Locking down checking accounts

Conventional wisdom says IT security has less to do with technology than with people and process -- think Kevin Mitnick conning an administrative assistant or Frank Abagnale forging checks in Catch Me If You Can.

Yet Gartner is reporting that checking-account hijacking is on the rise, and technology may be the prime solution. In a report titled "Criminals Exploit Consumer Bank Account and IT System Weaknesses," Gartner's Avivah Litan says criminals increasingly steal account numbers and PINs by phishing and then create counterfeit ATM cards to withdraw the cash.

Banks could prevent such thefts, Litan says, by validating security codes on the magnetic stripe of the card while authorizing transactions. "These codes are stored on Track 2 of the magnetic stripe," she explains, "and include PIN offsets and Card Verification Value (CVV) codes."

Whoa, Avivah, stop, you're killing us with the fancy talk. And don't start with the two-factor, hard-and-soft-token thing, either. Why is it that every time there's bank fraud, a blizzard of jargon obscures the real issue? Because banks don't want to change the basic way they do business, which is to make transactions as easy as possible and spread the cost of a few bad apples across the big honest population.

But now the scope and velocity of the fraud has changed. We've gone beyond the occasional lost wallet. Banks have to bite the bullet and decide either to inconvenience customers or to absorb new infrastructure costs, or both. To deploy new PIN offset validation technology, Litan says, consumers would have to go to a branch to change their PINs. Alternately, banks could write their own proprietary security codes on the cards (CVV codes are apparently subject to "brute-force attacks"), eliminating the reliance on PIN offset.

Either way, it's time for banks to step up to the plate. Otherwise we might as well go back to stashing cash under the mattress.

IT cost benchmarking department

And while we're on banks … The Boston Consulting Group just came out with a report titled "IT Offshoring and Outsourcing, Hype or Opportunity?" The study tries to benchmark the IT costs of a set of European banks, acknowledging that outsourcing is often driven by an effort to cut costs to meet perceived industry cost standards.

The study concludes that as European banks struggle to translate IT spending into higher revenues or reduced operating expenses, they spend most of their IT budgets on "steady-state" IT operations versus "IT innovation." The study also included this quote, which took my breath away and sort of sums up the state of IT: "Banks that spend more on IT tend to have higher revenues, but it is unclear whether these revenues result from higher IT spending or whether banks with higher revenues simply spend more on IT."