Respondents feel confident in defenses
Although ATO incidents have remained the same or increased, respondents reported higher confidence in their defenses today than four years ago.
There are some fundamental factors at play that continue to drive ATO. The cybercrime economy has been booming for years now - there’s just too much money at stake for cybercriminals. Couple that with the need to make banking easy and accessible and the conditions are in place for exactly what we’ve seen – institutions continue to implement new controls and soon after, cybercriminals figure out a way past them. Simply put, if account holders can get into their accounts, so can the bad guys.
What do survey results tell us about FFIEC guidelines?
Conformance to the guidelines is necessary, but not sufficient. Stronger authentication measures were needed at the time of issuance and are absolutely needed today. However, as you tend to see with compliance requirements across the board, the guidance sets a minimum baseline and just being compliant isn’t really enough. That said, when the guidance was being drafted and published, a lot of people were expecting that those additional measures would put a real dent in the level of account takeover, and that just hasn’t been the case.
In this interview with Bank Info Security, PhishLabs CEO John LaCour discusses why the FFIEC-recommended security controls have fallen short, resulting in increases in fraud losses and ATO. LaCour points out that most investments have been in tools that catch attacks after credentials have been compromised. He notes that the underinvestment has been in detection controls and tools that prevent account takeover upfront.
We’ll be further exploring survey results regarding defenses currently in place as well as future investments to protect against ATO in subsequent blog posts. Subscribe to our blog to stay tuned or download the full report.