As Deadline Passes, Some Banks Going Beyond Compliance Guidelines
According to the FFIEC, any system that permits the movement of funds to other parties or access to customer information is deemed high-risk, necessitating stronger authentication or additional controls. At a minimum, this means two-factor or layered single-factor authentication. In two-factor authentication, the user presents both something he knows, such as a password or PIN, and something he owns, such as a PC, phone, or one-time password. In layered single-factor authentication, the user presents two of the same factors (e.g., two separate passwords). This is as far as most banks go in authenticating customers.
To fully protect customers and assets requires going beyond these measures, however. Leading-edge banks have implemented a layered approach to online security that incorporates a combination of mutual authentication, device recognition, biometrics, and one-time password tokens.
According to an Oct. 2006 report by Javelin Research, the extra protection of this layered approach more than compensates for any potential inconvenience it may cause. "Consumers would prefer receiving a phone call to be informed of unusual and potentially fraudulent activity on their accounts, to waking up to find their bank accounts empty the next morning," the report says.
Midwest Independent Bank has implemented a mutual authentication system for its cash management customers that allows the flexibility of remote logon from anywhere while providing a secure authentication mechanism. “Standard passwords no longer provide the level of security that is required in today’s online environment," said David Vandeven, president and CEO of Midwest Independent Bank.
In December, HSBC USA deployed a fraud detection system to enhance the protection it provides to customers to prevent identity theft and fraud. “The system provides additional online authentication and fraud monitoring, which will enhance the measures the bank already employs to safeguard customer information and assets when banking over the Internet,†said Martin Hayes, senior vice president and head of e-business at HSBC USA.
The system includes a state-of-the art risk engine that offers layered, risk-based authentication and fraud prevention capabilities. It runs behind the scenes, utilizing advanced anomaly detection technology which flags potentially fraudulent activity while continuing to ensure a favorable user experience and timely delivery of services.
Wells Fargo & Co. has upgraded its consumer online banking with new technologies including real-time risk analysis software that determines if someone is trying to log in from a different PC and location, a risk management system that detects fraud by analyzing transaction and session behavior, and one-time password tokens for high-dollar transactions. “The fight against online fraud is a continuous and comprehensive effort and an evolutionary process,†said Jim Smith, executive vice president of Wells Fargo’s Internet channel and products. “No one solution can solve the problem of online security. We favor a layered security approach to protect our most important assets, our customers.â€
The upgrades are continuing, says Smith. "Wells Fargo relies on a vigilant and steadfast approach to online security – a layered approach and best-of-breed solutions – to protect customers’ information and funds in a way that is seamless and also does not inconvenience them.â€
Nevada State Bank has enhanced its online banking with mutual authentication technology called SecurEntry. The technology provides two-way security, authenticating the bank’s Web site to its customers and the customer’s identity to the bank.
“While no invasions of customer accounts have occurred at Nevada State Bank to date, there is every reason to remain diligent and take security to the next level,†said Bill Martin, Nevada State Bank's chairman and CEO. “SecurEntry can tell if the client is at their own computer. They'll know it's us and we'll know it's them."
Customers continue to access accounts using their current login ID and password. In addition, they will be asked to set up a personalized SecurEntry profile. First, they select a picture from a wide variety of images and create a corresponding caption. After setup, users will see their secret picture and phrase each time they log in so that they can be assured that they are accessing Nevada State Bank’s Internet Banking site, rather than an impostor site.
The setup takes only a few minutes. Thereafter, time spent logging in to accounts should be comparable to the time spent prior to the addition of SecurEntry features.
SecurEntry also allows the bank to use risk management and transaction analysis tools to identify potentially fraudulent activities. The result is end-to-end protection for the bank and its customers against phishing, spoofing, key logging, and other fraudulent attacks.