AS MORE PEOPLE go online to do their banking, criminals see greater opportunities for theft. They see openings for fraud in the form of unwary newcomers to online banking and in the use of increasingly sophisticated malicious software, or “malware.”
This view was confirmed by speakers at the 2009 World Economic Forum in Switzerland, where it was reported that, worldwide, an amazing $1 trillion per year is attributed to online theft. Often this theft is carried out by large, well-organized criminal gangs, not lone hackers. The stakes are large and the threat is real.
Primary Threats to Your Banking Site
Let’s take a quick look at some of the most frequent threats and then examine the best defenses.
Malware is a generic term for the viruses, Trojans, worms, spyware, and adware that can plague computers. One of the most insidious types of malware is a keystroke logger. Just as the name implies, it can record every keystroke made on a computer and transmit the information to a fraudster. In some cases, it will even delete itself when finished, leaving no trace.
Another common ploy used by criminals is luring a user to a copycat website that looks exactly like the site of a legitimate business, frequently a financial institution. Often users are led there by a “phishing” scam: an e-mail or even a phone call claiming to be from a familiar firm and requesting that they update their personal information.
Cyber criminals also like to find people who have logged on to an unsecured wireless network. The fraudster may be able to monitor traffic, including name and password data, coming in and out of the router on an unencrypted or poorly encrypted network.
There are other threats such as spyware hidden in an otherwise desirable software program, or a spy program that infects a computer by exploiting a security hole in the user’s Web browser.
The end result of all these methods is the same: a criminal obtains a user ID, password, challenge questions, and possibly a credit card or Social Security number. Then the fraudster logs on to a bank site and grabs information needed for making transactions, or gives himself or herself ACH or wire-transfer authority.
Given the variety of methods employed by criminals, there is no single solution for keeping them at bay. It’s best to use a wide-spectrum approach with multiple layers of security. Here is a top-10 list of the best ways to safeguard your website.
1 Implement antivirus measures and up-to-date software
Both end users and financial institutions should be using reliable software that protects against malware. This software should be updated continually to protect against the latest threats. In the same manner, computers should be kept up-to-date with the security patches issued by the maker of your operating system and by the companies that make your office and financial software.
2 Educate your customers and staff
On a regular basis, include fraud education in your communications with account holders. It’s most effective to communicate on multiple fronts if you can. Use a variety of media, including Web announcements, statement stuffers, e-mails, blogs, and social site announcements. Typical reminders should:
* Explain that no one from your institution will be calling or mailing to ask for a password, Social Security number, or account number.
* Provide the phone number to call for lost or stolen cards.
* Explain how to identify phishing attempts and suspicious account activity.
* Recommend that home computers have virus protection.
Similarly, employees ought to be trained and tested in your security procedures. They should be able to recognize unusual customer behavior and know when to confirm or question transaction requests.
3 Make sure that passwords are secure
Superior password protection requires three parts. Although end users usually create their own passwords, these three factors should be under your control.
Expiration. The more frequently a user must change passwords, the less likely it is that a criminal can acquire them. For many institutions, 90 days is a reasonable length of time. There is always a trade-off between user convenience and strength of security. While you don’t want to irritate users by making it hard for them to remember a password, you’ll find them much more irritated if funds disappear from their accounts.
You may want to experiment with the appropriate balance between security and inconvenience. Is 60 days too often to ask for a password change? Is every four months not often enough? When you do establish or change the time interval, be sure to fully explain to users what is at stake.
Reuse. A good log-on system will be able to specify when a previously used password is acceptable for use again. Usually, this interval is measured by the number of times a person has changed passwords. To discourage frequent repetitions of the same word, set this option to the maximum number of password changes before reuse.
Length and strength. These are extremely important factors for the security of your site and the safety of your customers’ identities and assets. Possibly the worst choice of password is a simple English word, such as the user’s name. Instead, your log-on system should enable you to require a minimum number of characters and an alpha and numeric mix. An alphanumeric combination is strongly recommended. As for the required length of the password, this can be a tricky decision. A longer password, six to eight characters, is definitely harder to crack. On the other hand, because long passwords are more difficult to remember, people may be tempted to write them down, thereby increasing vulnerability. You’ll need to make this decision based on knowledge of your end users and the recommendations of your security specialists.
There is a simple method to help end users come up with a complex password that can be remembered. Ask users to create a sentence about their life that includes numbers, and then use characters from the sentence to create a password. For example, “My mother was born in August 1952” could translate as “mmwbia52.”
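The three controls above (expiration, reuse history, length and strength) as one small log-on policy, written here as an added example rather than code from the article or any vendor it mentions. The 90-day expiry and the eight-character floor follow the text; the reuse depth of six, the PBKDF2 cost, and the user ID check are assumptions for the example.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

# Policy values are assumptions for this example. The article names a 90-day
# expiry and "six to eight" characters; the reuse depth and KDF cost are ours.
MIN_LENGTH = 8
EXPIRY_DAYS = 90
HISTORY_DEPTH = 6        # previously used passwords that may not be reused
KDF_ITERATIONS = 100_000

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for the history store."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return salt, digest

def check_strength(password, user_id):
    """Length and alpha/numeric-mix rules; returns a list of failures (empty = ok)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("needs both letters and digits")
    if user_id.lower() in password.lower():
        problems.append("contains the user's own ID")
    return problems

def check_reuse(password, history):
    """history: [(salt, digest), ...] oldest first; True if the password is new."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return False
    return True

def is_expired(last_changed_iso, today_iso):
    """Expiration rule: force a change once EXPIRY_DAYS have elapsed."""
    last_changed = date.fromisoformat(last_changed_iso)
    return date.fromisoformat(today_iso) - last_changed >= timedelta(days=EXPIRY_DAYS)

def change_password(user_id, new_password, history):
    """Apply all three controls; on success appends the new hash to history."""
    reasons = check_strength(new_password, user_id)
    if not check_reuse(new_password, history):
        reasons.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if reasons:
        return False, reasons
    history.append(hash_password(new_password))
    return True, []
```

The article's mnemonic password “mmwbia52” passes the strength rules; submitting it a second time is rejected by the reuse check.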
4 Employ multifactor authentication
Multifactor authentication (MFA) is the kind of log-on protection that requires more than one type of identifying information. This is recommended for any high-security applications. MFA can employ something the user knows as one factor, such as password, log-on ID, or challenge questions, and something the user possesses for another factor, such as a token. A different factor could be a biometric measure, such as fingerprint authentication or information stored on the user’s computer that is used for risk scoring. A good MFA system will provide the following:
Levels of protection. The simplest form of MFA provides authentication only at log-in. A better, recommended setup requires additional authentication for ACH, wire transfers, and bill payments. Yet another level of security adds out-of-band authentication. This means there is some type of callback notification to the user. A second network, such as a phone call, is used to confirm the transaction, transfer, or whatever activity is being conducted. In this situation, a criminal who has compromised one network will still be stopped by lack of access to the second.
Connectivity protection. If your multifactor authentication is being provided by an online third-party vendor, a possible weakness is temporary loss of connection to that vendor. You should set your authentication system to automatically stop users from completing an action until communication is regained. The user should receive a message such as, “We are unable to process your request at this time. Please try again later.”
Risk-score assignment. Your authentication software creates a risk score based on information such as IP address, operating system version, computer type, and so on, and allows entry or activities based on that score. This offers more discrimination and precision in controlling access.
5 Set the risk rules
The above-mentioned risk score assignment is especially advantageous if it has modifiable rules and limits for scoring. That gives system administrators flexibility in deciding how stringent the rules are for log-in and online activities. For example, for first-time users of your site, you can require that the person create challenge questions. Typical questions are “What is your father’s middle name?” or “In what city were you born?” For users registered previously, you may set a relatively high risk score for log-in before the system will ask the challenge questions. For general payment activities, you may create a lower threshold before challenge questions are initiated. For high payments (maybe $1,000 or more), you can set your system to automatically ask challenge questions.
A good security program will enable you to test various rules in order to measure their effectiveness and perfect your security parameters. Authorization reports also will help you evaluate effectiveness and review any cases that may be flagged as potential problems.
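The risk-score rules of items 4 and 5 (challenge questions for first-time users, a per-activity threshold, an automatic challenge at $1,000 or more, and failing closed when the scoring vendor cannot be reached) as an added example; this is not the article's code or any vendor's product. The $1,000 line and the "unable to process" message come from the text; the thresholds, the per-signal point values, and the `Profile` shape are assumptions.

```python
UNAVAILABLE_MSG = ("We are unable to process your request at this time. "
                   "Please try again later.")

# Modifiable rules. The $1,000 high-payment line comes from the article; the
# challenge thresholds and the per-signal point values are assumed for the example.
RULES = {
    "login": {"challenge_at": 60},
    "payment": {"challenge_at": 30},
    "high_payment_amount": 1000,
}
SIGNAL_WEIGHTS = {"ip": 40, "os": 20, "device": 25}   # points per mismatch

class VendorUnavailable(Exception):
    """Raised when the third-party scoring service cannot be reached."""

class Profile:
    def __init__(self, known, challenge_questions_enrolled=False):
        self.known = known                      # signals recorded at enrollment
        self.enrolled = challenge_questions_enrolled

def local_risk_score(observed, profile):
    """Add points for every signal (IP, OS, device type) that differs from the profile."""
    return sum(w for k, w in SIGNAL_WEIGHTS.items()
               if observed.get(k) != profile.known.get(k))

def decide(activity, observed, profile, amount=0, scorer=local_risk_score):
    """Returns 'allow', 'challenge', 'enroll', or ('deny', message).
    'scorer' is the risk-scoring function, possibly a remote vendor call."""
    if not profile.enrolled:
        return "enroll"                  # first-time users must create challenge questions
    if activity == "payment" and amount >= RULES["high_payment_amount"]:
        return "challenge"               # high payments are always challenged
    try:
        score = scorer(observed, profile)
    except VendorUnavailable:
        return ("deny", UNAVAILABLE_MSG)  # fail closed: the action does not go through
    return "challenge" if score >= RULES[activity]["challenge_at"] else "allow"
```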
6 Consider using security tokens
Security tokens are a very secure option that significantly reduces risk. They usually come in the form of a smart card, a small chip, or a device on a key ring. Tokens in the form of cell-phone software are likely to become more common in the future.
A good token uses a one-time password. Each time you use it, or at set intervals, a new password is generated. This password is time-synchronized with the authentication server or otherwise matched in such a way that the server will recognize it. If criminals manage to capture a one-time password, it will be useless to them since a new password will already be in place.
Security tokens often are used by employees of business customers who need administrative access to high-security information or large amounts of money. All users must have the token in their physical possession to access their accounts.
7 Put restrictions on IP address and time
Some security software programs will enable you to establish a list of valid IP (Internet Protocol) addresses. An IP address is a unique numerical label assigned to each device that connects to a computer network. The system will check a “whitelist” of allowed IP addresses. Anyone attempting to log in from a different address will receive a message that he or she is not an authorized user. This particular security option is effective only for users who have a static IP address, as opposed to a dynamic IP address. A static IP address is one that is permanently assigned to users by their Internet service provider, whereas a dynamic IP address is one that changes each time a user signs on.
A time restriction, on the other hand, will assign specific days and time periods to users and enable access only during those times. For example, if there is an attempted log-on from a computer when that computer’s user is not scheduled to be at work, access is denied.
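The IP whitelist and time-of-day restriction together, as an added example (not the article's or any product's code). The allowed networks, the weekday schedule, and the user name are constructed for the example; the "not an authorized user" response is the article's.

```python
import ipaddress
from datetime import datetime

# Constructed policy: allowed networks (static addresses, per the article's
# caveat) and a work schedule as weekday (0 = Monday) -> (start_hour, end_hour).
USER_POLICY = {
    "acme_payroll": {
        "allowed_networks": ["203.0.113.0/29", "198.51.100.42/32"],
        "schedule": {0: (8, 18), 1: (8, 18), 2: (8, 18), 3: (8, 18), 4: (8, 18)},
    }
}
NOT_AUTHORIZED = "You are not an authorized user."

def ip_allowed(user, addr):
    """True if addr falls inside one of the user's whitelisted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False                    # malformed address: treat as not listed
    nets = (ipaddress.ip_network(n) for n in USER_POLICY[user]["allowed_networks"])
    return any(ip in n for n in nets)

def time_allowed(user, when):
    """True if the log-on time falls inside the user's scheduled window."""
    window = USER_POLICY[user]["schedule"].get(when.weekday())
    return window is not None and window[0] <= when.hour < window[1]

def authorize_login(user, addr, when_iso):
    """Both restrictions must pass; otherwise return the article's message."""
    if user not in USER_POLICY:
        return False, NOT_AUTHORIZED
    when = datetime.fromisoformat(when_iso)
    if not (ip_allowed(user, addr) and time_allowed(user, when)):
        return False, NOT_AUTHORIZED
    return True, ""
```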
8 Put hold restrictions on new users
If a criminal manages to gain access to the credentials of a cash management administrator on your network, you could be in trouble. The fraudster can create a new, authorized cash management user and start originating transactions as that person.
Prevent this scenario by using your fraud management tools to automatically put new users on hold. Set up a rule that the new user is not given authority until an employee at a specified management level approves. You can have an e-mail alert automatically sent to the appropriate staff for approval.
9 Enable core processor settings for cash management
Your core system may enable security settings that keep a lid on dangerous activities:
Bank overrides. This enables authorized bank personnel to override default security settings, thereby allowing customization of certain settings to conform to the institution’s risk model.
E-mail alerts and notifications. These settings will alert administrators to specified account activities such as ACH batch initiation and wire activity. These alerts will occur via e-mail or an SMS text message.
ACH host parameters. Your core system may enable company-level ACH parameters, setting validations for batch initiation, company- and batch-level validation, and calendar validation.
Dual control. This setting ensures that a single user does not have the ability to create and initiate a batch. It must be done in tandem with another authorized user.
Manual batch notification. This requires customer notification through a separate notice, such as e-mail, phone, SMS text message, or fax, to prevent batch initiation that is not authorized by the customer.
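The new-user hold of item 8 and the dual-control setting of item 9, as one added example of how a cash management system can enforce them; this is not the article's code or a core processor's feature. The management level required to approve, the alert text, and the extra rule that the administrator who created a user may not be the one to release it (which is what stops the scenario in item 8 when a single administrator account is compromised) are assumptions of the example.

```python
MANAGER_LEVEL = 3   # assumed: lowest management level allowed to release a held user

class User:
    def __init__(self, name, level, on_hold=True, created_by=None):
        self.name, self.level = name, level
        self.on_hold = on_hold          # new cash management users start on hold
        self.created_by = created_by
        self.approved_by = None

class CashManagement:
    def __init__(self):
        self.users = {}
        self.alerts = []                # e-mail alerts that would go to approvers

    def create_user(self, creator, name, level):
        """Rule: a new user gets no authority until a manager approves."""
        self.users[name] = User(name, level, created_by=creator)
        self.alerts.append(f"approval needed: {creator} created user {name}")

    def approve_user(self, approver, name):
        a, u = self.users[approver], self.users[name]
        # Assumed extra rule: the account that created the user may not approve it,
        # so one compromised administrator cannot both create and release a user.
        if a.on_hold or a.level < MANAGER_LEVEL or approver == u.created_by:
            raise PermissionError(f"{approver} may not approve {name}")
        u.on_hold, u.approved_by = False, approver

    def create_batch(self, user):
        if self.users[user].on_hold:
            raise PermissionError(f"{user} is on hold")
        return {"created_by": user, "initiated_by": None}

    def initiate_batch(self, batch, user):
        """Dual control: the user who created the batch may not initiate it."""
        if self.users[user].on_hold or user == batch["created_by"]:
            raise PermissionError("dual control: a second authorized user must initiate")
        batch["initiated_by"] = user
        return batch
```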
10 Use a stand-alone computer for cash management
Industry security experts recommend the use of a stand-alone computer to perform high-level cash management activities. Make certain that the computer is secure and not used for Web surfing or e-mail.
The Value of Customer Trust
Most of these top 10 strategies for website security are commonsense precautions that are simple to implement. Others may require a technology or software upgrade. Your return on investment in this area is usually obvious, considering the time, trouble, and cost of fraudulent activity.
Equally important but less visible is the fact that fraud can significantly damage your relationship with account holders. When you take steps to prevent fraud, you’re also preserving customer trust. What is the value of your customers’ confidence? You can’t quantify it, but you know you’ve got to have it in order to attract and retain customers and realize your business and growth goals.