The Broken Link - Digital Transactions

More documents

Recommendations

Info

hack into my bank’s Web site as Yodlee’s, so at least this way I can nip it in the bud.” But the point that this consumer is missing is that the passwords for all of his accounts are now with Yodlee. It is easier to hack into one database than many. As all the recent news about data breaches has shown us, consumer data is hard to keep safe. And a data breach involving consumers’ online-banking credentials would damage the payments industry immensely. It’s not difficult to see how such data can pile up quickly. After all, when a trusted entity like a financial institution asks its customers for their log-on credentials at another institution, most customers probably would not think twice about it because the request is coming from a trusted party. But a requesting financial institution should be able to answer some questions, such as: Who has access to the log-in credentials at the financial institution or service provider? How many people can see it? How is it protected? How long is it maintained? Who has the liability? Who has the reputation risk? Do you want your customers giving their log-on information to other institutions? The answer to the last answer should be a resounding “no.” Senior management in most of these financial institutions would probably shudder if they were informed that their 34 • digitaltransactions • February 2008 institution was requesting the log-on credentials at other financial institutions as part of their services. Banks at Risk The consumer is giving up a lot when he signs up for this sort of accountverification service. The following excerpt comes from the additional terms agreed to by the consumer for A data breach involving consumers’ online-banking credentials would damage the payments industry immensely. the account-verification service with Yodlee and Obopay: “By using the Account Verification Service, you authorize Obopay and its supplier Yodlee, Inc. (“Yodlee”) to access third party sites designated by you, on your behalf, to retrieve information requested by you. For all purposes hereof, you hereby grant Obopay and Yodlee a limited power of attorney, and you hereby appoint Obopay and Yodlee as your true and lawful attorneyin-fact and agent, with full power of substitution and re-substitution, for you and in your name, place and stead, in any and all capacities, to access third party internet sites, servers or documents, retrieve information, and use your information, all as described above, with the full power and authority to do and perform each and every act and thing requisite and necessary to be done in connection with such activities, as fully to all intents and purposes as you might or could do in person.” Even if a similar type of agreement were in place with the financial institution, the liability for security breaches and fraud as a result of misuse of the log-on credentials should fall squarely on the shoulders of the requesting financial institution. But the reality is that the account holder’s financial institution—which is an innocent party in all of this, especially if it is not aware that its customer gave out confidential information at the request of another financial institution—is also at risk. Account-holding financial institutions must continue to educate their customers. They should inform them that they should never divulge their online credentials to third parties, not even to another financial institution. Another step they should take is to advance their multifactor authentication programs to prevent this practice from continuing. Above all, requesting financial institutions should stop this practice altogether and instead rely on methods like challenge-account verification, which may take a little longer but has none of the risks of requesting log-on Instant account verification is not essential and is surely not worth the inherent risks. credentials. Challenge-account verification usually occurs when random low-value transfers are sent to the consumer’s account, after which the consumer must verify the amounts. Instant account verification is not essential and is surely not worth the inherent risks. DT George F. Thomas is chief executive of Radix Consulting, Oakdale, N.Y. Reach him at gfthomas@ radixconsulting.com.
SECURITY February 2008 digitaltransactions Why Issuers Hesitate To Enlist Cardholders in the War on Fraud Lauri Giesen With data breaches exposing more and more card accounts, credit and debit card issuers should be doing much more to involve cardholders in fraud detection, some experts say. But would the fraud cardholders spot justify the cost of the tools issuers gave them? There is no doubt that credit and debit card issuers are doing a lot to protect their cardholders from fraud. With the application of advanced neural networks that can detect suspect payment patterns and rigorous enforcement of cardassociation rules, most issuers are attacking fraud aggressively. But are they giving cardholders all the tools they need to help protect themselves? That’s where there seems to be some criticism of card issuers. Most issuers send statement stuffers or post Web-site notices informing cardholders about basic fraud-prevention steps. And most issuers will call or send e-mails to customers when they see questionable transactions or purchase patterns indicating something might be amiss. But many experts believe that is not always enough to get the cardholder actively involved. Most issuers don’t allow customers to prohibit, or at least request to be notified about, certain types of transactions they are unlikely to make. Many issuers also do not aggressively promote the idea that customers should regularly check their online statements to catch problems early. And while most issuers call or e-mail customers to report questionable transactions, none of the top issuers sends immediate text messages to customers’ mobile phones, even though waiting until the cardholder gets home at the end of the day to check phone messages or e-mails may be too late. These days, with data breaches compromising tens of millions of card accounts, issuers should be doing more to enlist cardholders in accountprotection efforts, some observers say. “Issuers can strengthen brands, loyalty, and return on security investments by placing some of the responsibility traditionally handled by backoffice expertise into the hands of the customers,” researchers at Pleasanton, Calif.-based Javelin Strategy & Research wrote in a mid-2007 report. Javelin founder James Van Dyke doesn’t think most card issuers have done a good job of engaging cardholders in fraud prevention. “We estimate more than half of the identificationfraud crimes start with information that is in the cardholder’s control, yet financial institutions have not always involved these cardholders in fraud control as well as they could. Financial institutions seem to want to work on behalf of their customers rather than give them the tools so they can work together,” Van Dyke says. One reason for this, Van Dyke says, is that many issuers think cardholders don’t want to be bothered. With zero liability required by law or network policies, issuers often believe cardholders operate under the assumption that since they don’t bear the brunt of the loss, they can hand over responsibility for loss prevention to banks. But consumer research by Javelin contradicts that perception. It found 60% of consumers say fraud prevention is a joint responsibility between cardholder and issuer. Other experts also dismiss the notion that consumers are complacent. “Nobody wants to have their accounts violated,” says Brian Riley, senior analyst for bank cards at Needham, Mass-based TowerGroup Inc., an editorially independent unit of MasterCard Inc. “There is a real feeling of violation if fraud occurs to your financial accounts, even if you don’t bear the financial burden.” Adds a spokesperson for San Jose, Calif.-based PayPal, the payments subsidiary of eBay Inc.: “Our customers tell us all the time they want to February 2008 • digitaltransactions • 35
Page 1: VOLUME FIVE, NUMBER TWO • DIGITAL
Page 4 and 5: SOME COMPANIES STAND OUT FOR OBVIOU
Page 6 and 7: D I G I T A L T R A N S A C T I O N
Page 8: THE GIMLET EYE FEBRUARY 2008 • VO
Page 11 and 12: challenges to interchange. Last yea
Page 14 and 15: TRENDS & TACTICS TRENDS & TACTICS A
Page 16 and 17: ACQUIRING February 2008 digitaltran
Page 18 and 19: ecently adopted NCR Corp.’s solut
Page 20 and 21: In addition, 67% of retail treasury
Page 23 and 24: Changing consumer behavior regardin
Page 25 and 26: Earn Interchange with United Cash S
Page 27 and 28: Inc., has announced enhancements to
Page 29 and 30: The SEAA is Back in the SouthEast A
Page 31 and 32: From the merchant perspective, deco
Page 33 and 34: Revolutionary Times Call for a Revo
Page 35: Yes, we’re on the Web. And in you
Page 39 and 40: they don’t want approved. Some cu
Page 41 and 42: ENDPOINT Behind the Experimentation
Page 43 and 44: ©2007 Digital Check Corp. All righ

The Broken Link - Digital Transactions

Create successful ePaper yourself

Delete template?

Save as template?