Community Banking Advisor: Are there holes in your online banking security controls?

February 12, 2015

Online fraud is an enormous problem today and it’s on the rise. But while most banks have taken steps to secure their systems against hackers and other external threats, many remain vulnerable to one of the most common fraud techniques: compromising customers’ login credentials to obtain unauthorized access to their online accounts.

For example, a fraudster might send a “phishing” e-mail to customers. The e-mail would contain an embedded link to a phony website that tricks customers into supplying their login credentials or downloading malware that records information customers type on their computers.

Here are some of the extra precautions you should take to protect yourself and your customers.

Traditional protections no longer work

Traditionally, banks have authenticated online users by requiring a login ID and password, combined with an additional layer of protection. For example, many banks store a cookie on a customer’s computer to confirm that it’s the same computer the customer used to enroll in online banking and that it matches the customer’s login ID and password. Unfortunately, malware on the customer’s computer can steal that cookie, and a fraudster who copies it onto another machine inherits the “trusted device” status along with the stolen login credentials.

For additional protection, some banks use geo-location or Internet Protocol (IP) address matching to confirm users’ identities. But fraudsters have figured out how to use proxies to mimic a legitimate user’s location or IP address and bypass the bank’s security measures.

Another common authentication technique is to use challenge questions selected by the customers during the enrollment process. Often, however, impostors are able to answer these questions. For example, a fraudster who knows the customer or is adept at online research can easily supply a customer’s mother’s maiden name or the year the customer graduated from college.

In light of these weaknesses, the Federal Financial Institutions Examination Council (FFIEC) in 2011 supplemented its 2005 guidance on Authentication in an Internet Banking Environment. The FFIEC advised banks that device authentication and basic challenge questions, used as a primary control, no longer served as effective risk mitigation techniques.

Your security may need improvement

According to the FFIEC, “Virtually every authentication technique can be compromised,” so it’s critical that banks avoid reliance on any single control. Instead, they should implement “layered security,” which involves two or more controls for authorizing high-risk transactions. Examples include:

Sophisticated challenge questions. Challenge questions can be effective, provided they don’t rely on publicly available information. It’s more difficult (or impossible) for a fraudster to find out your favorite hero, for example, than it is to find out the name of your high school. It’s also a good idea to enroll more questions than you present and to rotate them so that no single session uses all of them. Otherwise, a phishing page that mimics the login flow captures the customer’s entire question set in one sitting, and the fraudster will have every answer the bank could ask for.

Another highly effective technique is to include one or more “red herring” questions. These are questions that don’t apply to the customer, and that the customer knows to leave blank. For example, a customer without children might select the question “What is your daughter’s nickname?” Any answer a fraudster provides will be wrong, because the only correct response is no answer at all.
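The selection and verification logic described in the two paragraphs above, as an added example written for this page (it is not code from the article or from any bank’s system): answers are stored as salted hashes, a red herring is recorded with no answer and passes only when left blank, and the questions shown in a session are drawn from the part of the pool not used recently, so one phished session cannot exhaust the set. The question IDs, the enrolled answers and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import random
import unicodedata

PBKDF2_ROUNDS = 100_000  # assumed work factor; tune to your hardware


def normalize(answer):
    """Case-fold and collapse whitespace so 'Fort Worth ' matches 'fort worth'."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)


def enroll(questions):
    """questions: list of (question_id, answer). An answer of None marks a
    red herring: a question the customer chose precisely because it does not
    apply to them, so the only correct response is a blank."""
    record = {}
    for qid, answer in questions:
        if answer is None:
            record[qid] = {"red_herring": True}
        else:
            salt = os.urandom(16)
            record[qid] = {"red_herring": False, "salt": salt,
                           "hash": hash_answer(answer, salt)}
    return record


def pick_questions(record, recently_used, count=2, rng=random):
    """Choose `count` questions for this session, never reusing one asked in
    a recent session, so a single phished session cannot capture the whole set."""
    pool = [qid for qid in record if qid not in recently_used]
    if len(pool) < count:
        raise ValueError("question pool exhausted; ask the customer to re-enroll")
    return rng.sample(pool, count)


def verify(record, responses):
    """responses: dict question_id -> answer typed by the user (blank for a
    red herring). Every presented question must be right; all of them are
    checked so a wrong answer does not reveal which question failed."""
    ok = True
    for qid, given in responses.items():
        entry = record[qid]
        if entry["red_herring"]:
            ok &= (given.strip() == "")
        else:
            ok &= hmac.compare_digest(hash_answer(given, entry["salt"]), entry["hash"])
    return ok


if __name__ == "__main__":
    # Constructed enrollment: three real questions and one red herring.
    rec = enroll([("mother_maiden", "Smith"), ("favorite_hero", "Batman"),
                  ("daughter_nickname", None), ("first_car", "Civic")])
    session = pick_questions(rec, recently_used={"mother_maiden"})
    print("asking:", session)
    print("blank red herring accepted:",
          verify(rec, {"favorite_hero": " batman", "daughter_nickname": ""}))
```

Note that `verify` treats the red herring like any other question from the fraudster’s point of view: the prompt looks legitimate, but anything typed into it fails.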

Out-of-band authentication. This is one of the most effective strategies for avoiding the risks associated with malware. It involves using another “channel,” such as a cell phone, to verify a transaction initiated online. For example, after customers initiate a transaction on their computers, they might be required to enter a one-time code sent to them by text message. This makes it extremely difficult for fraudsters to take control of an account, even if they have a customer’s login ID, password, and challenge question answers. To get the full benefit, the text message should state the payee and amount, so the customer can spot a transaction that malware has altered, and the bank should accept the code only for that transaction, only once, and only for a few minutes.
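The server side of that out-of-band step, as an added example written for this page (not code from the article or from any bank’s system): the one-time code is bound to the transaction it was issued for, delivered through a separate channel (here a stand-in `send_sms` callback that the caller supplies), and accepted once, within a short lifetime, with a cap on guesses. The code length, lifetime, attempt limit and the transaction record fields are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of a code
MAX_ATTEMPTS = 3         # assumed guess limit per issued code


class OutOfBandVerifier:
    """Issues a one-time code for a specific transaction and verifies it.

    The stored value is an HMAC over (transaction details, code), so at
    confirmation time the transaction *as it is about to be executed* must
    match the one the customer was told about in the text message. If malware
    changed the payee or amount in between, the recomputed tag differs and the
    code is rejected.
    """

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms            # callable(phone_number, text): the out-of-band channel
        self.now = now                      # injectable clock for testing
        self.server_key = secrets.token_bytes(32)
        self.pending = {}                   # txn_id -> challenge record

    def _tag(self, txn, code):
        msg = f"{txn['id']}|{txn['payee']}|{txn['amount']}|{code}".encode()
        return hmac.new(self.server_key, msg, hashlib.sha256).digest()

    def issue(self, txn, phone_number):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[txn["id"]] = {
            "tag": self._tag(txn, code),
            "expires": self.now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        # Repeat the transaction details so the customer can catch an altered
        # payee or amount before approving it.
        self.send_sms(phone_number,
                      f"Code {code} approves {txn['amount']} to {txn['payee']}. "
                      f"Not you? Call the number on your card.")
        return code  # returned only so the demo/test can feed it back; do not log it

    def confirm(self, txn, code):
        rec = self.pending.get(txn["id"])
        if rec is None:
            return False
        if self.now() > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            del self.pending[txn["id"]]     # expired or locked out: customer must start over
            return False
        rec["attempts"] += 1
        if hmac.compare_digest(self._tag(txn, code), rec["tag"]):
            del self.pending[txn["id"]]     # single use
            return True
        return False


if __name__ == "__main__":
    sent = []
    verifier = OutOfBandVerifier(send_sms=lambda number, text: sent.append((number, text)))
    txn = {"id": "T1", "payee": "Acme Supply", "amount": "1250.00"}   # constructed transaction
    code = verifier.issue(txn, "+15550100")
    print("SMS sent:", sent[0][1])
    print("altered amount accepted:", verifier.confirm(dict(txn, amount="9250.00"), code))
    print("original accepted:", verifier.confirm(txn, code))
    print("replay accepted:", verifier.confirm(txn, code))
```

The six-digit space is small, so the attempt cap and the short lifetime are what make guessing impractical, not the code length.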

There are many other forms of layered security, including fraud monitoring and detection systems, transaction limits, antimalware software, and security tokens (such as read-only USB devices customers use to create a secure channel directly to the bank’s servers). Another option is “positive pay.” Under this approach, checks and ACH payments are blocked unless the payee is on a preapproved list furnished by the customer. The bank alerts the customer when a payment to anyone not on the list is presented on the account and gives the customer an opportunity to allow the transaction before it is paid.
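A payee-based positive pay filter combined with the transaction-limit layer mentioned in the same paragraph, as an added example written for this page (not code from the article or from any bank’s system). Items to a preapproved payee within the limits are released; anything else is held and the customer is alerted to allow or reject it. The payee names, limits and the `Payment` fields are constructed for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal


def normalize(name):
    """Match 'ACME Supply ' to 'acme supply' so a harmless spelling difference
    does not hold an item, while a genuinely different payee still does."""
    return " ".join(name.casefold().split())


@dataclass
class Payment:
    payee: str
    amount: Decimal
    kind: str            # "check" or "ach"


@dataclass
class PositivePayProfile:
    approved_payees: set       # payees preapproved by the customer
    per_item_limit: Decimal    # transaction-limit layer
    daily_limit: Decimal
    held: list = field(default_factory=list)   # items awaiting the customer's decision


def evaluate(profile, payment, spent_today):
    """Return ("release" | "hold", reason). Held items are never paid silently."""
    if payment.amount > profile.per_item_limit:
        return "hold", "exceeds per-item limit"
    if spent_today + payment.amount > profile.daily_limit:
        return "hold", "would exceed daily limit"
    approved = {normalize(p) for p in profile.approved_payees}
    if normalize(payment.payee) not in approved:
        return "hold", "payee not on approved list"
    return "release", "payee approved and within limits"


def run_batch(profile, payments):
    """Process a day's presentments in order, tracking released totals."""
    spent = Decimal("0")
    decisions = []
    for p in payments:
        decision, reason = evaluate(profile, p, spent)
        if decision == "release":
            spent += p.amount
        else:
            profile.held.append(p)
        decisions.append((p.payee, str(p.amount), decision, reason))
    return decisions


def alert_text(payment, reason):
    """The notice sent to the customer for a held item."""
    return (f"{payment.kind.upper()} for {payment.amount} to {payment.payee} was held "
            f"({reason}). Reply ALLOW to pay it or REJECT to return it.")


def customer_allows(profile, payment, add_payee=False):
    """The customer's decision on a held item; optionally extend the approved list."""
    profile.held.remove(payment)
    if add_payee:
        profile.approved_payees.add(payment.payee)
    return "release"


if __name__ == "__main__":
    profile = PositivePayProfile({"Acme Supply", "City Power"}, Decimal("5000"), Decimal("8000"))
    batch = [Payment("Acme Supply", Decimal("4000"), "ach"),        # constructed presentments
             Payment("acme supply", Decimal("3000"), "check"),
             Payment("Unknown Vendor", Decimal("100"), "ach"),
             Payment("City Power", Decimal("2000"), "ach")]
    for row in run_batch(profile, batch):
        print(row)
    for item in list(profile.held):
        print(alert_text(item, evaluate(profile, item, Decimal("0"))[1]))
```

Because the decision runs before payment, a fraudster who has taken over the login still cannot move money to a new payee without the customer being asked first.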

Evaluate your risk

The right level of security for your bank depends upon its risk profile. Conduct annual online fraud risk assessments to ensure that you have sufficient controls in place. Depending on your level of risk, you also might consider engaging an IT consultant to conduct network penetration testing to reveal any security gaps.