Can we put a price tag on the convenience offered by online banks and brokerages? After all, these services have allowed you to take control of your portfolio by eliminating the middleman. You can now execute trades at any hour of any day, based on any whim or fancy. You can save precious minutes in your busy life by eliminating the need to sign and mail checks. You can even place your market order while you eat lunch at the deli, if you so desire.
In turn, financial institutions that embrace the web can provide more services to more customers more efficiently than ever before. According to the US General Accounting Office (GAO), the number of US households taking advantage of online banking is expected to grow to 32 million by 2003, up from 6.6 million in 1998.
HERE'S THE PROBLEM
On the surface, this seems like a win-win situation, but upon deeper inspection, that might not entirely be the case. The virtual world has its own set of bank robbers and scam artists, more commonly known as hackers and crackers. There's a subtle difference between the terms: a hacker is someone who illegally gains access to a computer system and exposes its vulnerabilities to the owner and the general public, but not necessarily for personal gain, whereas a cracker is someone who engages in a similar activity, but uses the information gained for self-benefit or for the benefit of some criminal or terrorist organization.
The skill sets among hackers vary greatly, although the results are much the same. At one end of the spectrum, novices with little or no experience download hacking tools and programs and run them blindly simply because they can. At the other end, hacking professionals with years of experience spend hours on end figuring out ways to get around the latest defense measures implemented by security experts.
International boundaries have no meaning in the realm of cybercrime. Increasing numbers of hackers and crackers are operating in countries such as Russia and China, where the activity of compromising US corporations and government agencies is seen as an ego-boosting achievement and a favor to nationalist causes. After the episode in April 2001 in which a US Navy EP-3 crew was detained on Hainan Island in China, various US hacker organizations waged a cyberwar, attacking as many Chinese websites as they possibly could. Chinese hacker groups retaliated by targeting US websites.
Interestingly, many of these individuals perpetrate their crimes by using equipment that is antiquated by US standards. Russian hacker Vladimir Levin was the subject of a 1995 case involving the online theft of $3.8 million from Citibank accounts. Apparently, he committed this crime using only a run-of-the-mill personal computer at his workplace with a dial-up connection to the Internet.
Further, online attacks against government agencies and companies worldwide are increasing at an alarming rate. In fact, reports from the Gartner Group, a well-known technology research and advisory firm, indicate that the financial damage caused by cybercrimes could increase by as much as 10,000% in the next four years. Given that the US Department of Defense alone endures more than 250,000 hacking attempts per day, the magnitude of the problem is not difficult to fathom.
Even more troubling is that less than 10% of such intrusions are actually reported. Financial institutions are especially inclined to keep intrusion reports under wraps because of the negative impact they would have on their online service businesses. In the Citibank case, the bank played down the episode as much as it could, issuing a statement that only $400,000 was actually moved and insisting that the security systems it had in place led to the eventual capture and conviction of Levin.
In addition to breaking into computer networks to steal large sums of money electronically, terrorists have also been known to hold their victims for ransom. In 1996, The Times of London reported that a group of Eastern European terrorists amassed more than $500 million from banks, brokerage houses, and investment firms after threatening to destroy their computer systems by hacking into them. However, this incident was strongly denied by the institutions involved.
In order to control the situation to some extent, the US government agency that oversees nationally chartered banks (the Office of the Comptroller of the Currency) sent out a notice in 1999 outlining a set of mandatory security guidelines to be implemented. Among them was a requirement that banks report computer crimes to law-enforcement authorities. The notice included several recommendations, such as the use of firewalls and complex passwords to protect the institutions' networks. But a GAO report later that same year indicated that only 40% of the institutions to which the notice was sent actually implemented the recommendations.
More recently, Senator Robert Bennett, chairman of the US Senate's high-tech taskforce, proposed that the Securities and Exchange Commission (SEC) require financial institutions to disclose their network security readiness in a statement similar to that required in 1999 for Y2K readiness. It remains to be seen if this latest attempt to strengthen security measures will have a positive effect.
The government itself is not immune to the problem. A recent security audit of the computer systems used by the Internal Revenue Service (IRS) indicated that if you used the IRS's new e-file system in 2000, your personal information could easily have been compromised. The report went as far as to say that tax records could also have been modified by a cracker from anywhere on the Internet.
A portion of the responsibility for solving these problems lies with government agencies, which need to set and regularly update adequate criteria for Internet security, especially for nationally critical services such as financial institutions, and to strengthen laws against cybercrimes. Responsibility also lies with law-enforcement agencies to enforce the law to the maximum extent by continuing to pursue and prosecute cybercriminals. Given the global nature of the threat, international cooperation among law-enforcement agencies from different countries is required. The financial institutions and other companies that conduct business online must also take responsibility by continuing to invest heavily in network security. Security experts are hard to find and hire, but given the current threats, this safeguard clearly cannot be skimped on.
Finally, some responsibility also lies with you, as a consumer of online services. You need to educate yourself about the threats posed by the online world and navigate cautiously within the World Wide Web.
HERE'S WHAT YOU CAN DO
You can do a lot to reduce the risks associated with allowing sensitive financial data to float around in the great Internet cloud:
HERE'S THE SUMMARY
Experts agree that 100% security on the Internet is just not possible. But with law enforcement working harder to prosecute cybercriminals, banks and corporations spending more money than ever on network security, and a little common sense among web surfers, the number of criminal incidents will diminish. In fact, in the grand scheme of things, cybercrimes that adversely affect consumers directly are almost nonexistent when compared with the number of incidents of credit card theft, calling card fraud, bank holdups, and purse snatchings. The jury is still out on whether the virtual world is safer than the real world, but when it comes to managing finances, it's safe to say that the risks are at least comparable.
Venkatesh Gopalakrishnan is a software engineer for a major software company.
Copyright © 2001 Technical Analysis, Inc. All rights reserved.