Welcome to the third and final article in a series about Deep Defense, a best practice recommendation for optimizing online banking security.
In Part One, we provided an overview of how credit unions can help prevent online identity fraud, a crime that cost the U.S. economy nearly $55 billion in 2005, with 10% of the burden falling on the shoulders of the consumer.* We introduced “Deep Defense,” a holistic, systematic approach to security that helps satisfy the needs and demands of credit unions, their members and regulators over the long term. Since security is a process, not a single product, maintaining a Deep Defense is accomplished by continuously weaving layers of technology together to prevent, detect, correct and report online fraud.
In Part Two, we examined the importance of prevention to an online banking security strategy. We explained the role of multi-factor authentication (MFA) within a “layered” approach to security vis-à-vis the FFIEC’s guidance for stronger authentication in an online banking environment. We recommended selecting a minimally invasive solution that can be further enhanced by adding levels of identity verification as threats evolve. And we suggested some security best practices be added to your prevention checklist.
Now, we’re ready to drill down into the third and fourth elements of Deep Defense: correction and reporting.
Correction, the Customer and Bill Payment
The top financial institutions offer online guarantees surrounding fraud resolution and correction to their customers. Now, credit unions and smaller financial institutions alike are being held to similar expectations. Customers want to know they are going to be made “whole” again should they fall prey to online fraud.
The good news is that vendors who provide online bill payment services regularly help credit unions and end users correct online fraud. Typically, bill payment vendors:
- Stop unauthorized payments from being completed when a fraudulent payment request is detected.
- Leverage their relationships with major payees, such as credit card companies, to help correct fraudulent transactions.
- Facilitate changing the user ID, together with the Internet banking vendor, so that additional fraud is stopped.
These features, an integral part of the bill payment relationship, should be vigorously promoted to online bankers to help assuage fear and suspicion of the online channel. After all, we’ve previously reviewed a number of intrinsic security advantages to paying bills online.
Playing the Peace Keeper
Deep Defense strategy includes service options specifically designed to regain customer confidence and goodwill should any fraud occur, whether offline or online. Since studies show that the biggest loss to fraud-affected consumers is the loss of both time and peace of mind, not money, this is vital.*
With identity theft resolution powered by ID Theft 911, Deep Defense is able to counter the perceived lack of guidance and identity fraud support. Via a subscription to the ID Theft 911 service, financial institutions are able to furnish personalized, one-on-one consultation and assistance to help victims restore credit and identity. The service also includes a co-branded Web site that offers extensive, frequently updated educational materials designed to help consumers avoid becoming victims.
Cops and Cyber-Robbers: Tactical Steps to Fraud Correction
Rapid correction of technical or operational glitches that can lead to fraud is fundamental. Redundant, uninterruptible power supply systems, ongoing patch management and 24x7 support are integral to the Deep Defense strategy.
The Online Fraud Shutdown Service component of the Deep Defense security strategy provides round-the-clock correction capabilities for external network threats, including phishing. Financial institutions procuring this service benefit from the vendor’s established relationships with ISPs, which enable efficient notification of the existence of fraudulent Web sites and prompt action to shut them down. The service can also counterattack fraudulent sites by feeding bad data or “bait” that serves as traceable evidence during efforts to catch and convict fraudsters. Fraudulent sites are typically shut down in less than five hours. Furthermore, the service can in many cases provide forensic information about which users’ data may have been compromised. This helps spur the correction and resolution of online fraud for affected individuals.
Reporting for Duty
Reporting is the final phase of the Deep Defense strategy. Within Deep Defense, online banking service providers, financial institutions and consumers communicate the effects, occurrences and implications of online fraud.
Several reporting tools can help track suspicious activity and stop online fraud in its early stages. We recommend an Account-to-Account transfer service that allows financial institutions to monitor transactions based on pending ACH money transfers and immediately halt potentially fraudulent transfers. Furthermore, the institutions should monitor administrator activity with reports that provide a full accounting of user activities (password resets, registration approvals, administrator log-ins to the Management Console from outside the credit union, etc.).
Online banking users should also be given a role in reporting online fraud. For instance, business owners can issue reports using an online business banking feature to discover which individual users have requested online payments via ACH. This assists in the early discovery of ‘inside fraudsters’ making unauthorized payments.
Regularly checking account activity via online banking is the most fundamental fraud reporting capability available. The ability to view balances, transactions, check images, pending payments, etc., reduces the magnitude of fraud loss and remains a major member motivation for making online banking a regular practice.
Research estimates project that online banking usage will reach one in three U.S. households, or a total of 42.5 million households, by 2007, a compound annual growth rate of nearly 9%.*
Deep Defense helps prepare for this impressive growth with vital security processes that help you identify and assess online risks and then diminish them. It strengthens the protection of your members’ data and finances. And with its approach to a stronger, more secure login underpinned by multi-factor authentication, it enables credit unions to respond to the newest FFIEC guidelines with confidence.
With a Deep Defense security strategy in place, consumer peace of mind will only get stronger as online banking adoption continues to grow.
About Scott Mackelprang
Scott Mackelprang, vice president of security and compliance, has supervised Digital Insight’s security and compliance efforts since joining the company in May of 1999. He oversees Digital Insight’s physical security, computer security and security compliance. Prior to joining Digital Insight, he was Rockwell International’s chief information security officer, where he spearheaded their global information security efforts. During his career, Mackelprang has managed enterprise software architecture, software development, network operations and data center operations. Mackelprang graduated summa cum laude with B.S. and M.S. degrees in computer-aided design and computer-aided manufacturing from Brigham Young University’s College of Engineering.
About Digital Insight
Digital Insight® Corporation is the leading online banking provider for financial institutions. Through its comprehensive portfolio of Internet-based financial products and services built upon the company’s unique architecture, Digital Insight enables banks and credit unions to become the trusted transaction hub for their retail and commercial customers. Digital Insight offers consumer and business Internet banking, online lending, electronic bill payment and presentment, check imaging, account-to-account transfers, Web site development and hosting and marketing programs designed to help increase online banking end user growth and more. Each Digital Insight product and service reinforces the strength of its financial institution clients.
* 2006 Identity Fraud Survey Report, Javelin Strategy & Research, January, 2006
* 2006 Identity Fraud Survey Report, Javelin Strategy & Research, January, 2006
* Improving Consumer Online Banking Adoption: Conquering Indifference and Fear, TowerGroup presentation, 2004.