Banks Urged to Look for Stronger Security

As banks turn their attention to stronger authentication technologies in the wake of recent guidance from the Federal Financial Institutions Examination Council, it’s important that they don’t overlook transaction-level controls, several security experts said.

The FFIEC on Oct. 12 released guidelines that call on banks to upgrade single-factor authentication processes, which are typically based on usernames and passwords, by adding a second, stronger form of authentication during online transactions.

The FFIEC guidelines, which banks will be audited against starting in December 2006, has focused considerable industry attention on technologies that will allow banks to add a second form of authentication on top of those already used. While such measures will play a part in security, it would be a mistake to focus on stronger authentication alone as a way to mitigate online risk, said Alenka Grealish, an analyst at Celent LLC, a financial services consultancy in Boston.

"I think its important to not only pay attention to how we secure the door to the bank, but also to what should be done when or if a criminal finds his way through that door," Grealish said. "The entire antifraud strategy of a bank needs to be emphasized," not just stronger authentication, Grealish said.

From a security standpoint, threats such as phishing and Trojans can already bypass some of the strong authentication technologies available today, said Jonathan Penn, an analyst at Forrester Research Inc. in Cambridge, Mass. As a result, better transaction monitoring, account monitoring and behavior modeling are needed to detect and prevent fraud, Penn said.

Swedish bank Nordea AB, for example, was forced to shut down its online services for several hours earlier this month after phishers reportedly tried to trick bank clients into parting with one-time passwords Nordea AB had supplied as part of a strong authentication system.

More recently, the Bank of New Zealand was forced to suspend Internet banking services for several hours after phishers attempted to steal customer log-ins and passwords by directing them to a spoofed Web site that was an exact replica of the bank’s site, according to a statement from the bank.

Stronger authentication by itself is of little value in protecting users in such cases, according to Penn.

"It’s not just about the authentication," he said. "If all of a sudden I change my address and then request a replacement credit card, that should raise a lot of red flags -- and it has nothing to do with authentication."

Real-time transaction monitoring and account behavior modeling techniques have been used for years to combat fraud in the credit card industry, said Ted Crooks, vice president of global fraud solutions at Fair Isaac Corp. in Minneapolis.

Fair Isaac’s Falcon fraud management technology has been widely used by credit card issuers since the early 1990s to detect and prevent fraud. At a high level, the technology works by monitoring transactions and account activity in real time, looking for and flagging any behavior that deviates from the norm, Crooks said.

Such tools have helped credit card companies reduce fraud from roughly US$0.18 per $100 about 15 years ago to just over US$0.05 per $100 currently, and can help in the retail banking sector, he said.

"Because you can’t possibly know all the places where there might be leaks, what you need is this final view of the entire behavior of an account," Crooks said.

Another company that offers similar technology is New York-based Actimize Ltd., whose suite of fraud prevention products is aimed at helping financial institutions deal with online issues such as account takeovers, identity theft, and check and account application fraud.

"Today in the credit card world, every single transaction is scored for the chance of it being fraudulent," said Naftali Bennet, CEO of Cyota Inc., a New York-based vendor of fraud management technologies for the banking sector. Banks, too, need to put in similar monitoring systems to score every single activity for risk, particularly at a time when phishing, pharming and targeted Trojan attacks are becoming more common, he said.

"It’s important to secure against today’s and tomorrow’s threats," Bennet said. "Many authentication solutions that seem like magic bullets today will not stop fraudsters," he said.

By Jaikumar Vijayan - Computerworld (US online)

Copyright © 2005 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)