In the first article of this online banking security series, we provided an overview of how credit unions can help prevent online identity fraud, a crime that cost the U.S. economy nearly $55 billion in 2005, with 10% of the burden falling on the shoulders of the consumer.[1]
We introduced “Deep Defense,” our holistic, systematic approach to security that helps satisfy the needs and demands of credit unions, members and regulators over the long term. Since security is a process, not a product, maintaining a Deep Defense is accomplished by weaving layers of technology together to prevent, detect, correct and report online fraud.
Part One of this series also stressed the vital role of consumer education, a key element of fraud prevention. We recommended that credit unions include a detail-rich security “microsite” on their websites that elucidates the fraud landscape and highlights existing features offered by credit unions that help keep members safe. Two of these features were Email Balance Alerts, in which your members take control of monitoring balance activity themselves, and Check Clear, where members can log in check numbers and monitor check clearing online.
Since prevention is the single most critical element to avoiding online fraud, we’ll now explore this element of a Deep Defense in greater detail.
A Pound of Prevention…
Prevention lays the foundation for online security.
To some of your members, paying bills online and receiving online statements may seem like feeding the flame of online fraud, when the exact opposite is true: More than 90% of information breaches that lead to identity fraud are generated from means other than online transactions, including lost or stolen wallets, checkbooks, credit cards and confidential information.[2] Furthermore, only 8% of online fraud is perpetrated by fraudsters employing cyber crimes like phishing, hacking, computer viruses or spyware.[3]
So promoting online Bill Pay (and making it available to your members for free) and encouraging Online Statements are two vital ways you can get your members to instantly safeguard themselves.
Credit unions should also be able to confidently recommend best-of-breed anti-virus software and firewalls to their members. Speak to your online banking service provider when selecting preeminent security products for everything from PDAs to home computers.
On October 12, 2005, the FFIEC issued guidance for authentication in an online banking environment that recommended a “layered” approach to online security, citing that passwords alone would no longer be acceptable as the sole means of achieving online security. Some agencies are mandating compliance by the end of 2006.
“Multi-factor authentication” (MFA), though hardly a new concept (it has been a key concept of cryptography for centuries), is a term to which many industry people were only recently introduced. MFA is the process of verifying and validating the authenticity of an identity using more than one validation mechanism.
The motivation behind MFA is to prevent access to online data even if a member’s user ID and password credentials are compromised. When MFA is in place, at least one additional unique factor of authentication beyond the password is necessary to gain access to online data. MFA requires two of the following three things:
- Something the member knows: passwords, challenge questions, secrets, etc.
- Something the member has: computer, phone, PDA, etc.
- Something the member is: fingerprints, iris scans, voice prints, etc.
We elected to offer an MFA solution that prevents unauthorized users from successfully impersonating a legitimate user at sign-on by requiring not just a user ID and password, but a second level of authentication that, in effect, “checks the ID” of the user’s computer. The minimally invasive solution can be further enhanced by adding levels of identity verification through USB tokens, pass codes, a series of challenge questions, or even biometric methods. We believe this is especially helpful for providing access to legitimate users who are not at their normal computer, and it offers the long-term flexibility necessary to adapt to evolving threats with minimal disruption to the end user experience.
Fully implemented, MFA can defend against phishing, pharming and other cyber attacks. It can also help ensure your credit union passes with FFIEC regulators by the end of 2006.
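As an added illustration (not code from this article or from Digital Insight’s product), the following Python sketch shows the sign-on flow described above: a password check, then a server-signed device token as the “something the member has” factor, falling back to challenge questions when the member is at an unfamiliar computer and enrolling that computer once they pass. The server key, salt, member record and challenge question are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed demo values; a real deployment keeps the key in a secret store
# and member records in a database, with a per-member password salt.
SERVER_KEY = b"constructed-demo-key"
SALT = b"constructed-demo-salt"

def hash_pw(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

MEMBERS = {
    "alice": {
        "pw_hash": hash_pw("correct horse"),
        "challenge": {"First pet's name?": "rex"},   # stored answer, normalised
        "devices": set(),                             # registered device ids
    }
}

def device_token(member, device_id):
    """'Something the member has': an HMAC tag binding a device id to the
    member, kept in a persistent browser cookie alongside the device id."""
    msg = f"{member}:{device_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def verify_device(member, device_id, token):
    if device_id not in MEMBERS[member]["devices"]:
        return False
    return hmac.compare_digest(token, device_token(member, device_id))

def login(member, password, device_id=None, token=None, answers=None):
    """Return (status, device_id, token). status is 'denied', 'challenge'
    (password correct but device unknown: ask the challenge questions) or
    'ok' (password plus a second factor satisfied)."""
    rec = MEMBERS.get(member)
    if rec is None or not hmac.compare_digest(hash_pw(password), rec["pw_hash"]):
        return "denied", None, None
    # Usual case: the member's normal computer presents a valid device token.
    if device_id and token and verify_device(member, device_id, token):
        return "ok", device_id, token
    # Unfamiliar computer: a stolen password alone gets no further than here.
    if answers is None:
        return "challenge", None, None
    for question, expected in rec["challenge"].items():
        if answers.get(question, "").strip().lower() != expected:
            return "denied", None, None
    # Challenge passed: enrol this computer so the next sign-on is one step.
    new_id = secrets.token_hex(8)
    rec["devices"].add(new_id)
    return "ok", new_id, device_token(member, new_id)
```

The point to observe is that a correct password from an unrecognised computer yields only a challenge, never access.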
Look Within: Credit Union Prevention Best Practices
Finally, place the following on your security prevention checklist:
Data Center Security – Your online banking service provider’s data center is your data center too. Fraud prevention layers, operational security controls and network infrastructure should all be integrated within this complex data powerhouse. Ask what audits and certification are regularly performed. Find out how the data center is protected in case of emergency, and what redundancy plans are in place. These types of guarantees secure the highest standards of data protection.
Partner Diligence & Security – With complexity at the core of online banking, numerous partners and service providers interface to bring a seamless, user-friendly experience to your members. Features like secure chat, online statements, check imaging and others are outsourced to a host of expert resellers. It is the responsibility of your online banking service provider to apply the same security standards to technology partners and resellers as those that are applied to its core data center. Don’t forget to ask detailed questions about the security screens and regulations around these reseller relationships.
With these and other preventative measures in place, you’ll help keep your members, their information and their money safe. Yet fraudsters do win from time to time, so stay tuned for more on detecting, correcting and reporting online fraud within a Deep Defense. Until then, stay safe.
About Scott Mackelprang
Scott Mackelprang, vice president of security and compliance, has overseen Digital Insight’s security and compliance efforts since joining the company in May of 1999. He oversees Digital Insight’s physical security, computer security and security compliance. Prior to joining Digital Insight, he was Rockwell International’s chief information security officer, where he oversaw their global information security efforts. During his career, Mackelprang has managed enterprise software architecture, software development, network operations and data center operations. Mackelprang graduated summa cum laude with B.S. and M.S. degrees in computer-aided design and computer-aided manufacturing from Brigham Young University’s College of Engineering.
About Digital Insight
Digital Insight® Corporation is the leading online banking provider for financial institutions. Through its comprehensive portfolio of Internet-based financial products and services built upon the company’s unique architecture, Digital Insight enables banks and credit unions to become the trusted transaction hub for their retail and commercial customers. Digital Insight offers consumer and business Internet banking, online lending, electronic bill payment and presentment, check imaging, account-to-account transfers, Web site development and hosting and marketing programs designed to help increase online banking end user growth and more. Each Digital Insight product and service reinforces the strength of its financial institution clients.
To access Part One of this series on preventing, detecting, correcting and reporting online fraud, please click here.
[1] 2006 Identity Fraud Survey Report, Javelin Strategy & Research, January 2006, p. 1.
[2] 2006 Identity Fraud Survey Report, Javelin Strategy & Research, January 2006, p. 27.
[3] 2006 Identity Fraud Survey Report, Javelin Strategy & Research, January 2006, p. 27.