As credit unions boost online security, scam artists are finding new ways to solicit passwords and account information from members using online banking. The truth is that no matter how much we educate members or how quickly we shut down fraudulent sites, scammers will develop new tactics to trick members into giving up sensitive information. But with a state-of-the-art security strategy, this may be less of a problem than it sounds.
You Can’t Stop the Phishers
To date, many credit unions have relied on prevention and education strategies to combat phishing. While it is important to educate members about phishing trends and risks, education alone will not protect them, nor should we blame the victim. Fraudsters have become so adept at mimicking official emails and webpages that even security-conscious personnel employed by banks and credit unions can be fooled. A 2005 survey by internet management vendor Websense found that 50 percent of the IT decision-makers who participated in the survey do not believe that their employees can accurately identify phishing sites. Expecting members to be able to do so consistently is unrealistic.
Some financial institutions have turned to monitoring techniques and anti-phishing services, which attempt to actively identify phishing attacks and shut down fraudulent sites. Some solutions providers claim to terminate phishing sites in five hours or less. The problem is that it can take less than five hours for multiple members to disclose their login information. Furthermore, it is notoriously difficult to prosecute phishers, especially those located overseas. In the absence of lasting consequences, the phishers keep phishing. While more effective than a member education-based strategy alone, monitoring tactics are still band-aid approaches that ultimately leave scam artists with the upper hand.
A Strategy That Works
The root of the problem lies with the single-factor authentication systems typically used by credit unions to identify online banking members. Once a fraudster obtains a user name and password, he has free access to the member’s accounts. Credit unions need to evolve their fundamental security strategies to focus on eliminating the value of stolen user information.
Multi-factor authentication, a security strategy that employs more than the traditional username and password to authenticate online members, is one way to do this. By adding additional login authentication levels, credit unions can increase overall security while simultaneously protecting members who mistakenly give information to phishers.
Additional authentication levels can take a variety of forms, from challenge questions to voice confirmation. One of the more cutting-edge solutions uses a member’s computer and IP address, previous online banking behavior, and geographic factors to create a member profile. When a member logs in to the credit union’s webpage, the credit union identifies the user’s computer. If the credit union doesn’t recognize the user’s computer, or if the user tries to execute atypical transactions, the member is required to provide an additional one-time password, which is sent directly to the member’s cell phone, stopping any fraudster dead in his tracks.
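The risk-based step-up described above, as an added example that is not code from the original article or any vendor product: a constructed member profile (known devices, usual countries, typical transaction size) drives the decision to demand a one-time password, and the OTP is stored only as a hash, expires, is single-use, and is attempt-limited.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

OTP_TTL = 300        # seconds a code stays valid (assumed policy value)
OTP_MAX_ATTEMPTS = 5  # wrong guesses allowed before the code is burned


@dataclass
class MemberProfile:
    # Hypothetical profile learned from earlier sessions (constructed data).
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    typical_max_amount: float = 0.0


def risk_reasons(profile, device_id, country, amount=0.0, new_payee=False):
    """List every way this login/transaction deviates from the profile."""
    reasons = []
    if device_id not in profile.known_devices:
        reasons.append("unrecognized_device")
    if country not in profile.usual_countries:
        reasons.append("unusual_location")
    if amount > profile.typical_max_amount * 2:   # threshold is an assumption
        reasons.append("atypical_amount")
    if new_payee:
        reasons.append("new_payee")
    return reasons


def decide(profile, device_id, country, amount=0.0, new_payee=False):
    """Return ("allow", []) or ("step_up", reasons) requiring an OTP."""
    reasons = risk_reasons(profile, device_id, country, amount, new_payee)
    return ("step_up", reasons) if reasons else ("allow", [])


def issue_otp(now=None):
    """Generate a 6-digit code for SMS delivery; keep only its hash server-side."""
    code = f"{secrets.randbelow(10**6):06d}"
    now = time.time() if now is None else now
    record = {"hash": hashlib.sha256(code.encode()).hexdigest(),
              "expires": now + OTP_TTL, "used": False, "attempts": 0}
    return code, record


def verify_otp(record, submitted, now=None):
    """Constant-time check; rejects expired, reused, or over-tried codes."""
    now = time.time() if now is None else now
    if record["used"] or now > record["expires"] or record["attempts"] >= OTP_MAX_ATTEMPTS:
        return False
    record["attempts"] += 1
    ok = hmac.compare_digest(record["hash"], hashlib.sha256(submitted.encode()).hexdigest())
    if ok:
        record["used"] = True   # stolen credentials alone never get past this point
    return ok
```

A phished password alone fails at `decide` whenever the attacker's device or location is new, which is the point of the approach; the OTP path then only passes a code the member actually received.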