Nigel Prince has been with D+H for 14 years, serving a leadership role in various capacities. He led the Internet banking development team for several years, interfacing with many financial institutions, as well as third-party vendors and strategic partners. Nigel is now part of the D+H product management organization with specific responsibility for driving the strategy for self-service channels, which include Internet banking, mobile banking and voice banking.
You are hereResourcesOur ViewpointsCreating a Fraud Shield for Your Self-Service Channels
In today’s mobile society, self-service channels are the superstars – bringing speed, convenience and anytime access to increasing numbers of consumers. But, these online channels also attract the attention of something more sinister – criminal groups who continually launch attacks and develop new ways to commit fraud.
To encourage financial institutions to stay on top of these threats, the Federal Financial Institutions Examination Council (FFIEC) has issued a 2011 supplement to its original guidance on Authentication in an Internet Environment. This document updates the Council’s expectations around login authentication controls for high-risk online transactions that involve access to personal information or the movement of money to other parties. The reason? The previously recommended controls are no longer effective in combating today’s more sophisticated criminal.
This article takes a look at some of these guidelines, explains why they’re necessary, and discusses technology that not only satisfies these expectations, but is most effective in protecting your consumers and your institution from harm.
New Authentication Strategies and Multi-Layered Security
Remember when, “what is your mother’s maiden name” was a good way to detect fraudsters? Today, with social media, so much personal information is so readily available that a single form of verification just isn’t enough anymore. The FFIEC agrees, and is recommending a multi-layer, multi-authentication approach to fraud prevention.
The best solution starts by aggregating customer data and comparing interactions with the way that consumer usually does things to root out potential fraud. By automatically monitoring device type, location, browser type, time of day, and the cadence with which data is entered, the Internet banking solution can continuously scan activity and, when something deviates from a consumer’s normal pattern, require extra validation.
These requests should include “out-of-wallet” questions, or information that’s not easily searchable, like “what was the color of the SUV you drove in 1990?” Challenge questions on “facts” that don’t really exist in the consumer’s life – like asking an only child her brother’s first name – are also effective ways to verify identity. A criminal will more than likely guess the answer for a question the real account holder can identify as pure nonsense.
The next generation of out-of-wallet questions will include behavioral inquiries as well. For example, a question like, “How often do you order Chinese food?,” with response options of “Often,” “Seldom,” or “Never,” would personalize the authentication further for added security.
The FFEIC’s supplemental guidelines also recommend additional layers for higher-risk Internet banking situations, driving the adoption of one-time passwords. These one-time password generators, also called secure tokens, can be downloaded and saved to consumers’ desktops, mobile devices or on a key fob, and generate a random number on demand that is mapped to the specific user. This code, in combination with the user name, is then used to safely access the Internet banking site.
Many institutions are rolling out these one-time passwords to high net worth clientele and business customers. Not only does this strategy protect the bank or credit union where it has the greatest risk, but one-time passwords can act as differentiators, used to retain these highly profitable market segments, while meeting FFEIC recommendations.
Out-of-Band verifications are also increasingly used in layered security programs. Basically, Out-of-Band refers to an authentication that takes place through a separate communications channel than the one used to initiate the transaction.
For example, a person logs into an Internet banking account from a laptop and enters the password incorrectly. A random code is sent to his or her mobile device via text or through a voice response channel. The person enters that code online and can now access the Internet banking account. The idea is, if an organized crime group is infiltrating an Internet banking account, chances are they don’t have that individual’s mobile device, home phone and other channels captured, as well.
The Power of an Informed Consumer
But, all of the FFEIC’s recommendations aren’t focused on an institution’s internal operations only. They recommend that you keep your account holders informed and make them a part of your fraud prevention efforts.
Create collateral, e-mails and web site banners that keep account holders up to date on the latest threats. Let them know that you’re not going to e-mail them and ask them for their account numbers, and that you’re never going to send them an e-mail link. Make this information a part of new account onboarding – from the teller line on through other service channels. Also, let your customers know where and how to report suspected fraud. Their extra vigilance gives your institution additional protection.
The Security Continuum
It’s important to note that although these security measures work today, next year, there will be a new threat that will require a different kind of protection. Keeping your self-service channels safe is not a “once and done” deal. As long as criminals are out there, and Internet banking and mobile banking continue to grow into the channels of choice for today’s connected users, securing these channels now require an ongoing investment, year after year.
The goal goes far beyond doing the minimum required for compliance. By being diligent and keeping your online security up-to-date, you’ll not only protect your customers or members, but you’ll also protect your institution’s reputation. What could be more valuable than that?