I did a study for one of the top 10 banks – they see more fraud from trusted family members than from mass Phishing. But even if you increased their Phishing Loss Events by a factor of 10, you’re talking about increasing a few hundred thousand in IRT spending vs. a significant amount more for the KBA and Cyota. However, it’s obvious that the government is looking for preventative measures, not reactive measures so these “silver bullets” get implemented regardless.

I’m in total agreement with you. I get so fired up about this because of the folks out there who are suggesting that we legislate two factor authentication because of the claim (mostly perpetuated by vendors) that it will eliminate phishing. Pretty much any bank that delivers a second factor will have to pay out the wazoo in order to implement – for example, even if you can get a token for two bucks a pop (laughably cheap – usually it’s more like 8 a pop depending on volume) you’re still talking about millions of dollars for most banks.

Citi, for example has 15 million users (according to Wikipedia,) so the token hardware would cost 30 million dollars. Then there’s the cost of mailing those tokens: say (again, conservatively) 30 cents per user – that’s 4.5 million dollars. Then help-desk costs rise, ACE servers get bought and deployed, backup servers rolled out, all the apps changed to accomodate the new mechanism (trust me, legacy apps would need to change), etc. At the end of the day, you’re probably talking about upwards of 150 million dollars. But guess what – that’s not just a one-time deal: old users leave and new users join, so the bank gets to keep paying and paying and paying… And we pay for it. The costs get passed on to the consumer, so we’re the ones who foot the bill. Now, I don’t mind paying for something that works – but I’m not happy about paying for something that doesn’t fix the core issue.

Any decent risk analyst could have told you that the “second factor” would be breached, and quickly. But hopefully the would also mention that even the most anemic of second factors would, for a time, dramatically change the phishing landscape. By adding a second factor, (I’ll use FAIR terms, here) you are increasing Control Strength. By increasing Control Strength, you are increasing the Threat Capability needed to create a successful Loss Event. And by increasing TCap, you’re actually reducing Threat Event Frequency, and, therefore, Loss Event Frequency.

It’s very easy, really.

At the end of the day, I would argue that Phishing fraud presents a relatively small amount of risk to any specific FI, and most of these actions are taken for marketing/compliance reasons.

July 18, 2006 Good Morning: Sorry you are getting TDI a bit late this AM. I had some network difficulties this AM. Thanks BellSouth! I can work anywhere, but changing horses (I mean devices) mid-project is a challenge without network access to sync