inform. educate. connect.

Issue #9 - March 2011  


Internet Banking Fraud Risks

By David Dyk, Moss Adams LLP

While regulators don’t maintain a single source of statistics on Internet banking fraud, it’s clear that fraudulent ACH and wire transactions resulting from online account takeovers were a growing trend in 2009 and 2010. A number of high-profile incidents and the lawsuits that followed have raised awareness of the problem, damaged reputations, and brought increased regulatory scrutiny.

The most relevant current guidance was issued in 2005 by the Federal Financial Institutions Examination Council (FFIEC) and focused on authentication. The guidance specifically instructed institutions to implement authentication that’s stronger than a single factor.

Single-factor authentication relies on something the user knows, such as a password. A second factor is something the user has, such as a token. Many institutions use hybrid systems that validate a password and attempt to recognize the workstation; if the workstation isn’t recognized, an additional “challenge” question is asked. Note that a challenge question is still something the user knows, so password plus challenge question is layered single-factor authentication rather than a true second factor. Fraudsters, moreover, use malware installed on the customer’s workstation to capture passwords and challenge answers, and can even capture and relay a time-sensitive one-time passcode while the customer is authenticating. Once the workstation is compromised, these authentication solutions no longer provide strong security.

Regulators and examiners have been considering this issue in recent years and are expected to provide updated guidance in 2011. In the meantime, scrutiny based on existing regulatory guidance has increased, and institutions should carefully examine their Internet banking offerings to gauge the need to increase the security of high-risk transactions such as ACH batches and wire transfers.

If your institution does offer these higher-risk Internet banking transactions online, a combination of controls – including authentication, verification, limits, risk management, and monitoring – should be considered:

  • Out-of-band authentication (with transaction details at the transaction level). Out of band means outside the Web browser and could include an automated voice phone call or SMS text message, so that control of the browser session alone is not enough to approve a transfer. To be most effective, the out-of-band verification – the most important control to consider for high-risk transactions – should read back the details of the transaction in question and require a positive affirmation (such as a PIN or confirmation code) before the transaction proceeds. This helps ensure that the details the institution is about to execute, such as the total amount of the ACH batch and the payees, match what the authorized sender intended, even if malware has altered what the browser displays. Changes to the out-of-band contact details themselves (for example, the customer’s phone number) should require the same verification; otherwise an attacker with the browser session can simply redirect the confirmation to a phone he controls.

  • Securing the Internet channel and browser. A client-to-server encrypted tunnel together with software installed on the client to protect the browser from keyloggers and other client-side attacks is a less onerous solution to layer on top of existing Internet banking systems. These products, such as Trusteer Rapport, must be installed by customers on their own workstations, so many banks that use this type of technology provide it as an opt-in solution. Because the software runs on the same workstation as any malware and cannot be assumed to be present, it should be treated as a hardening measure rather than a substitute for out-of-band verification.

  • Transaction monitoring and correlation. A number of solutions are available for identifying unusual patterns, payees, times of day, or other indicators of risk, and for escalating those high-risk transactions for follow-up and manual validation. To be effective, these tools must be implemented as part of an overall antifraud program, with staff and procedures in place to act on what they flag. Institutions should also consider implementing these solutions across multiple customer channels to identify fraud that may not be limited to the Internet banking channel.

  • Revisiting credit limits and customer agreements. Ensuring that customer agreements are current and that exposure limits and other customer controls are identified and enforced remains an important element of managing risk to the institution that shouldn’t be overlooked. Institutions may want to consider two tiers of limits: a lower limit for transactions protected by simple authentication only, and a higher limit for transactions protected by out-of-band verification or other secondary controls.
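As an added illustration of how the three technical controls above fit together (monitoring indicators, tiered limits, and out-of-band verification bound to transaction details), the following Python sketch shows one way a bank’s transaction gate could be built. It is not from the article, from Moss Adams, or from any vendor product; the limit values, monitoring rules, customer data and the SMS wording are all assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Tiered exposure limits (hypothetical values for illustration).
LOW_LIMIT_CENTS = 500_000       # up to $5,000: password/session authentication only
HIGH_LIMIT_CENTS = 5_000_000    # $50,000 and above: hold for manual validation
OOB_TTL_SECONDS = 300           # out-of-band confirmation code lifetime
# Per-deployment secret for deriving confirmation codes (assumption: kept server-side,
# never sent to the browser). Regenerated on every run of this example.
SERVER_KEY = secrets.token_bytes(32)


@dataclass(frozen=True)
class Transfer:
    customer: str
    payee_account: str
    amount_cents: int
    hour: int                 # local hour of submission, 0-23
    from_known_device: bool   # workstation recognized by the banking site


def risk_indicators(t: Transfer, history: list[Transfer]) -> list[str]:
    """Monitoring rules run over the customer's prior transfers (constructed rules)."""
    hits = []
    if t.payee_account not in {h.payee_account for h in history}:
        hits.append("new_payee")
    if not t.from_known_device:
        hits.append("unrecognized_device")
    if history and t.amount_cents > 3 * max(h.amount_cents for h in history):
        hits.append("amount_over_3x_prior_max")
    if t.hour < 6 or t.hour >= 22:
        hits.append("off_hours")
    return hits


def decide(t: Transfer, history: list[Transfer]) -> tuple[str, list[str]]:
    """Combine limits and indicators: approve, require out-of-band verification,
    or escalate for manual validation."""
    hits = risk_indicators(t, history)
    if t.amount_cents >= HIGH_LIMIT_CENTS or len(hits) >= 3:
        return "manual_review", hits
    if t.amount_cents >= LOW_LIMIT_CENTS or hits:
        return "oob_verify", hits
    return "approve", hits


def transaction_digest(t: Transfer) -> bytes:
    """Canonical encoding of exactly the details that are read back to the customer."""
    return f"{t.customer}|{t.payee_account}|{t.amount_cents}".encode()


def oob_code(t: Transfer, nonce: str, issued: int) -> str:
    """Six-digit code bound to the transaction details, a nonce and the issue time."""
    msg = b"|".join([transaction_digest(t), nonce.encode(), str(issued).encode()])
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def issue_oob_challenge(t: Transfer, now: int) -> tuple[str, dict]:
    """Build the message delivered outside the browser (SMS or automated call) and
    the challenge state the server keeps with the pending transaction."""
    challenge = {"nonce": secrets.token_hex(8), "issued": int(now)}
    code = oob_code(t, challenge["nonce"], challenge["issued"])
    message = (f"Confirm transfer of ${t.amount_cents / 100:,.2f} to account ending "
               f"{t.payee_account[-4:]}. Reply {code} to proceed; expires in 5 minutes.")
    return message, challenge


def verify_oob(t_to_execute: Transfer, user_code: str, challenge: dict, now: int) -> bool:
    """Recompute the code from the transaction the bank is about to execute, so a code
    issued for one set of details cannot approve altered details; reject stale codes."""
    if int(now) - challenge["issued"] > OOB_TTL_SECONDS:
        return False
    expected = oob_code(t_to_execute, challenge["nonce"], challenge["issued"])
    return hmac.compare_digest(expected, user_code)


if __name__ == "__main__":
    # Constructed sample history and submissions for one business customer.
    history = [Transfer("acme-llc", "111122223333", 250_000, 10, True),
               Transfer("acme-llc", "111122223333", 300_000, 14, True)]
    routine = Transfer("acme-llc", "111122223333", 280_000, 11, True)
    large = Transfer("acme-llc", "111122223333", 800_000, 11, True)
    takeover = Transfer("acme-llc", "999988887777", 1_200_000, 3, False)
    for t in (routine, large, takeover):
        print(decide(t, history))
    msg, ch = issue_oob_challenge(large, now=1_300_000_000)
    print(msg)
```

The point of deriving the code from the transaction digest, rather than generating a random code and storing it, is that the server recomputes it against the transaction it is actually about to execute: if malware in the browser swaps the payee after the customer submits, the customer’s reply no longer matches and the transfer stops, and the customer also sees the altered payee in the message itself.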

The major Internet banking service providers are aware of these risks and are beginning to offer solutions to help institutions deal with them. However, out-of-band authentication and security options for the client browser are newer technologies and have generally not been incorporated into the basic offerings from these firms, which means they’ll need to be implemented separately.

The updated FFIEC guidance in 2011 may require improvements in authentication, in which case the major Internet banking service providers will be rolling out authentication improvements to many of their customers, reducing the cost for any one institution. In the meantime, smaller community banks with limited volume should consider manual controls, such as verifying high-risk transactions by a callback phone call and revisiting credit limits, as a cost-effective first step. Internet banking fraud risk is a hot topic for regulators, and taking action now in advance of the 2011 guidance updates will help your institution manage the transition successfully.


David Dyk is IT Consulting Manager for Moss Adams LLP. He can be reached at 503-478-2145 or david.dyk@mossadams.com.