Financial Fraud Action have recently announced that during the course of 2014 there was a 48% increase in online banking fraud in the UK, driven by a rise in malware and fraud perpetrated through social engineering.
While the FFA states that the losses are "relatively modest", it is fair to say that despite increased media coverage of the risks to customers from both malware and targeted social engineering attacks, the levels of fraud from this channel are increasing.
So what options are available to financial institutions to protect their customers, and to customers to protect themselves?
If we consider the financial institutions, first and foremost is a need to understand how customers have been compromised. For a number of years, fraudsters have been targeting institutions with poor password reset processes. By obtaining customer information through social engineering, fraudsters have been able to take over customers' accounts by passing limited ID&V processes. Once past the ID&V process, fraudsters change contact details and request online banking password resets. They subsequently gain access to the account online and withdraw funds. There is a need for financial institutions to move away from static authentication and implement knowledge-based authentication to ensure that a more robust validation of the customer is in place. Asking validation questions, for example those based on historical information (such as "where did you live 8 years ago?"), reduces the opportunity for fraudsters to pass ID&V.
Secondly, systems must be in place to monitor account activity and detect abnormal behaviour, such as increased calls to customer support, then changes to contact details, followed by a request to reset online banking passwords. Having such monitoring in place may even detect instances where internal fraud has also played a part in the process.
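As an added illustration (not part of the original article, and not any institution's actual system), the sequence described above can be written as a rule over an account event log. The event names, the seven-day window, the `min_calls` threshold and the sample records are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (account, timestamp, event type); not real data.
EVENTS = [
    ("ACC-1001", "2015-03-02T09:10", "support_call"),
    ("ACC-1001", "2015-03-02T15:40", "support_call"),
    ("ACC-1001", "2015-03-03T10:05", "contact_change"),
    ("ACC-1001", "2015-03-03T10:30", "password_reset"),
    ("ACC-2002", "2015-03-01T11:00", "password_reset"),  # reset on its own
    ("ACC-2002", "2015-03-20T11:00", "contact_change"),  # no prior support call
    ("ACC-3003", "2015-01-05T08:00", "support_call"),
    ("ACC-3003", "2015-01-06T08:00", "contact_change"),
    ("ACC-3003", "2015-03-01T08:00", "password_reset"),  # far outside the window
]

def find_takeover_patterns(events, window=timedelta(days=7), min_calls=1):
    """Flag accounts where support calls, then a contact change, then a
    password reset occur in that order within `window`.
    Returns {account: (first_call_time, reset_time)}."""
    by_account = defaultdict(list)
    for account, ts, kind in events:
        by_account[account].append((datetime.fromisoformat(ts), kind))

    alerts = {}
    for account, items in by_account.items():
        items.sort()            # chronological order per account
        calls = []              # support call times seen so far
        first_call = None       # set once a contact change follows enough calls
        for ts, kind in items:
            if kind == "support_call":
                calls.append(ts)
            elif kind == "contact_change":
                recent = [c for c in calls if ts - c <= window]
                first_call = recent[0] if len(recent) >= min_calls else None
            elif kind == "password_reset" and first_call is not None:
                if ts - first_call <= window:
                    alerts[account] = (first_call, ts)
    return alerts

if __name__ == "__main__":
    for account, (start, end) in find_takeover_patterns(EVENTS).items():
        print(f"{account}: call -> contact change -> reset between {start} and {end}")
```

Raising `min_calls` models the "increased calls" condition more strictly, at the cost of missing takeovers that need only a single call.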
Lastly, customer education still has a part to play. A number of financial institutions in the UK have provided customers with free access to online security programmes to support the existing antivirus products on their home PCs, while others have education programmes targeted at the more vulnerable in the community. There are also a number of initiatives by banks, schemes and industry bodies, working with the media to ensure the message is out there.
But while financial institutions are keen to provide protection to their customers, what can customers do to protect themselves?
First, there is a need to ensure that their home computing devices (including phones and tablets) are protected by adequate anti-virus and anti-spyware technology. And while anti-virus and anti-spyware protection is vital, it is also critical to ensure that their devices all have the latest system updates and patches, and that they are running the latest browser technology. A number of malware attacks have targeted known weaknesses in browsers and operating systems, and if a consumer has not performed the necessary updates they could be vulnerable.
Further to this, any programs or files downloaded from the internet should come from a reputable source and be scanned by the system's antivirus technology. It is well known that digital downloads can contain malware and, as the old saying goes, if a deal on software seems too good to be true, it usually is.
Finally, there is a need to protect their information, especially passwords. While it is common sense not to write your passwords down, we all know that some people still do. If there is a need to store passwords, antivirus software from some vendors contains a virtual vault to store such items. Likewise, if a person receives a call purporting to be from their bank or from law enforcement, and the caller requests their online security credentials, then the likelihood is that the call is not genuine and it should be ended and reported.
So there it is: while financial institutions are looking to protect their customers, there is still more that can be done, not only by the financial institution, but by consumers themselves.