the more likely they
are to bank on-line."
To understand how security fears affect internet users'
adoption of on-line banking, Forrester asked 22,907 Europeans how
concerned they are about the privacy and security of their personal
details in a range of situations.
Net users who worry about on-line security don't bank on-line,
according to the research. Just 30% of European internet users are
confident of the security of personal financial information, like
credit and debit card numbers, when used to make transactions
on-line. That matters, because net users who are confident of
on-line security are four-and-a-half times more likely to use
on-line banking than those who are not.
Forrester found that two-fifths of the European net users who
don't use on-line banking said the reason is that they worry
about security. Worse, security fears don't just keep some
consumers from signing up for on-line banking – they cause some
existing on-line banking users to stop.
Many consumers think on-line banking is less safe than paying
by card in a restaurant. The majority of consumers in Germany,
Spain, Italy, France, and the Netherlands are less concerned about
paying by card in a restaurant than about using online
banking.
And Forrester believes internet users won't overcome their
security fears without help from the banks. Banks can't rely on
governments or ISPs to make the internet a
safe place to do business – and they can't rely on their customers
either, says the research firm.
Despite their security worries, many net users don't take
basic security precautions. So banks must both allay net users'
fears and take measures to compensate for their inaction. Banks
should look to educate net users about security precautions, says
Forrester, and not let usability fears compromise security. Banks
should also deploy or strengthen two-factor authentication
urgently, and collaborate rather than compete on security, it
suggests.
What is two-factor authentication?
To sign in to most on-line banks, a user is asked for
information that he knows, such as his user ID and
password, and sometimes his mother's maiden name. Many phishing
scams exploit this with relative ease: a phishing e-mail lures a
recipient to a web site that purports to be his bank's site, where
this information is requested. That information is then fed by
criminals into the genuine site of the victim's bank.
Two-factor authentication adds another layer of security: the
user is asked for something he knows as well as something he
possesses (such as a device that displays a unique password that
changes every minute); or something he is (using biometrics, such
as a fingerprint or iris scan). Such added security is rare in
consumer banking.
Limitations of two-factor authentication
While two-factor authentication may handle basic phishing
attacks, the nature of the attacks has evolved. In a recent article
on the subject, security expert Bruce Schneier says two-factor
authentication simply won't defend against phishing.
Schneier, who founded Counterpane Internet Security, describes
the criminals' new toolbox – featuring Trojan attacks and
Man-in-the-Middle attacks. He concludes:
"I predict that banks and other financial institutions will
spend millions outfitting their users with two-factor
authentication tokens. Early adopters of this technology may very
well experience a significant drop in fraud for a while as
attackers move to easier targets, but in the end there will be a
negligible drop in the amount of fraud and identity theft."
"We already see smart Trojans and man-in-the-middle attacks
bypassing authentication technologies that, until recently, were
perceived as silver bullets", adds Uri Rivner,
VP International Marketing for Cyota, a
company that specialises in solutions to online fraud at financial
institutions. "Even if you come up with something that looks like a
silver bullet, you might find that it's pretty difficult to hit a
moving target".
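The token scheme described under "What is two-factor authentication?" and the limitation raised above, seen from the bank's verifier, as an added example that is not part of the original article. It assumes the HMAC-based one-time code construction of RFC 4226/6238 with a 60-second step (the article names no algorithm); `BankLogin`, the secret, the password and the clock value are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds; the article's token "changes every minute"

def one_time_code(secret: bytes, now: float, digits: int = 6) -> str:
    """Code for the time step containing `now` (RFC 4226 dynamic truncation)."""
    counter = int(now // STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class BankLogin:
    """Hypothetical bank-side verifier: password plus a single-use timed code."""
    def __init__(self, password: str, token_secret: bytes):
        self._password = password
        self._secret = token_secret
        self._last_step = -1  # highest time step already accepted

    def password_only(self, password: str) -> bool:
        return hmac.compare_digest(password.encode(), self._password.encode())

    def two_factor(self, password: str, code: str, now: float) -> bool:
        step = int(now // STEP)
        if not self.password_only(password):
            return False
        if step <= self._last_step:
            return False  # a code for this step was already used: replay
        expected = one_time_code(self._secret, now)
        if not hmac.compare_digest(code.encode(), expected.encode()):
            return False
        self._last_step = step
        return True

def demo() -> dict:
    secret, pw = b"constructed-demo-secret", "constructed-password"
    t0 = 1_000_000_020.0                # constructed clock value
    typed = one_time_code(secret, t0)   # what the customer reads off the token
    bank = BankLogin(pw, secret)
    return {
        # A password harvested by a fake site still works a day later.
        "stale_password_accepted": bank.password_only(pw),
        # The harvested code is useless once its minute has passed.
        "stale_code_accepted": bank.two_factor(pw, typed, t0 + 86_400),
        # While fresh, the code proves nothing about who is presenting it.
        "fresh_code_first_use": bank.two_factor(pw, typed, t0 + 5),
        "fresh_code_second_use": bank.two_factor(pw, typed, t0 + 10),
    }
```

The verifier rejects late and repeated codes, but the first presentation inside the valid minute is accepted whatever path it took to reach the bank, which is why the article's sources call for further lines of defence behind authentication.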
And on-line fraud is indeed a rapidly moving target. Today's
on-line criminals have greater capabilities, technologies,
resources and motivation to conduct on-line fraud, resulting in
wave after wave of new, innovative on-line attacks. They tend to be
faster than the large financial organisations, not bound to
policies and procedures.
"If the threats are highly adaptive, you need to think about
building an adaptive defence mechanism", says Mr Rivner. "This
means building multiple lines of defence: starting with solutions
that neutralise specific fraud sources such as phishing or pharming;
through stronger authentication solutions that can adapt to new
threats; and finally, an on-line fraud detection solution that can
monitor and manage the fraud that slips through the previous lines
of defence".