NEW YORK—The phishing epidemic that has overwhelmed the financial services industry is getting worse by the day, and security teams at banks and other financial institutions are in a daily battle to keep their customers data safe from an increasingly sophisticated enemy that is constantly changing tactics and honing its craft, security experts say.
Security officials at several banks, who spoke on condition of anonymity, said they have run up against a wall in trying to find new ways to deal with phishing attacks and are getting little or no help from federal law enforcement agencies. The phishing phenomenon exploded last year and caught many in the banking industry unawares. Virtually every major bank has been hit with at least a handful of phishing attempts, but many banks are just now setting up response teams and codified procedures to deal with the problem.
This time lag has given the scammers a tremendous head start on the banks and made it difficult for security teams to get their arms around the problem quickly.
"Phishing isnt a simple thing. Its been around since the 90s. Its really gotten sophisticated and had an impact on these businesses ability to work," said Dave Cullinane, president of the Information Systems Security Association, during a speech at the CSO Interchange conference here Tuesday. "The money-making capability of it is huge. If something like this happens to a bank, its not a good thing because people think of a bank as a place that will protect your information."
Cullinane added that in his experience, the FBI and other federal agencies are generally unresponsive to requests for help from banks on phishing attacks unless the bank can show substantial financial losses. "If youre running on the assumption that calling the FBI will get you assistance, it wont," he said.
The CSO Interchange event, hosted by security vendor Qualys Inc., is a forum for chief security officers to share ideas and best practices and seek advice from their peers. Among the CSOs from the financial world, the twin problems of identity theft and phishing were the main topics of conversation.
Several bank CSOs said that their employers were looking at the possibility of implementing some form of two-factor authentication for online banking customers. But, to a person, the officials also said that they were reluctant to move ahead with such a program until someone else had proven that it can work on a large scale.
"Unless all the banks do it, no one will. No one wants to be first," said one CSO.
Officials from international banks said that their European and Asian customers are clamoring for a two-factor authentication solution, but their U.S. customers are uninterested. Many of the CSOs said that biometrics such as fingerprint scanners hold promise for strongly authenticating online banking customers, but that many consumers are worried about the privacy implications.
"You cant have it both ways. If you want security, you have to give out something like a fingerprint and have some trust in someone," one CSO said.