The anonymity of the Internet has fostered an environment in which bank account takeover flourishes. Just as advancements in technology have boosted the capabilities of today’s Internet banking platforms, they have also given cybercriminals new opportunities to exploit the same advances. Phishing attacks on online banking customers continue to rise; the threat of identity theft looms large in the minds of consumers; and card-not-present fraud remains a global scourge.
Most instances of payment fraud used to be opportunistic: perpetrated by a small group of individuals working together, often with the assistance of an insider for larger attacks. In recent years, the banking industry has tracked the development of more sophisticated fraud patterns, coordinated by groups across the Internet in search of banking systems with major security weaknesses. Once a vulnerable institution is identified, the group typically plans a large-scale attack to be launched when defenses are at their weakest.
With the threat mounting, the immediate reaction is to build additional barriers to mitigate the risks. That is a step in the right direction, but such measures can make services much harder to use and can end up pitting security against the quality and convenience of the services offered.
Financial institutions know that they are constantly under attack, but assume that only a small percentage of these attacks will actually succeed. The fact is, however, that the rules and risk management systems that the industry has developed over the past 20 years are quickly losing traction against increasingly sophisticated cybercriminals.
The current security archetype, which focuses on classifying each transaction as matching either a “valid” or a “fraud” pattern, is obsolete. If banks continue to center their risk practices on separating a few valid transactions from millions of fraud attacks, fraudsters will eventually find a way in and wreak havoc on the institution. While these successful attacks clearly have a negative impact on banks internally, they also lead to a customer perception that systems are less secure than they might actually be.
Rewrite the Status Quo
To strengthen security while boosting end-user convenience, focus on customer authentication and transaction approval processes. Regardless of the banking channel being used to manage a transaction, reliable customer authentication is increasingly critical to a bank’s bottom line. This is all the more so with the move to providing real-time payments. These transactions must be flagged as final and irrevocable within a matter of seconds.
Today’s banks have myriad choices when shopping around for a transaction authentication product, but many of the more common systems available (including those employing fixed and one-time passwords) have become progressively more vulnerable to malware and man-in-the-middle attacks.
The most popular systems use one-time passwords delivered to banking customers through expensive hardware or software tokens, or via SMS text or automated voice message to their mobile phones. To secure the one-time password delivery channel, some banks add a further layer of security, such as knowledge-based authentication, digital certificates or biometrics.
As different as these methods may seem, they share a basic flaw: continued reliance on browser-based communication back to the bank. If a phishing site mimics the bank’s online banking portal, or if the browser has been compromised by malware, the customer’s login credentials and one-time password can easily be captured by cybercriminals and immediately used to access accounts.
Rather than continue with these easily compromised systems, banks in the know are adopting new security standards that use advanced cryptography to verify their customers’ identities and authenticate transactions in real time and entirely out of band — thus benefiting from a vastly more reliable means of combating fraud without impacting negatively on the end-user experience.
Unlike one-time passwords and expensive hardware tokens, a digital certificate-based authentication system, coupled with transaction signing, can eliminate virtually all types of man-in-the-middle attacks. Securely encrypted private keys are deployed to online banking customers’ mobile phones, transforming them into personal transaction authentication devices that can meet the highest levels of security a bank deems necessary. Transactions are individually signed before they are confirmed in a one-touch verification process so simple and intuitive it requires virtually no customer education.
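As an added illustration of the signing flow described above (example code, not from the article or from Entersekt), the Go program below models a private key held on the customer's device signing the exact transaction fields the customer confirms, and the bank verifying that signature with the public key enrolled for the customer. The key generation, the field names and the sample values are assumptions; the point shown is that a payee or amount altered in transit after signing, as a man-in-the-middle would attempt, fails verification at the bank.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction holds the fields the customer sees on the phone and the bank
// executes. Both sides sign/verify exactly these fields, so any change to
// them between the two parties breaks the signature. (Assumed structure.)
type Transaction struct {
	ID     string // bank-assigned, unique per transaction (replay protection)
	Payee  string
	Amount int64 // minor units, e.g. cents
}

// canonical returns the byte string that is hashed and signed: fixed field
// order and separators so both parties hash the same bytes.
func canonical(tx Transaction) []byte {
	return []byte(fmt.Sprintf("id=%s|payee=%s|amount=%d", tx.ID, tx.Payee, tx.Amount))
}

// deviceSign runs on the customer's phone: it hashes the transaction the
// user just confirmed and signs the digest with the device's private key.
func deviceSign(priv *ecdsa.PrivateKey, tx Transaction) ([]byte, error) {
	digest := sha256.Sum256(canonical(tx))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// bankVerify runs at the bank: it recomputes the digest over the transaction
// it is about to execute and checks the device signature with the enrolled key.
func bankVerify(pub *ecdsa.PublicKey, tx Transaction, sig []byte) bool {
	digest := sha256.Sum256(canonical(tx))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	// Enrolment: key pair generated on the device, public key registered at the bank.
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tx := Transaction{ID: "tx-0001", Payee: "ACME Utilities", Amount: 12500} // constructed sample
	sig, _ := deviceSign(priv, tx)
	fmt.Println("original verifies:", bankVerify(&priv.PublicKey, tx, sig))
	// A browser-side manipulation changes payee and amount after the device signed.
	tampered := Transaction{ID: tx.ID, Payee: "Mule Account", Amount: 500000}
	fmt.Println("tampered verifies:", bankVerify(&priv.PublicKey, tampered, sig))
}
```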
In the end, those institutions that simply maintain the status quo will continue to experience successful online account takeover attacks, and risk declining profits and the loss of customers to competitors that inspire greater confidence. In any case, why continue to write off fraud losses when improved technology can eliminate fraud altogether?
Doug Parr is senior vice president of Entersekt. For more information visit www.entersekt.com.