One solution is to use software or a dedicated terminal to ensure that no malicious program can intercept a consumer’s communications with a bank. Consumers who have an old PC or laptop lying around could install the free Linux operating system on the machine and use the machine exclusively for financial transactions, suggests SecureWorks’s Stewart. Some security firms are also developing software to allow people to run a secure zone on their computer that eliminates the threat of communications being intercepted.
“It goes back to the question, ‘Can you trust the computer that you are using? Has it been infected by something that can impact you when you log on to your bank?’” Stewart says.
Another solution is to use a second means of communication, such as calling from a phone or sending an SMS message, to confirm that a transaction is valid, says Ariel Avitan, manager of information security for the Europe, Middle East, and Africa region of Frost & Sullivan, a global business consultancy based in San Antonio, Texas. “It’s a cat-and-mouse game,” Avitan says. “The [criminals] open a new door, and we shut it. Then they find another one.”
Finding solutions and pushing financial firms to adopt them are two separate challenges. Banks only implemented two-factor authentication in October 2005, after the Federal Financial Institutions Examination Council (FFIEC) mandated additional security for online bank accounts.
Ferma’s Ferrari has already arrived decided to fall back on a low-tech solution. “We have gone back to issuing manual checks,” he says.