Earlier this month, federal prosecutors unsealed an indictment charging several men with bank theft on a massive scale. According to prosecutors, the thieves loaded stolen account data onto magnetic stripe cards, which they then used to steal $45 million from ATMs around the world.
As financial institutions reconsider their security procedures in the wake of the breach, much of the attention will naturally fall on America's reliance on magnetic-stripe cards, instead of the more secure chip-and-PIN (also called EMV) cards used in other parts of the world.
While they're at it, though, the banks should also consider another big security black eye: The fact that it's easier to hack into your bank account than it is to crack your Facebook account.
Protecting Us From Ourselves
It's a fundamental truth of network security that no system can ever be truly safe from intruders. That's because of one universal weak point: the user. As long as people insist on opening phishing emails, picking weak passwords and leaving their PCs unprotected from malware, hackers will find a point of entry.
So recent innovations in online security have focused on solutions that protect consumers from themselves.
One such solution is two-factor authentication, which aims to protect users even if their log-in information has already been stolen. It typically involves sending a second, temporary passcode to your mobile phone, on the assumption that whoever managed to snag your password probably doesn't have access to your phone too. Facebook and Google have both implemented two-factor systems in recent years.
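The passcode flow described above, as an added example that is not code from any of the companies named in the article: a small verifier that issues a temporary six-digit code for delivery over a second channel and accepts it only once, only before it expires, and only within a few guesses. The five-minute lifetime and three-attempt limit are assumptions; delivery to the phone is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of a temporary passcode: five minutes
MAX_ATTEMPTS = 3         # assumed number of wrong guesses before the code is voided


class OutOfBandVerifier:
    """Issue and check one-time passcodes that are delivered over a second channel.

    Delivery (SMS, push, voice) is out of scope: issue_code() returns the code so the
    caller can hand it to its messaging service. Only a keyed hash of the code is
    stored, so a leaked pending-code table does not reveal live codes.
    """

    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable for deterministic tests
        self._key = secrets.token_bytes(32)      # server-side HMAC key, per process
        self._pending = {}                       # user -> [digest, expires_at, attempts_left]

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue_code(self, user: str) -> str:
        # Six random decimal digits; secrets avoids the predictable random module.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = [self._digest(code), self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False                         # nothing issued, or already used up
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user]              # expired codes are discarded, not retried
            return False
        ok = hmac.compare_digest(digest, self._digest(submitted))
        if ok:
            del self._pending[user]              # single use: a replayed code fails
            return True
        entry[2] -= 1                            # wrong guess burns one attempt
        if entry[2] <= 0:
            del self._pending[user]              # too many guesses voids the code
        return False
```

The attempt limit is what makes a six-digit code adequate: without it, a million guesses would be feasible inside the code's lifetime. The single-use rule is what stops a code intercepted from the phone from being replayed after the legitimate login.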
Javelin Strategy & Research, which consults for the financial services industry, surveyed the 25 largest financial institutions and found that just eight let users set up "out-of-band" authentication on their phones. While that list includes large institutions like Bank of America, Citibank, JPMorgan Chase and PNC, that still leaves another 17 banks that haven't gotten on board, including Capital One, HSBC and TD Bank.
"When we have better security for our Facebook and Gmail, maybe it's time for the banks to step up," says Chester Wisniewski, security researcher for Sophos. "Consumers are genuinely surprised that it's easier to log into your bank than it is your Facebook."
Banks that don't offer two-step authentication will usually attempt to verify your identity by prompting you to answer security questions that you set when you initially created your account. But those questions -- including your mother's maiden name and the name of your favorite pet -- have been criticized as ineffective in the age of social-media oversharing.
"If and when [users] register secret questions with financial institutions, they should not be putting the answers on social media," says Shirley Inscoe, a banking industry analyst for the Aite Group. "A lot of banks are discontinuing the use of those secret questions because bad guys are able to find the answers."
Locks on the Door, Motion Detectors in the Vault
If the bad news is that many banks are behind the times when it comes to preventing access to your accounts, the good news is that log-in security procedures aren't the only lines of defense against fraud.
"You have to assume that [intruders] are going to gain access, so you need a platform of protection that works up against that reality," says Terry Austin, CEO of Guardian Analytics.
Much like the procedures that credit card issuers use to detect card fraud, Guardian builds a profile of how you typically use your online banking account; it can then detect when your account is being used in a way that departs from that pattern. Common giveaways that trip the alarms can range from unusually large transactions to simply navigating to a part of the site that you've never used before.
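The profiling idea described above, as an added illustration and not Guardian Analytics' own code: build a per-customer profile from past sessions, then score a new event against it for the two giveaways the article names, an unusually large transaction and a first visit to a part of the site. The sample history, the three-sigma threshold and the 5% spread floor are constructed assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Event:
    user: str
    section: str          # part of the site the user navigated to
    amount: float = 0.0   # transaction amount; 0 for actions that move no money


@dataclass
class Profile:
    sections: set = field(default_factory=set)   # parts of the site this user has visited
    amounts: list = field(default_factory=list)  # past transaction amounts


def build_profiles(history):
    """Fold historical events into one Profile per user."""
    profiles = {}
    for e in history:
        p = profiles.setdefault(e.user, Profile())
        p.sections.add(e.section)
        if e.amount > 0:
            p.amounts.append(e.amount)
    return profiles


def score_event(profile, event, z_threshold=3.0):
    """Return the list of reasons an event looks unlike the user's own history.

    An empty list means the event fits the profile. Both giveaways from the
    article are checked: an unusually large transaction and a first visit to a
    part of the site.
    """
    reasons = []
    if event.section not in profile.sections:
        reasons.append(f"first visit to section '{event.section}'")
    if event.amount > 0 and len(profile.amounts) >= 2:
        mu = mean(profile.amounts)
        # Floor the spread at 5% of the mean so a very regular history does not
        # flag every small deviation (assumed tuning value).
        spread = max(pstdev(profile.amounts), 0.05 * mu)
        if event.amount > mu + z_threshold * spread:
            reasons.append(f"amount {event.amount:.2f} far above usual ~{mu:.2f}")
    return reasons


# Constructed sample history for one customer (not real data).
HISTORY = [
    Event("alice", "statements"),
    Event("alice", "transfer", 120.0),
    Event("alice", "transfer", 80.0),
    Event("alice", "statements"),
    Event("alice", "transfer", 150.0),
    Event("alice", "transfer", 100.0),
    Event("alice", "transfer", 90.0),
]
PROFILES = build_profiles(HISTORY)


def review(event):
    """Score one event against the stored profiles; unknown users get an empty profile."""
    profile = PROFILES.get(event.user, Profile())
    return score_event(profile, event)
```

A real deployment would add more signals (device, location, time of day) and treat the score as a risk input to step-up verification or a hold on the transaction rather than a hard block, since a first visit to a new page is also what a legitimate customer does when exploring the site.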
Even if the algorithms don't stop thieves from making off with your cash, consumers still have one last line of defense: Federal regulations say that in most cases, consumers are not liable for fraudulent transactions on their account.
Still, if someone cleans out your account and you have to wait a week or more to get your funds back, it's a huge disruption to your life. And since the financial institution will incur the cost of the fraud, they too have a clear incentive to stop fraud before it starts.
So that brings us back to the original question: If Facebook and Gmail can offer account holders two-step authentication, why have several major banks failed to follow suit with so much money at stake?
Convenience vs. Security
Wisniewski says it's partly a matter of banks not wanting to hinder the convenience of online banking by introducing another barrier to entry -- no bank wants to be the first to make it harder for customers to log into their accounts. Even banks offering two-step log-in don't enable it by default. Bank of America, which was named best in class by Guardian's security report, made me click around a bit before I could find and enable the feature.
And I'm security savvy. The people who need extra security the most -- the careless types who reuse passwords and leave their PCs unsecured -- are the least likely to put enhanced features in place. "If banks make it optional," Wisniewski observes, "the people who don't need it will be the only ones who use it."