Online Banking: The Nightmare

Western Union's recent woes show how easy it is for hackers to crack e-safes--and the need for regulation

Early Saturday morning Sept. 9, tens of thousands of Western Union Financial Services Inc. (FDC) business and individual customers awoke to an alarming phone call. A recorded message from company President Mike Yerington warned that intruders had snaked through an Internet security hole and gained access to up to 20,000 credit-card and debit-card numbers used in Western Union money transfers. Human error led to the breach: A Western Union employee doing routine maintenance left the site unprotected.

Some mistake. Since 1851, Western Union---now a unit of Atlanta-based First Data Corp.--has built its reputation on safely delivering the goods, whether money or information, anywhere in the the world. But when the dust settled on Sept. 10, the company tallied 15,700 compromised accounts, not to mention the blot on its Internet strategy, launched three months earlier. Many Western Union customers had subscribed to a service that allowed them to enter their card numbers in a Web account and then send money to Western Union locations over the Net.

Computer experts give Western Union credit for responding swiftly. It shut down its servers and went to great lengths to notify customers. It even urged them to cancel their exposed credit cards and request new ones, a move that risked souring relations with the company's bankers. It costs banks $125 to reissue each card, and few financial sites have recommended cancellations in past cases of Net credit-card fraud, according to Richard Power, editorial director of the Computer Security Institute in San Francisco.

Western Union"s site is back up, traffic is brisk, and no more fraud has been detected, the company says. But banks and customers, take note: This case is another sign that as financial institutions rush to the Web, they are more exposed than ever. The Net not only speeds up transactions, it also speeds the response time needed to prevent a financial or public-relations catastrophe.

That message still may not be getting through. "A lot of other industries often pay more attention to security than some of the banks we talk to," says Ken Bywater, manager of the Internet security practice at consulting firm Berbee Services. "We always tell them: `You are more of a target because of the data you hold and transmit, so you have to take extra care."' But most banks spend most of their e-commerce energy wooing customers. Security is a secondary concern, says Bywater.

Many banks are using software that could be far less secure than advertised. Although dozens of companies are selling packages for banks, no independent auditing board exists to check their claims. "I have taken a whack at three [secure banking] software offerings, and on all I have gained account numbers, even passwords," says Jim Stickley, a senior engineer at security consultants Garrison Technologies.

Getting that data provides an easy route to further fraud. Many banks store customers' addresses and Social Security numbers in the same data records. Side by side, that information can be used to reroute credit-card mailings or even open new accounts.

TIGHTENING UP. Last November, Congress passed legislation to create regulations to enhance online financial security. Unfortunately, that's not likely to be enough. Ideally, Power thinks online banking should use a system more like automatic teller machines, which require not only passwords but cards. It's not widespread yet, but some keyboard makers are starting to build in card readers.

Another step toward better security is American Express Co.'s Sept. 7 announcement of a new system providing disposable credit-card numbers. Amex customers can sign up for one of these cards at the AmEx Web site at no cost, and they can use it for just one transaction on the Internet.

Clearly, much tighter defenses are needed. Minimum security requirements should be laid down by the U.S. government or another third party, not by the institutions themselves, just as the Federal Deposit Insurance Corp. scrutinizes banks before providing insurance.

That might seem unwieldy. But so far, financial institutions collectively have failed to grasp the gravity of a massive security breach or the vast damage that could be done to customer confidence and their own reputations.

Let the Western Union case be a warning. Not every breach in security will end so happily.

Before it's here, it's on the Bloomberg Terminal.