What Do Financial Institutions Need to Do in Order to Be Vigilant Against Identity-Based Online Attacks?

Written by Mark Reeves, SVP International for Entrust

Today, financial institutions (FIs) offering internet-based and mobile-banking services face increasing pressure to provide enhanced consumer protection against phishing, sophisticated malware and fraudulent activities.

Malware, phishing and fraud attacks are increasing. According to Kaspersky Labs IT Threat and Evolution Report for Q2 2013 more than 100,000 unique mobile malware samples were detected in that quarter which is substantially more than the previous quarter. In fact,  this was the most significant statistical category in both quantity and complexity in the report, indicating that not only are cybercriminals developing more malware targeting mobile platforms, they’re also advancing their capabilities and behaviours.  The UK also has the third highest incidents of phishing websites. Not surprisingly, payment services (47.6 percent) and financial services (27.32 percent) are the most targeted verticals.

Mark Reeves

How can FIs protect themselves against online attacks? Our advice is to invest in long-term solutions that enable FIs to adjust their security controls to keep pace with ever-changing and evolving threats.

Here are Entrust’s five best practice recommendations to protect against identity-based online attacks:

1.       Drive better risk assessment

Assess online transactions and the level of risk these present by type of transaction or user group in order to develop risk mitigation strategies. Be sure to assess specific attributes such as customer type, volume and capability of your transaction methods, information sensitivity and existing security, ease of use and the customer experience, and how mobile devices are interacting with your environment.  Consider not only financial loss, but also liability, corporate risk and reputational damage. And don’t just do this once, review and refresh this assessment at least every 12 months.   The risk assessment will help you to map out potential impacts and the security service levels required.

2.       Adopt strong authentication standards

Today’s threats require stronger means of authentication than simple usernames and passwords, particularly for high risk financial transactions such as wire transfers.  Traditional two-factor authentication solutions such as one-time password tokens and SMS-based authentication are no longer effective against, for example, sophisticated man-in-the-browser attacks if used on their own. Even SMS-based multi-factor authentication, while better than single-factor authentication, is vulnerable to SMS redirection malware. There are, however, a number of newer techniques that provide the level of protection required either through the use of a separate communication channel with the user or by relying on advanced behaviour-based fraud detection engines that can automatically detect transaction or website navigation anomalies in real-time.

3.       Take a layered approach

It is worth noting that no single authentication or traditional fraud detection solution can stop advanced malware on banks and other FIs.  It is the layering of different complimentary security technologies such as strong authentication, behavioural fraud detection, out-of-band transaction verification, mobile authentication and extended validation SSL digital certificates that provide the best method of protecting customer identities and transactions in a banking environment.

4.       Explore advanced authentication techniques

The good news is that today, there are a wide range of strong advanced authentication techniques available. As online fraud attacks increase in sophistication, so does the innovation in authentication technology required to stop these attacks in the consumer space. FIs should explore these advanced techniques like mobile-based transaction verification, dynamic device authentication – including one-time session cookies and digital fingerprints – rather than broadly using static device cookie-based approaches.   Remember however, threats are ever-changing and growing. This means FIs must have an ongoing programme of investment to evolve their technology, people and processes. Security in this area should not be a one-time exercise.

5.       Enhance customer awareness and education

Finally, we also advise that FIs involve the customer as much as possible to help fight fraud. Ongoing education and training programmes should be in place to ensure that everyone does their best to help protect and mitigate today’s threats.  For example, some progressive banks are deploying security measures that notify customers when suspicious transactions are in progress and ask the customer to confirm that a given transaction is valid.

It is vital that consumer confidence is maintained. No bank or FI can afford the reputational damage that an online attack can cause. Continuous investment in security systems, processes and people is a must rather than a nice-to have, otherwise banks risk leaving customer data vulnerable to attack.

