Out-of-band puts fraud out of bounds
December 6, 2011
By John Ginovsky
First Midwest Bank, of Itasca, Ill., like many banks, endeavored to protect its commercial clients and comply with FFIEC authentication requirements by rolling out a system of security tokens.
In mid-rollout, however, someone hijacked a customer’s one-time password from the security token and very nearly completed a fraudulent funds transfer. Fortunately, the bank caught it through a back-end monitoring process and the transaction never went through. Everyone admitted, however, that it was a very close call.
So close that the bank immediately halted the token rollout and embraced a different approach, generally known as “out-of-band authentication.” The FFIEC guidance defines this as any technique that verifies the identity of the individual originating a transaction through a channel different from the one the customer used to initiate it. For example, when a customer initiates an online transaction, a computer or network-based server can generate a telephone call, an email, or a text message. When the proper response, such as a verbal confirmation or an accepted-transaction affirmation, is received, the transaction is consummated.
More recently, in FFIEC’s supplement to this guidance, the agency says, “The use of out-of-band authentication or verification, for administrative changes to online business accounts, can be an effective control to reduce fraudulent funds transfers.”
First Midwest found this to be true very soon after it offered it to its business accounts, through a solution provided by PhoneFactor, of Overland Park, Kan. Within two weeks after it was put in place, “there was an attempted fraudulent transfer. The legitimate account holder was alerted to that through an automated phone call from PhoneFactor and was able to block the transfer. First Midwest was also notified that an attack was in progress,” says Sarah Fender, vice-president for marketing and product management at the security company, in an interview with ABABJ Tech Topics.
“We strongly believe that out-of-band transaction verification is critical to stopping threats that have become more sophisticated and virulent,” says Jorge Solis, senior vice-president of security at the bank. “We are very pleased to be able to offer this extended level of security to our clients who view us as their trusted business partner.”
The bank makes signing up for this protection extremely easy. A separate web page in its Business Banking section explains everything. The customer simply enters the company’s name, telephone numbers, email, and contact person in boxes provided.
The page also describes how the real-time fraud alerts work: if a user receives a phone call to verify a transaction he or she did not initiate, the user can simply submit a fraud alert during the call. This locks the account and instantly notifies the bank’s fraud department that the user’s session has been compromised and an attack is in progress.
The key point in out-of-band authentication (or OOB) is its dual-channel nature. Because an online banking trojan runs on the same computer that is used for online banking, the trojan can hijack a user’s banking session without being detected by the online banking application or the end user. Such malware is effectively logged in along with the legitimate user, and once it is in, one-time passcodes can be intercepted: the trojan sees the code the moment the user types it into the browser, and because the code proves only that the user holds the token, not what transfer the user meant to make, the trojan can submit it with an altered payee or amount.
That is not possible when the authenticator is located on a completely different system that communicates with the user over a different channel. PhoneFactor’s Fender says her company has provided OOB authentication for some time through automated phone calls and text messages. That system reacts almost instantaneously when a bank’s client initiates a transaction, presenting the details of the requested transfer as the bank received them and then asking the user to confirm, which is done by clicking an icon. If the transfer is not authentic, a real-time alert is sent to the bank and the transfer is blocked.
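The following simulation, added here as an illustration and not code from the article, the bank, or PhoneFactor, shows why the channel split matters. A simulated man-in-the-browser trojan rewrites the payee of a transfer after the user has typed an in-band one-time code, and the bank, which can only check that the code is valid, executes the altered transfer. In the out-of-band flow the bank reads back the details it actually received over a second channel, the user compares them with what they intended, and a mismatch triggers the fraud alert, account lock, and fraud-desk notification described above. Account numbers, the token seed, the mule account, and the phone-message wording are all constructed for the example; the OTP is a simplified HMAC-based code, not a full RFC 4226 implementation.

```python
"""In-band OTP vs out-of-band transaction verification against a
man-in-the-browser trojan. All accounts, seeds and messages are
constructed sample data for this example, not real bank data."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    from_acct: str
    to_acct: str
    amount_cents: int

    def describe(self) -> str:
        return (f"transfer of ${self.amount_cents / 100:,.2f} "
                f"from account {self.from_acct} to account {self.to_acct}")


# Constructed sample data: what the legitimate user intends to send.
INTENDED = Transfer(from_acct="1001", to_acct="2002", amount_cents=50_000)
MULE_ACCOUNT = "9999"  # constructed attacker-controlled account


def man_in_the_browser(t: Transfer) -> Transfer:
    """The trojan rewrites the payee inside the browser; the user's screen
    still shows account 2002, but the bank receives the mule account."""
    return Transfer(t.from_acct, MULE_ACCOUNT, t.amount_cents)


# --- In-band: token OTP typed into the same (compromised) browser session ---
TOKEN_SEED = b"constructed-token-seed"  # assumed shared secret, example only


def token_otp(counter: int) -> str:
    """Simplified HOTP-style 6-digit code (HMAC-SHA1 over a counter)."""
    mac = hmac.new(TOKEN_SEED, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def inband_otp_flow(intended: Transfer, trojan_present: bool, counter: int = 7):
    """Return the transfer the bank executes, or None if the OTP is rejected."""
    otp = token_otp(counter)  # user reads the code off the hardware token
    submitted = man_in_the_browser(intended) if trojan_present else intended
    # The trojan forwards the OTP unchanged. The bank can only check that the
    # code is valid; nothing in the code ties it to the payee or amount.
    if hmac.compare_digest(otp, token_otp(counter)):
        return submitted
    return None


# --- Out-of-band: bank phones the user with the details it actually received ---
class OobVerifier:
    def __init__(self):
        self.locked_accounts = set()
        self.fraud_desk_alerts = []

    def verify(self, submitted: Transfer, intended_by_user: Transfer):
        """Deliver the submitted transfer over the phone channel. The user,
        comparing it against what they meant to send, confirms or reports fraud."""
        pending_id = secrets.token_hex(4)
        phone_message = (f"Ref {pending_id}: confirm {submitted.describe()}? "
                         f"Press 1 to confirm or 9 to report fraud.")
        # Simulated user on the phone. The trojan on the PC cannot see or
        # alter this channel, so the user sees the real payee.
        response = "1" if submitted == intended_by_user else "9"
        if response == "1":
            return "approved", submitted, phone_message
        # Fraud alert: lock the account and notify the bank's fraud desk.
        self.locked_accounts.add(submitted.from_acct)
        self.fraud_desk_alerts.append((pending_id, submitted))
        return "fraud_alert", None, phone_message


def oob_flow(intended: Transfer, trojan_present: bool, verifier=None):
    """Return (status, executed transfer or None, verifier with its side effects)."""
    verifier = verifier or OobVerifier()
    submitted = man_in_the_browser(intended) if trojan_present else intended
    status, executed, _ = verifier.verify(submitted, intended)
    return status, executed, verifier


if __name__ == "__main__":
    print("in-band, trojan present:", inband_otp_flow(INTENDED, True))
    status, executed, v = oob_flow(INTENDED, True)
    print("out-of-band, trojan present:", status, executed, v.fraud_desk_alerts)
```

The decisive detail is what the second channel carries: not just “approve?” but the payee and amount the bank is about to act on. An out-of-band prompt that omitted those details would be no stronger than the in-band token, since the user would approve whatever the trojan submitted.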
In early December, PhoneFactor announced it has extended its OOB authentication product to iPhones and iPads, and expects soon to apply it to Android devices. Fender says the cost to banks is “materially less expensive than one-time password tokens. It leverages an existing device, the telephone. There’s nothing to purchase, deploy, or manage for commercial account holders.” She adds that banks usually absorb the cost, balanced by a return on investment based on reduced fraud losses, customer attrition, and the ability to attract new customers.