loose wire blog

Is phishing beginning to take its toll on banks?

It's been my belief for some time that this is, or would be, the case. Banks have seen the Internet as a cash cow and have been over-eager to milk it without realising that it's not just a way to grab more customers and slice overheads. The Internet is a world unto itself, with its own rules, its own technologies -- and its own scams. Banks and the Internet make sense, but not if banks think that an online department can be set up in a few weeks and staffed by a few sysops.

That's why phishing is such an important wake-up call. It's the first seriously clever scam that online banking has faced, and banks -- and other institutions -- have done a very poor job in responding to it. Sure, they're beginning to now, but not after anything between $500 million and $5 billion has been lost to phishers. Whatever the figure, some folk made some serious money out of phishing, which means that Internet-based financial crime is going to be the main attraction for every criminal with half a brain from here to Archangel.

Which is where a new survey, reported by this month's American Banker magazine (subscription only), comes in.

The article says that "nearly 30% of respondents to the 2004 American Banker/Gallup Consumer Survey said they think a bank has violated their financial privacy. That is the highest level since the question was first asked in 2001 and "a statistic you want to pay attention to," said John J. Byrne, director of the American Bankers Association's Center for Regulatory Compliance". The article goes on to say: "A possible explanation for the increased perception among consumers that banks have violated their privacy may be the rising incidence of sophisticated identity-theft operations such as "phishing," say experts."

Of course, banks are going to say it's not their fault: "Peter Cassidy, secretary general of the group, said that it is common for victims of phishing attacks to blame their financial institution for the loss of their personal information, despite the fact that the company had no involvement in the scam." Of course banks are involved, in the sense that they did not heed the problem when it first appeared more than a year ago, but let's not dwell on that. The bigger problem, the magazine says, is maintaining customer trust. "Dollar-for-dollar, the loss of customers' trust that a bank is a safe place to put their money is a potentially bigger deal than all of the money people have lost to phishing attacks so far," Mr. Cassidy said.

While the article swings between the idea of privacy as in releasing information to third parties for marketing purposes, and privacy as in "why did you let someone steal all my money from my account?", to me the problem is pretty much the same. Any institution that plays fast and loose with your data -- by letting third parties email trying to sell you stuff, to banks that see their online services as another way to flog more services (two banks I deal with try this, one by having lots of rubbish on their logout page that confuses the user who is looking for certainty they've logged out -- admittedly better than a few months ago when they had a message along the lines of 'you've logged out but you haven't logged off' along with a picture of a palm tree and an offer of travel insurance -- while another forces me to sit through an ad for special interest deposit accounts while I call their helpline via an IDD call) -- any institution that does this kind of thing is of course going to score low with the customer. "Is my bank spending time protecting my assets or trying to sell me more snake oil?" would be a reasonable question to ask in the face of this marketing onslaught.

I think banks are going to lose customers if they can't figure out ways to make online banking more secure. And it's not just about educating users, although that's part of it. It's really listening hard to people who know about some of the scams -- and vulnerabilities that lead to scams -- out there, and then trying to pre-empt them. In the end it's about making a technology that is as bulletproof as you can make it.