If you are interested in finding out more about how FIs can implement identity-based security to win the war against online attacks, why not download our latest whitepaper: It’s Cyber Warfare

Written by Mark Reeves, SVP International for Entrust

Today, financial institutions (FIs) offering internet-based and mobile-banking services face increasing pressure to provide enhanced consumer protection against phishing, sophisticated malware and fraudulent activities.

Malware, phishing and fraud attacks are increasing. According to Kaspersky Labs IT Threat and Evolution Report for Q2 2013 more than 100,000 unique mobile malware samples were detected in that quarter which is substantially more than the previous quarter. In fact,  this was the most significant statistical category in both quantity and complexity in the report, indicating that not only are cybercriminals developing more malware targeting mobile platforms, they’re also advancing their capabilities and behaviours.  The UK also has the third highest incidents of phishing websites. Not surprisingly, payment services (47.6 percent) and financial services (27.32 percent) are the most targeted verticals.

Mark Reeves

How can FIs protect themselves against online attacks? Our advice is to invest in long-term solutions that enable FIs to adjust their security controls to keep pace with ever-changing and evolving threats.

Here are Entrust’s five best practice recommendations to protect against identity-based online attacks:

1.       Drive better risk assessment

Assess online transactions and the level of risk these present by type of transaction or user group in order to develop risk mitigation strategies. Be sure to assess specific attributes such as customer type, volume and capability of your transaction methods, information sensitivity and existing security, ease of use and the customer experience, and how mobile devices are interacting with your environment.  Consider not only financial loss, but also liability, corporate risk and reputational damage. And don’t just do this once, review and refresh this assessment at least every 12 months.   The risk assessment will help you to map out potential impacts and the security service levels required.

2.       Adopt strong authentication standards

Today’s threats require stronger means of authentication than simple usernames and passwords, particularly for high risk financial transactions such as wire transfers.  Traditional two-factor authentication solutions such as one-time password tokens and SMS-based authentication are no longer effective against, for example, sophisticated man-in-the-browser attacks if used on their own. Even SMS-based multi-factor authentication, while better than single-factor authentication, is vulnerable to SMS redirection malware. There are, however, a number of newer techniques that provide the level of protection required either through the use of a separate communication channel with the user or by relying on advanced behaviour-based fraud detection engines that can automatically detect transaction or website navigation anomalies in real-time.

3.       Take a layered approach

It is worth noting that no single authentication or traditional fraud detection solution can stop advanced malware on banks and other FIs.  It is the layering of different complimentary security technologies such as strong authentication, behavioural fraud detection, out-of-band transaction verification, mobile authentication and extended validation SSL digital certificates that provide the best method of protecting customer identities and transactions in a banking environment.

4.       Explore advanced authentication techniques

The good news is that today, there are a wide range of strong advanced authentication techniques available. As online fraud attacks increase in sophistication, so does the innovation in authentication technology required to stop these attacks in the consumer space. FIs should explore these advanced techniques like mobile-based transaction verification, dynamic device authentication – including one-time session cookies and digital fingerprints – rather than broadly using static device cookie-based approaches.   Remember however, threats are ever-changing and growing. This means FIs must have an ongoing programme of investment to evolve their technology, people and processes. Security in this area should not be a one-time exercise.

5.       Enhance customer awareness and education

Finally, we also advise that FIs involve the customer as much as possible to help fight fraud. Ongoing education and training programmes should be in place to ensure that everyone does their best to help protect and mitigate today’s threats.  For example, some progressive banks are deploying security measures that notify customers when suspicious transactions are in progress and ask the customer to confirm that a given transaction is valid.

It is vital that consumer confidence is maintained. No bank or FI can afford the reputational damage that an online attack can cause. Continuous investment in security systems, processes and people is a must rather than a nice-to have, otherwise banks risk leaving customer data vulnerable to attack.

If you are interested in finding out more about how FIs can implement identity-based security to win the war against online attacks, why not download our latest whitepaper: It’s Cyber Warfare