Bank staff pose a far greater security risk than any external threats, according to senior executives from Westpac, the Commonwealth Bank and ANZ.
In a panel discussion at the Technology and Innovation for Banking and Financial Services Conference in Melbourne yesterday, Jim Karvounaris, ANZ's head of global information security, said the bank was doing “a hell of a lot of work around user access management” in a bid to counter the growing threat.
Karvounaris said the bank was currently working out how to disable USB storage on employees’ computers to stop staff copying confidential customer data out of the bank and misusing it. IT staff in particular have had their access to data restricted. “Historically, IT folk had access to data, now they have access only in emergency situations.”
Marcus Judge, general manager of e-commerce at CBA, agreed that the internal threat was much more serious than the phishing and spam problems affecting internet banking.
Stephen Holm, head of trust services, eChannels, at Westpac, said the bank had improved employee screening in recognition of the growing internal risk and the impending anti-money laundering legislation.
The panel all seemed to agree with Karvounaris that it wasn’t just new employees who posed a threat, but also long-term employees who had accumulated access to numerous areas of bank systems over many years without that access ever being revoked.
Meanwhile, Marcus Judge, from Commonwealth Bank, told the conference that internet banking fraud had spiked in September and October last year, and then fell away dramatically in November and has remained at “very low levels” throughout the first half of 2007.
However, he said, concerns about security do not impact on customers’ usage of internet banking. “Last year, we saw an incredible torrent of spam and phishing, but that did not affect the growth and use of the channel,” said Judge. “Security concerns are a barrier to those who don’t already use it, but not to existing customers.”
Take-up of the bank’s new tokens (a form of “two-factor authentication”) by customers was slow, and “most customers don’t need two factor anyway”, he said.
The chair of ASIC’s review of the EFT Code of Conduct, Delia Rickard, told the conference that while actual fraud levels may be low, “you cannot overestimate the fragility of the public’s trust in the channel”. Extending the EFT Code to cover small business was now the “crunch issue” in the review, with the question of liability for internet fraud now basically resolved.