If a problem is detected, "the bank will call them and tell them," says Theiler, adding that cybercrooks would rather target high-dollar automated clearinghouse (ACH) transfers and other substantial payments from business customers, but wouldn't turn down whatever they can get from consumers banking online. "No bank is immune from being faced with these ACH issues regarding a computer malware attack," Theiler says.
But how far banks can or should go in imposing security requirements on their customers' desktops is a tough question. Theiler acknowledges that, for now, the approach for existing online banking customers is mainly to "highly recommend" the Trusteer-developed software.
The Trusteer software, tailored for each bank, is now offered by almost 40 institutions, including SunTrust, HSBC, Fifth Third Bank, ING Direct USA and Huntington National Bank. Trusteer, Prevx and TrustDefender are among the few security vendors building defenses of this type for the banking industry, according to Gartner's Litan, who faults larger security software providers, including McAfee, Symantec and Trend Micro, for doing so little.
But this type of help-the-customer banking software is not an approach Litan thinks should necessarily be a high priority for financial institutions.
"My advice to banks is they can't count on it, it's not ubiquitous," she says, adding "They need to make clear it's not total protection."
Once banks get involved in this help-the-customer software approach, a number of potential liability issues may arise if something bad does occur, she says. "The higher priority should be on things they can control, such as fraud detection and out-of-band protections," Litan suggests.
This so-called out-of-band security for e-banking and payments includes automated phone calls triggered when behavior-analysis tools flag suspicious online activity, as well as voice-biometric systems that match a stored voice pattern against the customer speaking their password.
"The threat landscape is changing," says Christopher Beier, senior product manager in the electronic banking services group at Fiserv, an online payment and services technology provider for banks. Fiserv recently began to make the PhoneFactor phone-based out-of-band authentication system available to its customers, which include 24 of the largest banks.
Phone-based authentication "doesn't take you away from the online banking channel," Beier says. "But I know the computer might be compromised. So you take the authentication out of that channel and onto the phone." This method will likely hold the most appeal in high-risk, large-dollar transactions, he notes.
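The flow Beier describes, as an added example that is not code from Fiserv, PhoneFactor or any bank named in this article: the server decides whether a transfer needs out-of-band confirmation (above a dollar threshold, or when the risk engine flags the session), generates a one-time code, and hands the phone channel a script that reads the real beneficiary and amount aloud before giving the code. At confirmation the browser must resubmit the same details, so a beneficiary swapped by malware on the compromised PC either gets read out over the phone (the customer hangs up) or fails to match what the code was issued for. The `OutOfBandVerifier` class, its threshold, time-to-live and attempt limit are all illustrative assumptions.

```python
"""Out-of-band (phone) confirmation of a high-value transfer.

Added example; not code from Fiserv, PhoneFactor or any bank. The class,
its default threshold, TTL and attempt limit are illustrative assumptions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PhoneCall:
    """Payload for the out-of-band channel: the script read to the customer
    (so they hear the real beneficiary and amount, not what a compromised
    browser shows them) and the digits they type back into the web session."""
    phone_number: str
    script: str
    digits: str


@dataclass
class PendingTransfer:
    account: str
    beneficiary: str
    amount_cents: int
    created_at: float
    digits: str
    attempts: int = 0


class OutOfBandVerifier:
    """Hypothetical server-side logic for phone-based transfer confirmation."""

    def __init__(self, threshold_cents=1_000_000, ttl_seconds=300,
                 max_attempts=3, now=time.time):
        self.threshold_cents = threshold_cents   # $10,000 by default (assumed)
        self.ttl_seconds = ttl_seconds           # code validity window
        self.max_attempts = max_attempts         # guesses before lockout
        self.now = now                           # injectable clock for testing
        self.pending = {}                        # transfer_id -> PendingTransfer
        self.approved = set()                    # transfer_ids cleared to post

    def needs_out_of_band(self, amount_cents, flagged_by_risk_engine=False):
        # Large-dollar transfers always go out of band; smaller ones only when
        # the online behaviour-analysis engine has flagged the session.
        return amount_cents >= self.threshold_cents or flagged_by_risk_engine

    def start_transfer(self, account, phone_number, beneficiary, amount_cents,
                       flagged_by_risk_engine=False):
        """Returns (transfer_id, PhoneCall or None if no call is needed)."""
        transfer_id = secrets.token_hex(8)
        if not self.needs_out_of_band(amount_cents, flagged_by_risk_engine):
            self.approved.add(transfer_id)
            return transfer_id, None
        digits = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, zero-padded
        self.pending[transfer_id] = PendingTransfer(
            account, beneficiary, amount_cents, self.now(), digits)
        # The script states the details the code is bound to; a beneficiary
        # altered by browser malware would be read out here for the customer.
        script = (f"Your bank is calling to confirm a payment of "
                  f"${amount_cents / 100:,.2f} to {beneficiary}. "
                  f"If that is correct, enter {' '.join(digits)} on the website. "
                  f"If not, hang up and call the number on your card.")
        return transfer_id, PhoneCall(phone_number, script, digits)

    def confirm(self, transfer_id, digits, beneficiary, amount_cents):
        """Returns one of: approved, unknown, expired, mismatch, rejected, locked."""
        if transfer_id in self.approved:
            return "approved"
        p = self.pending.get(transfer_id)
        if p is None:
            return "unknown"
        if self.now() - p.created_at > self.ttl_seconds:
            del self.pending[transfer_id]
            return "expired"
        p.attempts += 1
        # Details resubmitted from the browser must equal what was read over
        # the phone, so a post-call swap in the web channel cannot be approved.
        details_match = (beneficiary == p.beneficiary
                         and amount_cents == p.amount_cents)
        if details_match and hmac.compare_digest(digits, p.digits):
            del self.pending[transfer_id]          # code is single-use
            self.approved.add(transfer_id)
            return "approved"
        if p.attempts >= self.max_attempts:
            del self.pending[transfer_id]          # force a fresh call
            return "locked"
        return "mismatch" if not details_match else "rejected"
```

The code is deliberately not printed in the web session and is consumed on first success; a real deployment would also log the `mismatch` and `locked` outcomes to the fraud-detection system, since they are strong signals of a compromised endpoint.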
Bank Leumi and some banks in Australia are known to be leading the charge in this type of out-of-band authentication, Litan says, but overall there are few practical roll-outs.