As banks turn their attention to stronger authentication technologies in the wake of recent guidance from the Federal Financial Institutions Examination Council, it’s important that they don’t overlook transaction-level controls, several security experts said.

The FFIEC on Oct. 12 released guidelines that call on banks to upgrade single-factor authentication processes, which are typically based on usernames and passwords, by adding a second, stronger form of authentication during online transactions.

The FFIEC guidelines, which banks will be audited against starting in December 2006, have focused considerable industry attention on technologies that will allow banks to add a second form of authentication on top of those already used. While such measures will play a part in security, it would be a mistake to focus on stronger authentication alone as a way to mitigate online risk, said Alenka Grealish, an analyst at Celent LLC, a financial services consultancy in Boston.

“I think it’s important to not only pay attention to how we secure the door to the bank, but also to what should be done when or if a criminal finds his way through that door,” Grealish said. “The entire antifraud strategy of a bank needs to be emphasized,” not just stronger authentication, Grealish said.

From a security standpoint, threats such as phishing and Trojans can already bypass some of the strong authentication technologies available today, said Jonathan Penn, an analyst at Forrester Research Inc. in Cambridge, Mass. As a result, better transaction monitoring, account monitoring and behavior modeling are needed to detect and prevent fraud, Penn said.

Swedish bank Nordea AB, for example, was forced to shut down its online services for several hours earlier this month after phishers reportedly tried to trick bank clients into parting with one-time passwords Nordea AB had supplied as part of a strong authentication system.
More recently, the Bank of New Zealand was forced to suspend Internet banking services for several hours after phishers attempted to steal customer log-ins and passwords by directing them to a spoofed Web site that was an exact replica of the bank’s site, according to a statement from the bank.

Stronger authentication by itself is of little value in protecting users in such cases, according to Penn.

“It’s not just about the authentication,” he said. “If all of a sudden I change my address and then request a replacement credit card, that should raise a lot of red flags — and it has nothing to do with authentication.”

Real-time transaction monitoring and account behavior modeling techniques have been used for years to combat fraud in the credit card industry, said Ted Crooks, vice president of global fraud solutions at Fair Isaac Corp. in Minneapolis.

Fair Isaac’s Falcon fraud management technology has been widely used by credit card issuers since the early 1990s to detect and prevent fraud. At a high level, the technology works by monitoring transactions and account activity in real time, looking for and flagging any behavior that deviates from the norm, Crooks said.

Such tools have helped credit card companies reduce fraud from roughly US$0.18 per $100 about 15 years ago to just over US$0.05 per $100 currently, and can help in the retail banking sector, he said.
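
The two ideas described above, a suspicious sequence of account changes and activity that deviates from an account's norm, can be sketched as a small scoring routine. This is an added illustration, not code from the article and not how Falcon or any vendor product works; the event names, the seven-day window, the z-score threshold and the sample data are all assumptions.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

SEQ_FLAG = "card replacement requested soon after address change"
AMT_FLAG = "payment amount deviates from this account's norm"

# Constructed sample activity for one hypothetical account (not real data).
SAMPLE_EVENTS = [
    ("2005-10-01T09:00", "payment", 40.0),
    ("2005-10-03T12:10", "payment", 55.0),
    ("2005-10-07T18:45", "payment", 38.0),
    ("2005-10-10T08:20", "payment", 60.0),
    ("2005-10-14T13:05", "payment", 47.0),
    ("2005-10-18T19:30", "payment", 52.0),
    ("2005-10-20T23:50", "address_change", None),
    ("2005-10-22T10:15", "card_replacement", None),
    ("2005-10-23T02:30", "payment", 2500.0),
    ("2005-10-25T11:00", "payment", 58.0),
]

def score_events(events, window=timedelta(days=7), z_limit=3.0, min_history=5):
    """Return (timestamp, reason) flags for one account's time-ordered events."""
    flags = []
    history = []                 # payment amounts accepted as normal so far
    last_address_change = None
    for ts_text, kind, amount in events:
        ts = datetime.fromisoformat(ts_text)
        if kind == "address_change":
            last_address_change = ts
        elif kind == "card_replacement":
            # Sequence rule: each step is harmless alone, the pair is not.
            if last_address_change and ts - last_address_change <= window:
                flags.append((ts_text, SEQ_FLAG))
        elif kind == "payment":
            # Deviation rule: compare against the account's own baseline.
            if len(history) >= min_history:
                mu, sigma = mean(history), pstdev(history)
                if sigma > 0 and (amount - mu) / sigma > z_limit:
                    flags.append((ts_text, AMT_FLAG))
                    continue     # keep outliers out of the baseline
            history.append(amount)
    return flags

if __name__ == "__main__":
    for when, reason in score_events(SAMPLE_EVENTS):
        print(when, reason)
```

Neither rule looks at how the session was authenticated, so both still fire when the log-in itself succeeded with stolen credentials.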
“Because you can’t possibly know all the places where there might be leaks, what you need is this final view of the entire behavior of an account,” Crooks said.

Another company that offers similar technology is New York-based Actimize Ltd., whose suite of fraud prevention products is aimed at helping financial institutions deal with online issues such as account takeovers, identity theft, and check and account application fraud.

“Today in the credit card world, every single transaction is scored for the chance of it being fraudulent,” said Naftali Bennet, CEO of Cyota Inc., a New York-based vendor of fraud management technologies for the banking sector. Banks, too, need to put in similar monitoring systems to score every single activity for risk, particularly at a time when phishing, pharming and targeted Trojan attacks are becoming more common, he said.

“It’s important to secure against today’s and tomorrow’s threats,” Bennet said. “Many authentication solutions that seem like magic bullets today will not stop fraudsters,” he said.

By Jaikumar Vijayan – Computerworld (US online)