Ten tips to help financial services institutions protect themselves and their online users

The latest Consumer Confidence Survey conducted by RSA, The Security Division of EMC, in December 2006 highlighted that consumers are worried about the integrity of the online channel, and are starting to lose confidence in the Internet as a safe environment for their financial transactions:

  • 91% of respondents said that they feel banks should use some kind of stronger authentication rather than basic and static usernames and passwords for online transactions.
  • 82% of account-holders expressed that, as a direct result of scams such as phishing, they are less likely to respond to an e-mail from their bank.
  • 82% of account-holders would like their banks to monitor online banking sessions for signs of irregular activity or behaviour - similar to the way that credit card transactions are monitored today.
  • 51% would like their bank to contact them when suspicious activity is detected.
  • While many financial institutions have begun to deploy stronger authentication over the past year, only 39% of account-holders are aware of it.
  • 52% of users are "less likely" to sign up for or use online banking than in previous years.

The rapid growth of online threats such as phishing, and the wide visibility they have received in the media have made many financial institutions realise that online banking requires more robust protection. However, banks have been slow to make drastic changes, and in many ways this is understandable: actual fraud losses are still relatively low, the cost of implementing stronger authentication is perceived to be high, and – most importantly – banks are hesitant to deploy anything that will complicate the user experience.

Until recently, the term “strong authentication” conjured images of thousands if not millions of consumers with hardware tokens, scratch cards in their wallets, and fingerprint scanners on their computers. Today, the industry is stressing the importance of matching the level of authentication required to the level of risk, regardless of the specific authentication technology deployed (be it one-time-passwords, grid cards, tokens, watermarks, device authentication, etc).

There are many different technologies that provide multi-factor authentication — and each has its place. What banks must consider are the implications of each in terms of cost, ease of deployment, impact on usability and effectiveness. More importantly, banks must also consider how and when to implement stronger authentication within their online applications.

Strategies and tips

Internet banking has been one of the most fundamental developments in the financial industry over the past decade. And despite the threats, account holders do continue to adopt online banking (albeit perhaps not as rapidly as had been hoped) and continue to expect new enhancements to security and functionality. By applying common sense and sound judgment, banks can protect their users without complicating the user experience or “breaking the bank”.


5 simple steps banks should take to develop a coherent Internet banking authentication strategy

1. Analyze existing operations to determine exposure to risk and choose an authentication method that best addresses it.

2. Implement a strong, yet simple authentication solution that won’t complicate the online experience, such as risk-based authentication which operates behind the scenes and does not impact users unless additional verification is necessary.

3. Explore which technologies will protect against today’s attacks as well as tomorrow’s emerging threats – the online fraud landscape is continually changing, and what works now could prove inadequate in the future. Ensure built-in flexibility to expand Internet banking features and functionality to attract new customers.

4. Issue credit cards compliant with the “Verified by Visa / MasterCard SecureCode” standard, and encourage and/or mandate customers to sign up to the programme. Our research shows that cards are used more online when they are part of this programme, and that fraud levels associated with these cards are very significantly lower.

5. Do not underestimate the importance of customer confidence - take steps to encourage trust in the brand by making security a visible yet unobtrusive part of the customer’s online experience.

Five main strategies that banks can adopt to protect themselves and their users:

1. Gateway, or “Flat” Authentication
This method sets one consistent level of authentication for all online customers (e.g. tokens or device authentication). In other words, an online user viewing a monthly statement would be subject to the same scrutiny as someone attempting a €60,000 transfer. Cost factors aside, many banks do not favor this approach since it would overburden the majority of online users, who typically conduct low-risk transactions and trust their financial institution enough that tighter protection is not warranted.

2. Zone-Based Authentication
This method segments the online banking environment into several risk zones (e.g. checking account balances in one risk zone, paying bills in a second risk zone, and ACH/wire transfer in a third risk zone), and authenticates transactions in each zone accordingly. While considerably better than the “one-size-fits-all” method, it can still complicate the user experience and is potentially expensive to manage and deploy. It is also inflexible: if a bank considers online bill-payment to be risky, this method treats the hundredth transaction to the same payee with equal scrutiny as the first.

3. User Segment-Based Authentication
Different customer segments receive different authentication methods – corporate customers transferring large amounts of money are treated differently to consumers who simply need to pay the regular monthly bills. Different users have different needs and preferences which financial institutions need to be aware of and sensitive to.

4. Transactional Risk-Based Authentication
This method assesses the risk of each online transaction in real time – the way credit card issuers do – and adjusts the authentication accordingly. As a standard measure, all customers and transactions are subject to moderate, usually transparent authentication, such as behind-the-scenes PC device and user profile authentication. However, if someone attempts an unusually high-risk transaction, the bank can invoke further authentication procedures, such as an out-of-band phone call. This approach avoids complicating the user experience, keeps costs low, and offers the bank flexibility to deal with future threats. It does not, however, take into account that some consumers prefer more tangible or visible security for all transactions.

5. Hybrid of User Segment-Based and Risk-Based Authentication
This method combines segment-based and risk-based authentication. Most customers are protected with risk-based authentication, which is transparent for the majority of transactions, while certain segments of customers use a more tangible method of authentication, such as a one-time password on a hardware token. The institution can flexibly adapt the configuration over time and shift users between the two methods. This approach allows a financial organisation to secure its entire customer base while taking into account user preference, risk levels and regulatory requirements.
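The five strategies above differ only in how the required authentication level is chosen for a given transaction, so they can be compared side by side as policy functions over the same input. The following is an added illustration written for this page; it is not code from RSA, EMC or any bank's platform. The three authentication levels, the zone table, the risk-score weights, the step-up thresholds, the segment that is given a hardware token, and all sample transactions and payee history are constructed assumptions chosen to show the trade-offs the text describes, in particular why zone-based authentication still challenges the hundredth payment to a familiar payee while a risk-based policy lets it through transparently.

```python
"""Side-by-side comparison of the authentication strategies discussed above.

Added example; every weight, threshold, zone mapping and sample transaction
below is an assumption constructed for illustration, not a vendor's rule set.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Optional, Tuple


class AuthLevel(IntEnum):
    """Ordered so that max() picks the stronger of two requirements."""
    TRANSPARENT = 1   # device fingerprint + user profile checks, invisible to user
    OTP = 2           # one-time password from a token or grid card
    OUT_OF_BAND = 3   # confirmation over a separate channel, e.g. a phone call


@dataclass(frozen=True)
class Transaction:
    user_id: str
    segment: str            # "consumer" or "corporate" (assumed segment names)
    action: str             # "view_balance", "pay_bill" or "wire_transfer"
    amount: float           # in the account currency
    payee: Optional[str]    # None for read-only actions
    device_known: bool      # device fingerprint seen before for this user
    profile_match: bool     # time-of-day / geolocation consistent with history


# (user_id, payee) -> number of prior successful payments. Constructed sample data.
PayeeHistory = Dict[Tuple[str, str], int]

# Assumed zone table for the zone-based strategy: one fixed level per activity.
ZONES = {
    "view_balance": AuthLevel.TRANSPARENT,
    "pay_bill": AuthLevel.OTP,
    "wire_transfer": AuthLevel.OUT_OF_BAND,
}

# Assumed segment that receives a tangible token under the segment/hybrid strategies.
TOKEN_SEGMENTS = {"corporate"}


def flat_policy(tx: Transaction) -> AuthLevel:
    """Strategy 1: every customer and every action gets the same level."""
    return AuthLevel.OTP


def zone_policy(tx: Transaction) -> AuthLevel:
    """Strategy 2: level depends only on which risk zone the action falls in."""
    return ZONES[tx.action]


def segment_policy(tx: Transaction) -> AuthLevel:
    """Strategy 3: level depends only on the customer segment."""
    return AuthLevel.OTP if tx.segment in TOKEN_SEGMENTS else AuthLevel.TRANSPARENT


def risk_score(tx: Transaction, history: PayeeHistory) -> int:
    """Strategy 4 scoring: additive weights (assumed values) for risk signals."""
    score = 0
    if not tx.device_known:
        score += 40             # unrecognised device is the strongest single signal
    if not tx.profile_match:
        score += 20             # behaviour inconsistent with the user's history
    if tx.action == "wire_transfer":
        score += 15             # irrevocable, high-value channel
    if tx.amount >= 10_000:
        score += 25
    elif tx.amount >= 1_000:
        score += 10
    if tx.payee is not None and history.get((tx.user_id, tx.payee), 0) == 0:
        score += 15             # first ever payment to this payee
    return score


def risk_policy(tx: Transaction, history: PayeeHistory) -> AuthLevel:
    """Strategy 4: transparent by default, step up only when the score warrants it."""
    score = risk_score(tx, history)
    if score >= 60:
        return AuthLevel.OUT_OF_BAND
    if score >= 30:
        return AuthLevel.OTP
    return AuthLevel.TRANSPARENT


def hybrid_policy(tx: Transaction, history: PayeeHistory) -> AuthLevel:
    """Strategy 5: token segments always see at least OTP; risk can still step up."""
    baseline = segment_policy(tx)
    return max(baseline, risk_policy(tx, history))


def decide_all(tx: Transaction, history: PayeeHistory) -> Dict[str, AuthLevel]:
    """Evaluate one transaction under every strategy for comparison."""
    return {
        "flat": flat_policy(tx),
        "zone": zone_policy(tx),
        "segment": segment_policy(tx),
        "risk": risk_policy(tx, history),
        "hybrid": hybrid_policy(tx, history),
    }


# Constructed sample data: "alice" has paid ELECTRIC-CO 99 times already.
PAYEE_HISTORY: PayeeHistory = {("alice", "ELECTRIC-CO"): 99, ("acme", "PAYROLL"): 12}
TX_STATEMENT = Transaction("alice", "consumer", "view_balance", 0.0, None, True, True)
TX_BILL_REPEAT = Transaction("alice", "consumer", "pay_bill", 85.0, "ELECTRIC-CO", True, True)
TX_WIRE_60K = Transaction("alice", "consumer", "wire_transfer", 60_000.0, "UNKNOWN-ACCT", False, False)
TX_CORP_VIEW = Transaction("acme", "corporate", "view_balance", 0.0, None, True, True)

if __name__ == "__main__":
    for name, tx in [("statement", TX_STATEMENT), ("100th bill", TX_BILL_REPEAT),
                     ("60k wire", TX_WIRE_60K), ("corp view", TX_CORP_VIEW)]:
        levels = {k: v.name for k, v in decide_all(tx, PAYEE_HISTORY).items()}
        print(f"{name:>10}: {levels}")
```

Running the block prints one row per sample transaction. The hundredth bill payment scores 0 under the risk-based policy and passes transparently, whereas the zone table still demands an OTP because bill payment sits in the OTP zone; the €60,000 wire from an unknown device with an unfamiliar payee scores well past the out-of-band threshold under every risk-aware policy; and the corporate balance check shows the hybrid strategy keeping a tangible OTP for the token segment even though the transaction itself is low risk.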