Retail Payments Risk Forum
Portals and Rails

April 14, 2014

Danger Ahead! ATM Cash-Outs

The Federal Financial Institutions Examination Council (FFIEC) issued a warning in April to financial institutions about criminals continuing to launch attacks against ATM and web-based card management systems, especially those of small- to medium-size financial institutions (FIs). Dubbed "unlimited operation" by the U.S. Secret Service, this type of attack can saddle a financial institution with fraud losses in the millions of dollars. As we highlighted in a post from last May, a bank in Oman experienced this type of attack in late 2012, which resulted in a loss to the bank of almost $40 million. Imagine the impact of a loss of that magnitude on a small to midsized FI.

These attacks are especially concerning for a number of reasons. First, the criminal organizations that carry them out are highly sophisticated and well-organized, and they have an international reach. The Oman attack included a money mule network across 26 countries—including the United States—performing more than 36,000 withdrawals in a 12-hour period.

Second, unlike typical counterfeit card fraud attacks that involve a large number of accounts, the criminals behind the card management system frauds need to compromise only a small number of card accounts. The attack that resulted in the $40 million loss involved only 12 accounts. Early in this type of operation, the criminals generally obtain the PINs of the cards for these accounts by conducting some sort of covert surveillance (pinhole camera or shoulder surfing). They then counterfeit the cards using those PINs.

Third, the attacks are generally timed to take place around holidays, when bank, IT, and fraud monitoring staff levels are low.

Fourth, the criminals get remote access to the financial institutions' card management systems to reset account balances and card withdrawal parameters. They can then use the counterfeit cards over their pre-established transaction limits or balances and drain the ATMs of all cash. The criminals usually obtain access to FIs' networks using e-mail phishing schemes that target processor or network employees. Through gullible employees, malware is loaded onto the network that later gives the criminals access to the FIs’ card management systems.

Major online networks now have transaction velocity monitoring capability, which detects a high number of transactions on an individual account. This approach is necessarily only a secondary and reactive measure, not a preventive measure.

FIs should immediately address the risk mitigation steps that the new FFIEC warning outlines. Because the vast majority of small to midsized FIs depend on third-party processors to run their card management systems, it is imperative all FIs verify that their processors have the controls and safeguards in place to prevent such attacks, and they should insist on seeing validation of those controls.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 14, 2014 in ATM fraud, cards, cybercrime, fraud | Permalink

March 24, 2014

The Fraudsters Are Omni-Channel--and Omnipresent

"Omni-channel banking" is an in-vogue term for what bankers have known for quite some time: customers can access multiple channels to conduct their banking, have a preference for one over the others, and that preference to a large degree reflects their ages. Despite their primary preference, these consumers are likely to use multiple delivery channels, and when they do, they want a seamless experience when moving from one to another. The banking industry has struggled to successfully implement such an experience. Achieving this seamlessness is difficult because the industry has historically had a vertical organizational structure, in which each distribution channel has its own strategic plan and sometimes even an independent technology, which leads to differences among the channels. For example, if a customer were to check his or her account balance from an ATM or automated call center, the balance can differ from the one a teller inside a branch would give.

Unfortunately, criminals have also adopted omni-channel usage, and at an even faster pace—they are not concerned with having a transparent or seamless experience. In fact, they seem to be more successful when there are disparate systems because that makes the detection of fraudulent activity more difficult. For example, we have seen criminal attacks move from in-branch armed robberies to ATM cash-out cyberheists. Why risk a physical confrontation and mandatory jail sentence when you can work anonymously and actually get a greater haul? We are also aware of cross-channel fraud activity within the electronic channels. In one case, e-mail phishing attacks led to a customer unwittingly disclosing online banking credentials (user ID and password) and then fraudulent payments or wires being initiated through the online channel. In a recent post, we talked about how criminals often target call centers. They use social engineering techniques to gain sufficient account information to fraudulently access accounts through a variety of channels.

A lesson from these incidents is that financial institutions must take a holistic view of fraudulent activity and not just a channel-specific view. For major losses, they have to perform forensics to determine the channel where the fraudulent effort began, not just the channel where the actual fraudulent transaction occurred. Only after such investigative work can the financial institution identify the weak points in its systems and processes and take the necessary steps to fortify them to provide a higher level of protection against future attacks.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 24, 2014 in banks and banking, crime, cybercrime, financial services | Permalink

January 27, 2014

The Importance of Partnerships between the Private Sector and Law Enforcement

Helen Keller once said, "Alone we can do so little; together we can do so much." As the "forum" part of our name implies, we tend to agree with Helen Keller's comment on collaboration. The mission of the Retail Payments Risk Forum (RPRF) is to identify, detect, educate, and encourage mitigation of risk in retail payment systems. We firmly believe that one of the ways to achieve our mission is to collaborate with industry participants, regulators, and law enforcement. And while we convene our own forums to encourage collaboration, ample opportunities for collaboration between law enforcement and the private sector exist beyond the boundaries of the RPRF.

Below are descriptions of organizations that are built on such collaborations.

  • Financial Services Information Sharing and Analysis Center (FS-ISAC): An organization dedicated to gathering and disseminating reliable and timely information from financial services providers, security firms, local, state, and federal law enforcement agencies, and other trusted resources related to physical and cyber threats against the financial services community.
  • National Cyber-Forensics & Training Alliance (NCFTA): A nonprofit corporation with formal partnerships/agreements with more than 40 U.S. private-sector organizations and more than 15 U.S. and international law enforcement or regulatory agencies. The NCFTA enlists subject matter experts from stakeholder organizations to share real-time intelligence regarding cyber threats and supports the development of joint proactive strategies to better identify, mitigate, and ultimately neutralize threats.
  • Electronic Crimes Task Forces: Led by the United States Secret Service, these groups bring together federal, state, and local law enforcement with prosecutors, private industry, and academia for the purpose of preventing, detecting, investigating, and mitigating attacks on the nation’s financial infrastructures. Groups are structured through local field offices and organized in most major metropolitan areas.
  • InfraGard: Led by the Federal Bureau of Investigation, this association with representatives from the private sector, academia, and state, local, and federal law enforcement agencies is dedicated to sharing information and intelligence to prevent hostile acts against the United States. Like the Electronic Crimes Task Force, InfraGard is comprised of groups organized by FBI field offices in major metropolitan areas.
  • Anti-Phishing Working Group (APWG): An organization that seeks to unify the global response to cybercrime across industry, government, and law enforcement through data sharing, education, and standards development.

Each of these groups is different, but the common thread is information sharing between the private sector and law enforcement. This collaboration increases knowledge and awareness of threats and is often required to effectively capture and prosecute the masterminds behind attacks on financial institutions and their customers. I encourage our readers to learn more about and take advantage of these opportunities and others for collaboration between law enforcement and the private sector.

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

January 27, 2014 in collaboration, cybercrime, law enforcement | Permalink

November 25, 2013

Maintaining a Strong Defense with Layered Security

A medieval castle generally had many lines—or layers—of defense to protect itself and its inhabitants from outside attackers. For example, it would have an outer perimeter with a high berm making the passage of horse-drawn weapons difficult. This berm would surround a vast, open space that allowed the enemy no cover. Closer to the castle would be the moat, which enclosed high fortress walls with ramparts that allowed the human defenders to fire down on attackers while still having protective cover. An enemy that successfully breached all layers of security was a strong enemy indeed—or a friend, someone with proper security clearance, who was permitted to pass through.

This multilayered security is highly effective in today's computer age. Financial institutions that haven't done so already should institute such a strong online authentication process. This process would require an individual who needs to access an account to go through multiple layers of authentication according to the risk level associated with the intended transactions. For someone checking an account balance, for example, a user ID and a password may be sufficient. But for someone initiating a wire transfer request for $50,000, more layers of authentication tools are appropriate and in keeping with the 2005 Federal Financial Institutions Examination Council's supplemental guidance for internet banking to implement more robust controls as the risk level of the transaction increases.

Panel members at a recent forum cosponsored by the Secure Remote Payment Council and the Atlanta Fed's Retail Payments Risk Forum provided their assessment of the security tools that can improve online customer authentication. They did this by assigning scores to individual tools based on a scale of 1 to 10, with 1 being extremely weak and 10 being extremely strong. While members gave pretty low scores to each individual tool, they pointed out that a combination of these tools would significantly raise the strength of the authentication process, and presumably the scores of these combinations would be higher.

As the table shows, only one of the tools had an average score above 5.

[Table: panel scores for individual online authentication tools; not reproduced here]

We cannot say it enough: no single authentication method provides a complete solution. A strong customer/transaction authentication program uses a combination of hardware and software security tools to minimize the success of unauthorized account access. The program also incorporates customer education and training and internal policies and procedures to provide a well-rounded defense.

Portals and Rails is interested in how you would score the various tools and how your institution is implementing a multilayered authentication strategy.

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 25, 2013 in authentication, banks and banking, cybercrime | Permalink

Comments

Interesting that tokens scored that high, with malware bypassing them and the overhead of physical management of the hardware.

But, agree 100%...layered security is the only direction to go in.

Posted by: Matthew | November 25, 2013 at 09:24 AM

November 18, 2013

Forum Focuses on Best Practices and Other Tools to Fight Payments Fraud

The Retail Payments Risk Forum and the southeastern Regional Payments Associations (RPAs) cohosted an Executive Fraud Forum at the Atlanta Fed on October 30. Forum attendees engaged with speakers and panelists on such issues as the latest payments fraud trends, legislation and regulation, and best practices for financial institutions to mitigate risk in today's dynamic payments environment.

In one session, Federal Reserve Bank of Atlanta senior examiner Tony DaSilva discussed best practices to combat cybercrime. Cybercrime remains top of mind for financial institutions because denial-of-service attacks, which overload an institution's computers so customers cannot access their account information, can affect an institution's reputation and divert attention away from account takeover attempts. Account takeover is when a fraudster uses malware to attempt to steal a customer's valid online credentials and direct payments—often via wire and ACH—out of the customer's account. DaSilva suggests that financial institutions should assume that their systems are infected, and thus constantly, proactively monitor for cybercrime.

DaSilva also highlighted the importance for an institution's board and management to understand the nature of current cyber threats, assign adequate IT resources, and use industry tools to contend with cybercrime. DaSilva also emphasized the importance of following regulatory guidance.

A critical piece of regulatory guidance in this area is the Federal Financial Institutions Examination Council's (FFIEC) 2011 supplement to its 2005 guidance, Authentication in an Internet Banking Environment. The updated guidance recognizes the changing nature of cyber threats, including account takeovers, and emphasizes three areas of responsibility for institutions.

  • Periodic risk assessments, at a minimum every 12 months, are important. In these assessments, institutions should consider the current threat landscape, changes in customers, and actual incidents, and then make adjustments to customers' authentication controls.
  • Layered security for high-risk Internet-based systems should at a minimum detect and respond to anomalies and have robust controls for system administrators of business clients.
  • Education should focus on making consumer and business customers aware of security steps, and should explain federal consumer protection provisions, risk controls offered by the institution, and relevant institution contacts.

For more on this topic, view Tony DaSilva's video interview and presentation on the conference web page.

By Deborah Shaw, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

November 18, 2013 in cybercrime, malware, regulations | Permalink

August 05, 2013

Gone Phishing: How Your Employees' Bad Security Habits Can Impact Your Business

Phishing is the practice of sending an e-mail that appears to originate from a legitimate representative of a company or government agency in an effort to get the recipient to click on an embedded link. The link takes the individual to a cleverly disguised imposter of a legitimate website. Here, the targeted victim is asked to enter various account credentials that the criminal records and uses later to access the individual's accounts. A refined version of phishing, known as "spear-phishing," targets specific employees to try to gain access to their companies' financial accounts or files. At mid-sized to large companies, such an e-mail could appear to be an internal directive from HR or IT.

While early phishing efforts were easier to spot through their spelling and grammatical errors or poor company logo reproductions, many criminals have become more sophisticated. They now produce well written and convincing messages with high-quality graphics that make the messages appear legitimate and create a sense of urgency. In some cases, a criminal's success in writing a convincing message comes through the practice of social engineering. He or she "researches" targeted individuals by gathering information about their interests, activities, family, and friend names, travels and other personal information through their social network sites. The criminal weaves some of this information into the phishing message. For example, if the criminal sees you are an avid golfer, you might get an e-mail that seems to be from a sporting goods company asking you to enter a sweepstakes contest to win a set of clubs. Most people would never think of providing information such as birthday, place of birth, or other personal data to a stranger they meet on the street, but often do so without hesitation on social websites.

Many employers provide periodic workplace security training including warnings not to click on links that are unknown or appear to be suspicious. Despite such efforts, an investigation conducted after a criminal online intrusion generally reveals that an employee did such a thing to start the chain of events. That employee's actions resulted in the disclosure of the information necessary to illegally access the company's accounts or to download malware into the employee's computer that sniffed for the account credential information and later relayed it to the criminal. Unfortunately, many small businesses neglect this education and find themselves victims of major financial losses that can threaten the viability of their entire businesses.

There are hardware and software solutions that provide some layer of protection to a business, but the best protection is having educated and aware employees who receive frequent training and reminders about the importance of solid workplace computer safety practices. Employees must be made to understand that lax or weak online security practices in their personal lives can be harmful to themselves and to their employers.

Tell us: how do you protect yourself and your business from phishing?

By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 5, 2013 in cybercrime, fraud, malware | Permalink

July 15, 2013

In Memory of a Beloved Colleague: Protecting Your Bank Account

This repost of a blog post, originally published on April 8, 2013, is in memory of our beloved colleague and friend, Michelle Castell. Michelle died earlier this month after a long and courageous battle against cancer. The blog summarizes a white paper Michelle wrote earlier this year concerning online account takeovers, a topic that is still timely. Michelle was new to the world of payments when she joined the Retail Payments Risk Forum in mid-2012. In her enthusiasm to learn about payments, she experimented with different payment types and channels to gain a personal understanding of how they work and the risks they pose. Michelle was immediately intrigued and concerned by the account takeover risks posed to consumers and businesses from the alarming growth of malware on mobile phones. It was through her personal and enthusiastic approach to her work that Michelle became an advocate for improved consumer education when it comes to payments security—which is the conclusion of this post and her account takeover white paper. You can find a link to the white paper at the end of the post.

Today's news is loaded with stories of account takeovers of both businesses and individuals. With an alarming frequency, accounts are hacked, identities are stolen, and money disappears. Has the availability of smartphones and their increased use for conducting social, financial, and personal business sparked this increase? With a 78 percent penetration rate in the United States alone, mobile phones are not going away, and smartphone growth is catching up.

Currently, there are 6 billion mobile subscribers worldwide, with more than 1.2 billion of them accessing the web at any given time. These individuals are shopping, banking, watching videos, playing interactive games with other players, texting, or e-mailing on their devices. Smartphone users are actually three times more likely to provide their log-in information when prompted than those accessing the Internet from a personal computer, according to the computer and network security company RSA. Given these trends, fraudsters are once again taking advantage of the weak spot and using technology to spread malware onto mobile phones.

[Chart: Less than 50% of Mobile Consumers Find Many Dangerous Behaviors to be Risky]

While the number of individuals accessing the web is staggering, perhaps even more amazing is the increased usage of mobile devices for sending text messages. In 2011 alone, more than eight trillion text messages were sent. As such, text messaging fraud—or “smishing,” a term created from the abbreviation for short message service SMS—is now becoming a tool of choice for fraudsters.

Is your phone protected? Studies conducted in the United States and abroad show that only 4 to 10 percent of all phones have antivirus software, compared to over 80 percent for personal computers. It's just as easy for a cybercriminal to gain access to your financial institution through a mobile text or a mobile e-mail account as it would be on a computer. Could protection and education about mobile security be the ticket to reducing account takeovers? I believe it can. Taking a bite out of that 90-percent statistic for unprotected smartphones most certainly will deflect attacks that could penetrate through to the financial environment. T-Mobile recently announced it was teaming up with Lookout virus protection to begin shipping most Android models with out-of-the-box protection against malware and viruses. This move could be a significant first step in virus protection, especially if other phone manufacturers were to follow suit.

What can you do? Well, there are a few things, including:

  • Install a certified virus application on all family devices and set them to run weekly (many good options are free).
  • Don't change the default security restrictions by jailbreaking your device. Only download applications from a reputable vendor application marketplace (Google Play store or iTunes, for example).
  • Review and make sure you understand any pop-ups, e-mails, or texts before you click.

For more information related to account takeovers, check out the Risk Forum's recent survey paper, "Mitigating Online Account Takeovers: The Case for Education."

By Michelle Castell, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed

July 15, 2013 in cybercrime, identity theft, mobile banking | Permalink

June 03, 2013

Do Digital Currencies Need Bank Secrecy Act Regulations?

Nearly two years ago, a Portals and Rails post looked at digital currencies and posed the question, "Will the use of alternative currencies gain popularity in the criminal world?" It appears that the answer to the question is "yes." According to the recent indictment of a digital currency provider, the currency under question "was designed to give criminals a way to move money earned from credit card fraud, online Ponzi schemes, child pornography and other crimes without being detected by law enforcement," ultimately building up a $6 billion money laundering operation.

At the heart of the issue with this particular digital currency is its anonymous nature. Payment instruments that provide anonymity do attract the criminal element. Anonymity is a major reason cash remains king when it comes to payments for illicit activities. The anonymity that prepaid cards provided in their earlier years attracted the criminal element, which ultimately resulted in regulators attaching Bank Secrecy Act/anti-money laundering (BSA/AML) regulations to these instruments.

There is no doubt that digital currency has benefits over paper and coins. The convenience of not having to lug around paper and coins is appealing to me, as is the fact that I wouldn't feel the need to scrub my hands after handling digital currency since it's no secret that paper money and coins are dirty. I am all for the success of digital currencies and can't wait for them to become more mainstream. But I believe that as long as any digital currency continues to support anonymity, it will be difficult for that to happen.

While regulation can stifle innovation, I believe that BSA/AML regulation of digital currencies could help increase the adoption of this type of payment instrument by the mainstream. One need look no further than the prepaid card industry to understand the potential impact. Many factors have played into that industry’s phenomenal growth rate, but the BSA/AML regulatory requirements also played a role by providing a credibility to prepaid cards that did not exist in their infancy.

What are your thoughts on the need for BSA/AML regulation of digital currencies?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

June 3, 2013 in cybercrime, emerging payments, money laundering, regulations | Permalink

Comments

Great post.
In my opinion all e-currencies need to be regulated, especially the more popularly used ones. It will be sad to see another one going down like LR.

Posted by: Bhagesh Nair | June 04, 2013 at 04:48 PM

May 20, 2013

ATM Cash-Outs: A Major Escalation

The banking news this week has been dominated by the story about the two ATM cash-out schemes that netted the criminals a total of $45 million. (We mentioned the $40 million fraud involving prepaid cards issued by a bank in Oman in a post earlier this month.) The news articles and opinion pieces have focused on what I consider secondary aspects of this attack—counterfeit card production and prepaid cards. Some observers have pointed to this attack as further justification for a faster move to EMV reader capability in the United States. While it is certainly true that an EMV-only environment will virtually eliminate counterfeit card crimes such as this, the reality is that a dual EMV-magnetic stripe environment is going to exist, both here in the United States and the rest of the world, for quite some time. And while some categorize the United States as the only EMV holdout, the fact that 94 percent of the ATM cash withdrawals took place at ATMs outside the United States shows that we are not the non-EMV island that we are often portrayed as. Others have pointed out that the targeted cards were tied to prepaid accounts, implying or outright stating that a prepaid card management application is less secure than a regular debit card management application. This is not the case, as the fraud was not a product or an access device issue.

The real threat from this attack comes from the criminals' ability to gain access to the card management application on a real-time basis. It is still unclear whether they gained the account number and PIN from accessing the card management system or through the more traditional skimming means. What is clear is that they had the ability to continually replenish account balances and reset usage limit parameters during the 10–13 hour attack that involved more than 3,600 withdrawal transactions from ATMs located in 26 different countries. The investigation of the two processors located in India will tell if there was some level of insider involvement or if the criminals learned how to gain access to the card application and make the changes to keep the fraudulent attack going.

So how should bankers and card management processors address these concerns? I would suggest they consider an immediate review and understanding of their card management application access controls that identify the personnel having the authority to make "on-the-fly" changes to specific account parameters. Some access is required for actions such as flagging a reported lost or stolen card, but other parameters should be completely off limits or tightly controlled and monitored. Another safeguard would be to have account velocity monitoring, which would identify unusual card usage activity or usage from different parts of the world occurring at about the same time.
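The velocity monitoring mentioned above (and in the April 2014 post on unlimited-operation attacks) can be illustrated with a small, defender-side detector. The following is an added example, not code from Portals and Rails or from any processor; the withdrawal feed and the card-management audit log are constructed sample data, and the thresholds (five withdrawals per hour, three countries per hour, a two-hour correlation window) are assumed values, not figures from the posts. It flags three things the posts describe: a burst of withdrawals on one account, one card used in several countries at about the same time, and a reset of a balance or withdrawal limit followed by heavy withdrawals.

```python
"""Detection logic for ATM cash-out patterns over a constructed transaction feed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample withdrawals (not from the post):
# (ISO timestamp, account id, ATM country code, amount in USD).
WITHDRAWALS = [
    ("2013-05-19T23:00:00", "acct-12", "US", 400),
    ("2013-05-19T23:04:00", "acct-12", "JP", 500),
    ("2013-05-19T23:09:00", "acct-12", "GB", 450),
    ("2013-05-19T23:12:00", "acct-12", "MX", 420),
    ("2013-05-19T23:15:00", "acct-12", "US", 400),
    ("2013-05-19T23:18:00", "acct-12", "DE", 480),
    ("2013-05-19T10:00:00", "acct-77", "US", 60),   # ordinary activity
    ("2013-05-19T18:30:00", "acct-77", "US", 100),
]

# Constructed audit log of card-management parameter changes:
# (ISO timestamp, account id, parameter, old value, new value).
PARAM_CHANGES = [
    ("2013-05-19T22:50:00", "acct-12", "daily_withdrawal_limit", 500, 1_000_000),
    ("2013-05-19T23:10:00", "acct-12", "balance", 120, 1_000_000),
]

# Parameters that should only change through a controlled, monitored path.
SENSITIVE_PARAMS = {"daily_withdrawal_limit", "balance"}


def _ts(s):
    return datetime.fromisoformat(s)


def velocity_alerts(withdrawals, max_count=5, window=timedelta(hours=1)):
    """Return {account: peak count} for accounts exceeding max_count
    withdrawals inside any sliding window of the given length."""
    by_acct = defaultdict(list)
    for t, acct, _, _ in withdrawals:
        by_acct[acct].append(_ts(t))
    alerts = {}
    for acct, times in by_acct.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window start
                start += 1
            count = end - start + 1
            if count > max_count:
                alerts[acct] = max(alerts.get(acct, 0), count)
    return alerts


def geo_dispersion_alerts(withdrawals, min_countries=3, window=timedelta(hours=1)):
    """Return {account: distinct countries} for accounts used in at least
    min_countries different countries within one window."""
    by_acct = defaultdict(list)
    for t, acct, country, _ in withdrawals:
        by_acct[acct].append((_ts(t), country))
    alerts = {}
    for acct, events in by_acct.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            countries = {c for t, c in events[i:] if t - t0 <= window}
            if len(countries) >= min_countries:
                alerts[acct] = max(alerts.get(acct, 0), len(countries))
    return alerts


def parameter_reset_alerts(changes, withdrawals, window=timedelta(hours=2)):
    """Correlate sensitive parameter changes with withdrawals that follow them.
    Returns (account, parameter, old, new, amount withdrawn within window)."""
    alerts = []
    for t, acct, param, old, new in changes:
        if param not in SENSITIVE_PARAMS:
            continue
        t0 = _ts(t)
        after = [amt for wt, a, _, amt in withdrawals
                 if a == acct and t0 <= _ts(wt) <= t0 + window]
        if after:
            alerts.append((acct, param, old, new, sum(after)))
    return alerts


if __name__ == "__main__":
    print("velocity:", velocity_alerts(WITHDRAWALS))
    print("geo dispersion:", geo_dispersion_alerts(WITHDRAWALS))
    for a in parameter_reset_alerts(PARAM_CHANGES, WITHDRAWALS):
        print("parameter reset followed by withdrawals:", a)
```

The third check is the one the post's access-control advice points at: a change to a balance or limit parameter is itself an event worth logging and alerting on, and correlating it with the withdrawals that follow turns a reactive velocity alert into something closer to the "tightly controlled and monitored" posture the post asks for.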

This highly sophisticated and coordinated attack is a game changer for the security controls of all types of card management applications. Let us know how you are responding.

By Dave Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

May 20, 2013 in ATM fraud, cybercrime | Permalink

April 29, 2013

It's Time for Better Online Authentication Solutions

I recently read a news story in my daily news feed about litigation between a bank and corporate customer related to an account takeover, and the liability of the loss from a fraudulent transfer. Unfortunately, it seems that I am reading these types of stories far too often these days.

Online corporate account takeovers are an important issue in the payments risk world and have been the subject of our blog in the past. Even with stringent security procedures in place, including two-factor authentication (2FA) and out-of-band verification, companies remain high-risk targets. Undoubtedly, employees will slip up and procedures will be ignored, actions that ultimately result in fraudsters getting their hands on account or network credentials that give them access to corporate bank accounts. Although ongoing and comprehensive employee education is vital, improving authentication techniques and requiring their use are critical to better mitigate online account takeover risks.

Requiring some form of authentication is better than requiring none. Yet the current state of our “some” generally consists of a user name coupled with knowledge-based authentication of a password and, if 2FA is being used, usually a set of challenge questions. Knowledge-based authentication is often ineffective due to the use of weak passwords and the ability of fraudsters to find answers to challenge questions through public sources or social engineering. So then, what is the most effective and reasonable authentication standard moving forward? Biometrics? Security tokens? Dynamic password generators?
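The point made here, and in the November 2013 post on layered security (a user ID and password for a balance inquiry, more layers for a $50,000 wire), comes down to a policy check that a session must pass before an action runs. The following is an added example, not code from Portals and Rails or from any bank's system; the factor names, the per-tier requirements and the $10,000 wire threshold are constructed assumptions. The design choice worth noticing is that layers are counted by factor category (knowledge, possession, inherence), so a password plus challenge questions is still a single knowledge layer, which is exactly why that form of "2FA" is weak.

```python
"""Risk-tiered step-up authentication check (constructed illustration)."""
from dataclasses import dataclass, field

# Each factor belongs to one category; a layer only counts if its category is new.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "challenge_questions": "knowledge",
    "otp_token": "possession",
    "out_of_band_call": "possession",
    "fingerprint": "inherence",
}

# Constructed policy: distinct factor categories required per risk tier.
POLICY = {"low": 1, "medium": 2, "high": 3}

# Constructed threshold, not a figure from the posts.
WIRE_STEP_UP_THRESHOLD = 10_000


def risk_tier(action, amount=0):
    """Map a requested action (and amount) to a risk tier."""
    if action == "balance_inquiry":
        return "low"
    if action == "bill_pay":
        return "medium"
    if action == "wire":
        return "high" if amount >= WIRE_STEP_UP_THRESHOLD else "medium"
    raise ValueError(f"unknown action {action!r}")


@dataclass
class Session:
    user: str
    completed_factors: set = field(default_factory=set)

    def distinct_categories(self):
        # Unknown factor names are rejected rather than silently counted.
        return {FACTOR_CATEGORY[f] for f in self.completed_factors}


def authorize(session, action, amount=0):
    """Return (allowed, categories still missing) for the requested action.
    When not allowed, the caller should step the user up through one of the
    missing categories instead of asking for another knowledge factor."""
    have = session.distinct_categories()
    needed = POLICY[risk_tier(action, amount)]
    if len(have) >= needed:
        return True, set()
    return False, set(FACTOR_CATEGORY.values()) - have


if __name__ == "__main__":
    weak = Session("acme-treasury", {"password", "challenge_questions"})
    strong = Session("acme-treasury", {"password", "otp_token", "fingerprint"})
    print(authorize(weak, "balance_inquiry"))     # allowed
    print(authorize(weak, "wire", 50_000))        # denied: two knowledge factors = one layer
    print(authorize(strong, "wire", 50_000))      # allowed
```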

Fortunately, both the public and private sectors are working to develop improved authentication solutions. The National Strategy for Trusted Identities in Cyberspace (NSTIC) is a federal initiative developed to encourage collaboration between the public and private sectors in developing interoperable technology standards and policies whereby individuals and organizations can be authoritatively authenticated. In addition, the FIDO (Fast Identity Online) Alliance is a private-sector initiative created to change the nature of online authentication by developing specifications that will supplant the reliance on passwords. I do not know whether any of these groups or another entity will be successful in solving our authentication challenge, but I do know fraudsters are hoping their success isn’t any time soon. What are your thoughts on improving online authentication?

By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

April 29, 2013 in account takeovers, cybercrime, fraud | Permalink
