Online security measures basic at best

John Kavanagh
The majority of security breaches affecting the online services provided by financial institutions originate from customers' computers, yet only half of those institutions require anything more than a password from their customers to make an online transaction.

Deloitte's 2007 Global Security Survey, released yesterday, reports that 65 per cent of respondents were subject to "repeated external breaches" of their IT infrastructure.

The top three breaches were email attacks, viruses and worms, and phishing and pharming. All of these breaches were perpetrated via the customer.

Only 51 per cent of respondents said their organisations had moved to a security level beyond password authentication for end user internet transactions.

Local financial institutions are well behind their peers in other regions when it comes to having the required skills and competencies to handle security requirements. Deloitte rated financial institutions in the Asia-Pacific region as "worst of breed" in this regard.

Deloitte's partner in charge of technology risk services, Dean Kingsley, said financial institutions knew they had a problem but couldn't see a cost-effective solution.

They could transfer the liability on to the consumer but that would be politically unacceptable.

They could adopt the "help desk" approach and provide IT support to their customers but that would be too expensive.

Kingsley said education was practical and useful, and there was evidence that more financial institutions were issuing advice to customers on internet security.

Some institutions were using tokens for two-factor authentication but this was expensive. Kingsley said a more cost-effective way of delivering two-factor authentication was through SMS messaging.

"Everyone has a mobile phone," he said. "The bank doesn't have to pay for the devices.

"SMS technology is a sound technology. It is a sweet spot - the most cost effective of the current solutions."

As to why local institutions were worse in this regard than their peers in the United States and Europe, the survey found that there was a shortage of IT people with security skills. And the people who were working in the field were too "tech-centric".

"We have people here, although not enough of them, who can design solutions that reduce IT security risks," Kingsley said.

"But these are not the sort of people who can tie those solutions into a business plan, or get the management of the company to adopt their ideas as strategic imperatives."

An interesting aspect of the report was its finding that 36 per cent of financial institutions in the region had experienced internal breaches of their IT systems in the past year. Either through error or misconduct, staff are creating security issues for their companies.