Online fraud: new threats, better deterrents (December 2010)
As online transactions have soared, so has malware.
According to an Online Banking Security Survey by PhoneFactor, a provider of two-factor authentication, 69% of respondents indicated an increase in attacks over the past 12 months. About half (51%) cited real-time attacks from online banking trojans as the greatest threat. Password phishing came in second at 24%.
Trojans like ZeuS are said to have infected 90% of the Fortune 500, and newer threats such as SpyEye are emerging, so these fears are not ungrounded. ZeuS and similar malware work by installing themselves underneath the user’s web browser. From that position they can steal passwords or even inject transactions the user never requested, without the true user being aware of them. This browser-based malware especially targets ACH transactions and wire transfers.
Since 2005, Federal Financial Institutions Examination Council (FFIEC) guidelines have been in place to ensure that banks are using layers of security to combat fraud threats. Doug Johnson, vice-president of Risk Management Policy at ABA, expects these guidelines to be revised to better fit more recent authentication measures. “Our desire is to assist the agencies in understanding what measures banks are utilizing so the guidance is reasonable from a business as well as from a security standpoint,” he says.
Some of the recent authentication measures include two-factor authentication. “Banks, to varying degrees, have some two-factor deployed to at least a small subset of their customers,” says Sarah Fender, vice-president of Marketing & Product Management for PhoneFactor. This subset consists primarily of commercial customers, and the two-factor system typically includes tokens, which dispense a one-time pass code to holders. Tokens do little to ward off malware, which can steal pass codes from browsers, according to Fender. To better combat this fraud, “out-of-band” authentication measures have emerged.
This approach uses a different channel from the one the transaction is using. PhoneFactor, for example, uses the telephone channel. When users attempt to make a transaction online, an automated call or text asks them to confirm the transaction by voice (checked by biometrics) or by sending a text message back.
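The following simulation, added here and not code from PhoneFactor or any bank, shows in a few lines why a token code typed into the browser does not stop a browser-resident trojan, while reading the received transaction details back over a second channel does. Names such as `Transfer`, `token_flow` and `out_of_band_flow`, the seed and the sample transfers are all constructed for the example.

```python
"""Token OTP versus out-of-band confirmation against a browser trojan (simulation)."""
import hmac
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    payee: str
    amount_cents: int

# Constructed sample data: what the customer intends, and what a trojan sitting
# under the browser substitutes after the customer has approved the transfer.
INTENDED = Transfer("Acme Supplies", 125_000)
INJECTED = Transfer("mule account 4471", 950_000)
TOKEN_SEED = b"constructed-per-customer-seed"  # shared by the token and the bank

def token_code(counter: int) -> str:
    """Event-based one-time code: it depends only on the token counter, not on
    any transaction, so whoever captures it can attach it to anything."""
    digest = hmac.new(TOKEN_SEED, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def browser(transfer: Transfer, trojan: bool) -> Transfer:
    """The browser channel; with a trojan present, the submitted transfer is rewritten."""
    return INJECTED if trojan else transfer

def token_flow(intended: Transfer, trojan: bool, counter: int = 7):
    """Customer types the token code into the browser; the bank checks only the code."""
    submitted = browser(intended, trojan)
    code = token_code(counter)                  # read off the token, typed into the browser
    if hmac.compare_digest(code, token_code(counter)):
        return submitted                        # valid code: the bank executes what arrived
    return None

def out_of_band_flow(intended: Transfer, trojan: bool):
    """The bank reads the payee and amount it actually received back over the phone
    channel, which the trojan cannot edit; the customer approves only on a match."""
    submitted = browser(intended, trojan)
    phone_prompt = f"Confirm {submitted.amount_cents / 100:.2f} to {submitted.payee}?"
    expected = f"Confirm {intended.amount_cents / 100:.2f} to {intended.payee}?"
    approved = phone_prompt == expected         # the customer compares against intent
    return submitted if approved else None
```

With the trojan present, `token_flow` executes the injected transfer while `out_of_band_flow` executes nothing, which is the difference the article describes.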
Improved customer knowledge can help, as well. “It’s time for commercial banks to get to know their customers better,” says Brian Krebs, of KrebsOnSecurity.com. “One way to adopt that stance is to shift the focus of customer authentication from authenticating the user to trying to authenticate their activity. This can take the form of profiling transactions, profiling the customer’s website usage habits, etc.”
By recognizing and authenticating client activity, banks can flag unusual activity and intercept a fraudulent transaction. Of course, customers need to make efforts to protect themselves from fraud, as well.
“It’s not that there’s a problem with the [online] channel,” says Lin Abbot, CISM, chief information security officer for $10.5 billion-assets Citizens Republic Bancorp, Flint, Mich. “The key is that people understand how different internet usage behaviors can make them more exposed, and how to protect themselves by changing their behaviors.”
The electronic version of this article is available at: http://www.nxtbook.com/nxtbooks/sb/ababj1210/index.php?startid=24