As banks turn their attention to stronger authentication technologies in the wake of recent guidance from the US Federal Financial Institutions Examination Council, it’s important that they don’t overlook transaction-level controls, several security experts say.
The FFIEC guidelines call on banks to upgrade single-factor authentication processes, which are typically based on usernames and passwords, by adding a second stronger form of authentication during online transactions.
The FFIEC guidelines, which banks will be audited against starting in December 2006, has focused considerable industry attention on technologies that will allow banks to add a second form of authentication on top of that already used. While such measures will play a part in security, it would be a mistake to focus on stronger authentication alone as a way to mitigate online risk, says Alenka Grealish, an analyst at Celent, a financial services consultancy in Boston.“I think its important to not only pay attention to how we secure the door to the bank, but also to what should be done when or if a criminal finds his way through that door,” Grealish says. “The entire anti-fraud strategy of a bank needs to be emphasised,” not just stronger authentication, Grealish says.
From a security standpoint, threats such as phishing and Trojans can already bypass some of the strong authentication technologies available today, says Jonathan Penn, an analyst at Forrester Research in Cambridge, Massachusetts. As a result, better transaction monitoring, account monitoring and behaviour modeling are needed to detect and prevent fraud, Penn says.
Swedish bank Nordea, for example, was forced to shut down its online services for several hours earlier this month, after phishers reportedly tried to trick bank clients into parting with one-time passwords Nordea had supplied as part of a strong authentication system.
More recently, the Bank of New Zealand was forced to suspend internet banking services for several hours after phishers attempted to steal customer log-ins and passwords by directing them to a spoof website that was an exact replica of the bank’s site.
Stronger authentication by itself is of little value in protecting users in such cases, according to Penn.
“If all of a sudden I change my address and then request a replacement credit card that should raise a lot of red flags — and it has nothing to do with authentication.”
Real-time transaction monitoring and account behaviour modeling techniques have been used for years to combat fraud in the credit card industry, says Ted Crooks, vice president of global fraud solutions at Fair Isaac in Minneapolis.
Fair Isaac’s Falcon fraud management technology has been widely used by credit card issuers since the early 1990s to detect and prevent fraud. At a high level, the technology works by monitoring transactions and account activity in real time, looking for and flagging any behaviour that deviates from the norm, Crooks says.
Such tools have helped credit card companies reduce fraud from roughly US$0.18 per $100 about 15 years ago to just over US$0.05 per $100 currently, and can help in the retail banking sector, he says.
Another company that offers similar technology is New York-based Actimize, whose suite of fraud prevention products is aimed at helping financial institutions deal with online issues such as account takeovers, identity theft, and cheque and account application fraud.
“Today, in the credit card world, every single transaction is scored for the chance of it being fraudulent,” says Naftali Bennet, CEO of Cyota, a New York-based vendor of fraud management technologies for the banking sector. Banks, too, need to put in similar monitoring systems to score every single activity for risk, particularly at a time when phishing, pharming and targeted Trojan attacks are becoming more common, he says.
“It’s important to secure against today’s and tomorrow’s threats,” Bennet says. “Many authentication solutions that seem like magic bullets today will not stop fraudsters,” he says.