We get a lot of questions about what banks should do to protect themselves against online fraud. There seems to be a lot of confusion which only gets worse as dozens and dozens of vendors start to fight different pieces of online fraud. This article describes
what a mature online banking fraud program looks like at top institutions:
(1) Online Fraud Awareness
Top banks use their website, emails, and in-flow reminders in their online banking system to remind customers about how to be safe online. They also make it easy and obvious for customers to report online fraud that they detect, as customer detection is
still a leading source in fraud detection.
(2) Endpoint Protection
Many banks offer a solution like Trusteer (recently bought by IBM) or Invincea to business customers as a way to provide additional security around the customer’s endpoint. These solutions aren’t offered to personal customers are frequently because most
of the online fraud risk for banks is for commercial customers. These solutions became popular in the face of man-in-the-middle and man-in-the-browser attacks as a way to “harden” the connection between a web browser and their bank.
(3) Simple Authentication
This is the 800-pound gorilla in the online fraud space. Companies like RSA and Entrust have been providing this to banks for years, and they offer basic protection around obvious attacks like mid-session IP address changes, repeated password attempts, etc.
These solutions rose to prominence in the wake of the 2005 FFIEC guidance that required banks to implement two layer of authentication (which resulted in username, password, and those largely ineffective picture recognition tests).
(4) Device Fingerprinting and Reputation
Companies like iovation, ThreatMetrix and 41st Parameter (acquired by Experian) build more accurate profiles of end user devices (web and mobile) and maintain a score of how risky these devices are, across multiple banks and retailers. The hope behind these
solutions is that they would provide the “something you have” factor in authentication, but they were increasingly defeated with the rise of man-in-the-browser Trojans that took over legitimate devices.
(5) Online Session Monitoring
Companies like Silvertail (acquired by RSA/EMC), Guardian Analytics, Tealeaf, and Intellinx have slightly different IT approaches, but all ultimately monitor how a user navigates through an online banking application. The profile a user’s “normal” behavior,
and then alert when anomalies are detected. These solutions have become increasingly popular lately as a way to detect accounts that have been hijacked by man-in-the-browser attacks.
(6) Online Transaction Monitoring
Companies like Actimize, SAS, Oracle/Mantas, and Detica look at business transactions (the payment, the change to the account) to see how normal they are compared to historical customer behavior. These solutions work similarly to Online Session Monitoring,
above, but have a very different technical approach as they largely integrate with core banking systems.
(7) Strong Authentication
Dozens of companies like Toopher, Authentify, PhoneFactor, the FIDO Alliance and RSA are using innovative approaches to provide stronger authentication mechanisms while avoiding unpleasant and inconvenient user experiences. Strong authentication continues
to be a fast growing space and is supported by the 2011 updated FFIEC guidance regarding online authentication.
(8) Brand Monitoring and Phishing Takedown
Financial institutions have a strong incentive to protect their brands and this includes identifying and minimizing phishing attacks which harm the brand and the customer. Vendors such as RSA and SecureWorks offer monitoring services to help institutions
identify and take down phishing sites. These activities help institutions minimize negative brand impact while helping to protect their customers from online criminals.
(9) Remediation Assistance
Many institutions recognize that their customers – particularly small business customers – may not have the in house expertise to solve IT security challenges which impact online banking. Some organizations have sought to provide guidance, software and education
to their clients to remove malware and harden their systems going forward. Institutions can strengthen their relationships with their customers by offering advice and referrals when a customer experiences an online fraud.`
(10) Online Fraud Risk Scoring Platform
With all of these systems in the mix, top institutions are starting to build or buy an overall risk scoring platform that combines their transaction monitoring, session monitoring, device fingerprinting, and data collected during authentication into a combined
risk score. That risk score is then used to decide when to approve or block transactions, or to ask customers to go through an additional layer of strong authentication.
Where Should I Start?
The decision on which of these pieces to implement first will be based on your institution’s online fraud risk. Most banks we’ve seen start with Online Fraud Awareness and Transaction Monitoring, but quickly move on to add other controls as their losses
increase.