
What Banks Can Teach Us about Combating Online Fraud

A multi-layered approach, including the end user, is required to keep up with sophisticated fraudsters.

Financial institutions have been battling cybercriminals for decades. A constantly evolving network of bad actors continues to identify and exploit vulnerabilities to perpetrate fraud. Traditional prevention approaches are a necessary first line of defense but are far from bullet-proof. And so criminal organizations continue to make millions.

The weakest link in this network continues to be the customer. Despite a relentless education campaign, banking customers remain either unwilling or unable to practice safe computing. And when losses occur, customers believe that regardless of their inability – or unwillingness – to implement secure online banking practices, the bank will reimburse their account for the entire loss. It often makes more sense for the bank to reimburse a small loss than dedicate the time and effort needed to deny the claim and potentially incur negative publicity. Meanwhile, assuaged by this false sense of security, consumers have little incentive to change their behavior.

In a recent case involving Choice Escrow Land Title LLC and BancorpSouth, the court sided with the bank regarding a $440,000 loss associated with the theft of the company’s online banking credentials and subsequent fraudulent wires. The ruling was based on the fact that Choice Escrow had previously declined to use a process recommended by the bank, which required two employees to approve wire transfers. However, in two separate, highly publicized cases involving Comerica and People’s United Bank, the courts ruled in favor of the customer.

There is no guarantee a court will rule in favor of the bank – regardless of the degree to which the customer failed to protect themselves.

Consumer Education Will Only Take You So Far

Financial institutions have long embraced customer education as an effective fraud prevention tool. Unfortunately, so long as consumers are indemnified from loss, these types of educational messages will likely fall upon deaf ears.

The FBI and the American Bankers Association (ABA) recommend designating a separate computer solely for online banking activities (i.e., no emailing or Internet browsing) to prevent online fraud. But limiting banking to one computer is neither convenient nor realistic for the vast majority of consumers. And this challenge only grows as customers increasingly leverage banking applications on their mobile devices.

When given the choice, customers will routinely opt for the “path of least resistance” when conducting business online. And this applies not just to banking, but to anyone who deals with customers, partners or employees online. The more complex the process, the less likely the customer will be to comply. Attempting to shift too much of the compliance burden to the end user will be met with resistance, and ultimately rejection. The last thing a company wants to do is make their online channel so unappealing to their customers that they leave in droves.

Unless customers are provided with a minimally invasive approach to secure their online activity, they will continue to engage in careless behavior that leaves them exposed to bad actors.

The Achilles’ Heel of Online Fraud

To date, fraud prevention technology has overlooked the primary point of failure – the customer’s computer. Extending fraud prevention to the customer’s device through a secure browsing platform can dramatically reduce fraud-related losses. Such a browser creates a protected connection to the financial institution’s website. Since transactions can only take place via the personal browser and a secure proxy server, any malware that exists on the user’s computer is “blind” to the exchange of customer information.

Using this approach, the exchange of critical information in the transaction takes place at the server level, instead of at the user’s machine. A secure personal browser also thwarts more sophisticated tactics such as pharming, man-in-the-middle (MITM) and man-in-the-browser (MITB) attacks. The browser turns the user’s computer into a dedicated machine for online banking that isolates critical data from the cybercriminal’s prying electronic eyes. Such an approach is effective, yet does not place an excessive or unrealistic compliance burden on the customer.

Financial institutions have little choice but to be on the bleeding edge of security best practices. In addition to adopting traditional fraud prevention technologies, including the detection and prevention of suspicious log-ins, transaction anomaly detection and real-time monitoring of account activity, banks are now realizing they must take security to the last line – the consumer herself.
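The two-employee wire approval the court weighed in the Choice Escrow case, combined with the suspicious-login and transaction-anomaly checks listed above, as an added Python illustration (not code from the article or from any bank); the account profile, device ids, the 5x amount threshold and the scenario values are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class Account:
    """Constructed profile of a business online-banking account."""
    known_payees: set
    known_device_ids: set
    past_amounts: list            # earlier outgoing wires, sample values
    dual_control: bool = True     # bank-recommended two-employee approval


@dataclass
class WireRequest:
    amount: float
    payee: str
    device_id: str                # device the session was logged in from
    approvers: tuple = ()         # employee ids that approved this wire


def anomaly_flags(acct: Account, req: WireRequest) -> list:
    """Suspicious-login and transaction-anomaly checks the article lists."""
    flags = []
    if req.device_id not in acct.known_device_ids:
        flags.append("login from unrecognised device")
    if req.payee not in acct.known_payees:
        flags.append("first wire to this payee")
    if acct.past_amounts:
        baseline = mean(acct.past_amounts)
        if req.amount > 5 * baseline:   # 5x threshold is an assumed policy
            flags.append("amount exceeds 5x historical average")
    return flags


def decide(acct: Account, req: WireRequest) -> tuple:
    """Return (action, reasons): reject, hold for callback, or release."""
    if acct.dual_control and len(set(req.approvers)) < 2:
        return "reject", ["dual control: two distinct approvers required"]
    flags = anomaly_flags(acct, req)
    if flags:
        return "hold", flags      # hold for out-of-band verification
    return "release", []


def demo() -> dict:
    """Constructed scenario: stolen credentials used from a new device."""
    acct = Account({"Acme Supply"}, {"office-pc-1"}, [12000, 15000, 9000])
    theft = WireRequest(440000, "mule-account", "unknown-pc", ("alice",))
    routine = WireRequest(14000, "Acme Supply", "office-pc-1", ("alice", "bob"))
    return {"theft": decide(acct, theft), "routine": decide(acct, routine)}
```

With dual control switched off, as Choice Escrow had done, the same fraudulent wire is no longer rejected outright and relies solely on the anomaly checks placing it on hold.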

Any organization that houses sensitive financial data and wants to stay ahead of the latest cybercriminal methodologies should follow the lead of financial institutions, and learn how it might apply these security best practices to its own customers and corporate security posture.
