In response to the news that the financial ombudsman has come out today saying that banks should not assume victims are at fault, James Romer, Chief Security Architect at SecureAuth + Core Security and David Kennerley, Director of Threat Research at Webroot commented below.
“Cybercriminals dedicate time and effort to evolve their methods of tricking customers into handing over their bank details and login credentials, meaning that the threat landscape is in constant flux. Customers alone cannot be held responsible for keeping up with every scam and tactic that arises and assuming blame threatens their trust. Banks have a duty of care to constantly monitor, detect and neutralise new threats through investment in the appropriate technology and security expertise. Also, as banks open their APIs to authorised third parties to comply with Open Banking standards, authenticating users will become key to protecting sensitive customer information and combatting fraudulent transactions. Bad actors will attempt to impersonate third parties to trick consumers into handing over their credentials or payment details, causing further confusion for consumers. Banks need to make sure that they are helping their customers as these new services come online.
“Fighting fraud effectively requires a joint effort between banks and consumers, with identity and authentication at the centre of the strategy. Banks need to implement the most comprehensive cybersecurity technology which considers different factors (such as device recognition and geolocation) at the login phase and consistently apply multi-factor authentication(MFA) if risk is detected, to address the threats at the identity level efficiently.”
Dave Kennerley, Director of Threat Research at Webroot:
“Scams often use complex malware combined with a highly targeted delivery vector, such as personalised emails, to easily fool end users into handing over their personal details. Banks have the strong advantage of having the most sophisticated technology in place to monitor and detect for threats, meaning that it cannot always be the customer’s responsibility to be alert to fraudulent activity and remain vigilant.
Banks should take more responsibility for defending against cyberattacks and also assume the role of educator, as they possess the relevant knowledge of emerging threats, as well as the most effective defence. Cybercriminals only need to find one hole in the defence, while security professionals have to secure the entire attack surface area. It’s not an easy or simple task, but an intelligent approach of education combined with the relevant technologies – utilising smart capabilities, such as machine learning – can be used to deliver threat protection and help detect and stop attacks.”