I’ve just come across an article that outlines some of the threats that come from the use of Web 2.0 technologies in financial services applications. The basic conclusion of the article is that banks should not be rushing into the space:
A lot more analysis needs to be done before financial applications can be integrated with their core businesses using Web 2.0. The Web security space is filling up with new attacks as we speak or offering new ways of delivering old attacks – both are dangerous where “monetary transactions” are involved.
This reminds me, strangely, of many of the objections that banks faced when they first began to do banking online. And before that, with telephone banking. The new thing hasn’t been fully tested, it can’t be safe, everyone should slow down and see what happens.
Of course, if we all followed the “wait and see” approach, there would be, in fact, nothing to see ever.
Now, I’m not arguing for a minute that banks aren’t an attractive target for attack. Of course they are. But just as with every kind of security threat, the minute you meet it, someone will find something else to exploit. Having good processes for helping customers who have been attacked is key. So is being able to respond to threats quickly and efficiently. Any decent bank is doing all that already.
I guess, when you distill the article down, the real concern outlined by the author is that banks adopting the new Web 2.0 styles of interaction are actually increasing the attack surface of their online presence. That is clearly correct. New ways of interacting mean that there are new ways to abuse them.
A bank that creates new channels and interaction styles must also create new security and threat response procedures. A greater attack surface means more dollars spent on meeting threats. That is exactly what happened with the advent of Internet banking in the first place. And in the end, lots of customers would switch banks if they were told that they couldn’t bank online any more because an institution wasn’t stepping up to invest in their safety.
Actually, I worked with a bank in Australia that was thinking about reducing its online functionality because of these costs. They killed the idea after testing it with customers in focus groups.
I think, ultimately, that this is the point that the article fails to draw out. For each incremental investment in customer experience, there is also an incremental investment in protecting customers. Simply suggesting that an institution is opening itself to attack and not making these investments doesn’t really reflect the true picture.