Boston, MA
December 2007

Online Security Review 2007: Better Defenses, Still Exposed


Mercator Advisory Group is pleased to announce the release of its latest report, “Online Security Review 2007: Better Defenses, Still Exposed”. This new report reviews the remarkable evolution in the sophistication of online security threats during 2008 against consumers, merchant and FI sites, as well as high value targets including commercial bank account holders and high net worth individuals. The report finds that few major FIs are enrolling consumers into the battle for online security. While websites make uneven efforts to broadly educate consumers, few FIs provide even discounted access to anti-virus software or employ multi-factor authentication that requires active consumer interaction.

“The hacker’s accelerated development of sophisticated malware and laser-like focus of spearphishing attacks on high value targets does not bode well for 2008,” comments George Peabody, Director of Mercator Advisory Group’s Emerging Technologies Advisory Service. “The vast majority of FIs and merchants have thus far resisted recruiting consumers into the fight through effective education, incentives for safer computing or encouraging direct consumer participation in the authentication process. That reticence to expose consumers to the realities of online security may become costly.”

Highlights of the report include:

* Despite recent reports of lowered online fraud at financial institutions, the online security picture remains challenging at best. The professionalization of online financial crimes is raising the ante. Security vendors are now unable to detect the presence of botnet infections on some 40% of computers.

* Few FIs have enrolled users in security. A review of the websites of the top 50 US FIs reveals FIs provide information on security but rarely subsidize anti-virus or other consumer security tools. Further, security information is often poorly placed on the FI website.

* Because of the professionalization of the hacker threat, the sophistication of malware and the specificity of social engineering exploits, Mercator Advisory Group predicts a major fraud event at a US FI with many smaller scale online frauds at smaller institutions.

* While the FFIEC’s two-factor authentication guidance has been broadly adopted with positive results, mobile handsets offer a potent third factor for authentication during online sessions. Bank of America’s SafePass™ is one of the first examples.

The report includes an appendix containing a list of major data breaches during 2007, examines their costs and the sources of these breaches by economic segment.

One of the 4 Figures included in this report

The report is 34 pages long and contains 4 exhibits.

Members of Mercator Advisory Group have access to this report as well as the upcoming research for the year ahead, presentations, analyst access and other membership benefits.

Please visit us online at

For more information call Mercator Advisory Group’s main line: 781-419-1700 or send email to