Online Security Challenges: Moving Beyond Multi-Factor Authentication
MFA is just a recent effort in guarding against fraud. Credit unions need a broad front of new programs to assure member confidence.
While many credit unions are breathing a sigh of relief after implementing multi-factor authentication, it is clear that security will remain at the forefront of IT initiatives as credit unions update systems to counter new attacks. The majority of Technology Survey respondents reported undertaking major security-related initiatives in 2007 or 2008. Financial institutions are finding that they must continually examine and adjust their practices in the face of new threats and technology advances.
As the use of electronic payments and billing increases, credit unions must be more vigilant than ever in identifying and stopping fraud online. Increasing use of online member applications and online loans offers great convenience and benefits for members but is also forcing credit unions to investigate better ways of confirming member identities.
New initiatives aimed at improving security and consumer comfort levels continue to change the competitive landscape. NACHA is working with a number of financial service industry stakeholders to develop a system for more secure payments by allowing consumers to authorize payments through their financial institutions directly to a vendor. The benefit is that consumers do not have to give vendors their bank account information, and the payments clear quickly via ACH. The consumer is sent from the vendor site to log in with their financial institution and authorize the payment directly to the merchant. Several credit unions are expected to participate in the trial program being rolled out in 2007-08.
Improving and Adjusting Multi-Factor Authentication Systems
In the wake of the FFIEC recommendations, many credit unions found themselves implementing multi-factor authentication systems. The difficulty was that there was not much data on optimal systems for fighting fraud or industry best practices for implementation. Financial institutions found themselves under a tight deadline for evaluating providers and implementing new systems. Most of the Technology Survey respondents report that MFA is already in place or being implemented over the next year.
Post-implementation, credit unions are finding the need to adjust their systems to better deal with the realities of member usage patterns and human nature. Depending on member demographics, some systems work better than others with highly mobile or non-technically oriented member segments. Some credit unions are realizing that the systems in place are not flexible enough to meet their members' needs. Others are finding the need to adjust support practices for members who cannot remember their validation responses. While multi-factor authentication may have helped calm some of the fears of members who are already online banking users, it remains to be seen whether it will convince other members to start using online banking.
Some financial service providers point out that the FFIEC guidance doesn’t require all financial institutions to adopt multi-factor solutions, but just complete a risk assessment.
But as more financial institutions adopt multi-factor authentication over the coming months, those who don’t have these systems in place may find themselves left behind as consumers come to expect more stringent online security measures.
Analyzing Transaction and Behavior Patterns
Security experts say that one of the best tools credit unions have at their disposal is their own database of member transaction history and behavior patterns. Neural network and rule-based scoring systems that flag suspicious transactions are considered the fastest way to identify potential fraud and lessen its impact, because they compare each new transaction against what is normal for that member (typical amounts, locations, payees, and time of day) rather than waiting for a member to report a loss. As financial institutions look to reduce risk without relying on costly manual review, these systems may provide a cost-effective means of preventing fraud.
However, credit unions have to weigh security against member convenience. For example, overly stringent controls may lock out members trying to access their funds or make payments while traveling, so a travel notice from the member should be able to suppress a location rule without disabling the amount and velocity rules. As members make online payments in increasing numbers, rules and fraud scoring thresholds need to be adjusted to reflect this activity.
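The following is an added example, not code from the article or from any vendor it mentions, of the kind of per-member scoring the two paragraphs above describe: a profile is built from a member's own history, each new transaction is scored against that profile (amount outlier, new country, new payee, unusual hour, velocity), and a travel notice suppresses only the location rule. The sample history, the rule weights, and the hold/review/allow thresholds are all constructed assumptions for illustration; a production system would tune them from actual loss data.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample history for one member (illustrative, not real data):
# (ISO timestamp, amount, country, payee category)
HISTORY = [
    ("2007-05-01T12:05", 42.10, "US", "grocery"),
    ("2007-05-03T09:30", 18.75, "US", "fuel"),
    ("2007-05-05T18:00", 120.00, "US", "utility"),
    ("2007-05-08T13:15", 35.40, "US", "grocery"),
    ("2007-05-10T08:45", 22.00, "US", "fuel"),
    ("2007-05-14T19:20", 60.00, "US", "restaurant"),
]

# Assumed thresholds: >= 70 hold the transaction, >= 30 route to manual review.
HOLD_SCORE = 70
REVIEW_SCORE = 30


def _ts(s):
    return datetime.fromisoformat(s)


def build_profile(history):
    """Summarize the member's own history into a baseline profile."""
    amounts = [a for _, a, _, _ in history]
    return {
        "mean": mean(amounts),
        "std": pstdev(amounts) or 1.0,  # avoid divide-by-zero on a flat history
        "countries": {c for _, _, c, _ in history},
        "payees": {p for _, _, _, p in history},
        "hours": {_ts(t).hour for t, _, _, _ in history},
    }


def score_transaction(profile, recent, txn, travel_notice=None):
    """Score one transaction against the profile.

    recent: transactions already seen from this member today (same tuple shape).
    travel_notice: optional (start_date, end_date, {countries}) as ISO date strings;
    it suppresses the new-country rule but nothing else.
    Returns (score 0..100, list of human-readable reasons).
    """
    ts_s, amount, country, payee = txn
    ts = _ts(ts_s)
    score, reasons = 0, []

    z = (amount - profile["mean"]) / profile["std"]
    if z > 3:
        score += 40
        reasons.append(f"amount {amount:.2f} is {z:.1f} std devs above member mean")

    if country not in profile["countries"]:
        covered = (travel_notice is not None
                   and travel_notice[0] <= ts_s[:10] <= travel_notice[1]
                   and country in travel_notice[2])
        if covered:
            reasons.append(f"new country {country} covered by travel notice")
        else:
            score += 35
            reasons.append(f"first transaction from {country}")

    if payee not in profile["payees"]:
        score += 10
        reasons.append(f"new payee {payee}")

    if ts.hour not in profile["hours"] and ts.hour < 6:
        score += 10
        reasons.append(f"unusual hour {ts.hour:02d}:00")

    # Velocity: three or more earlier transactions within the last 10 minutes.
    window = [r for r in recent if timedelta(0) <= ts - _ts(r[0]) <= timedelta(minutes=10)]
    if len(window) >= 3:
        score += 30
        reasons.append(f"{len(window) + 1} transactions within 10 minutes")

    return min(score, 100), reasons


def decide(score):
    if score >= HOLD_SCORE:
        return "hold"
    if score >= REVIEW_SCORE:
        return "review"
    return "allow"


def evaluate(history, recent, txn, travel_notice=None):
    """Convenience wrapper: returns (decision, score, reasons)."""
    profile = build_profile(history)
    score, reasons = score_transaction(profile, recent, txn, travel_notice)
    return decide(score), score, reasons


if __name__ == "__main__":
    suspicious = ("2007-05-16T03:00", 500.00, "RO", "electronics")
    print(evaluate(HISTORY, [], suspicious))
    print(evaluate(HISTORY, [], suspicious, ("2007-05-15", "2007-05-20", {"RO"})))
```

With the travel notice in place the same foreign transaction drops from "hold" to "review" because the amount and hour rules still fire; that is the convenience-versus-security trade-off the text describes, expressed as separable rules rather than one on/off switch.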
Regulators recently proposed new rules requiring financial institutions to have an identity theft program that includes "policies and procedures for detecting any 'red flag' relevant to its operations and implementing a mitigation strategy appropriate for the level of risk." The proposed regulations include guidelines listing patterns, practices, and specific forms of activity that should raise a red flag signaling a possible risk of identity theft. Credit unions will need to ensure their existing programs are detailed enough to meet, and ideally exceed, these regulatory requirements.
Automated Penetration Testing and Monitoring Systems
For many credit unions, keeping up with the latest risks and types of attacks is a daunting task. Callahan's Technology Survey found that credit unions of all asset sizes are turning to outside vendors for testing and monitoring, with three-quarters reporting that they outsource elements of firewall/IDS/IPS management and/or monitoring.
Benefits can include 24-hour monitoring, fast access to the latest security patches, and ongoing assessment of new vulnerabilities by security professionals.
Use of these services is likely to become more widespread as online attacks continue to multiply and grow more complex. Outsourcing these tasks helps ensure that credit unions have access to the most up-to-date safeguards while freeing internal IT staff for other critical functions. The credit union remains accountable for the results, however, so contracts should spell out what is monitored, how quickly alerts are escalated, and how findings are reported back.
Ensuring Internal Safeguards Are Working
Recent publicity surrounding lost government laptops and personal information databases has made us all aware of how fragile the weakest link in a security program can be. Even the best security systems rely on employees and vendors following procedures, a factor that is often difficult to fully control.
Some credit unions are finding automated network security systems helpful in monitoring employee activity to ensure that security measures are being followed. Automated systems can be used to monitor activities such as email communications, password logins, copying of files, and network access. Access can be blocked or notifications issued when suspected security lapses are found. Such monitoring should itself be covered by written policy and disclosed to staff, and the logs it produces need to be protected as carefully as the member data they describe.
Xerox FCU ($748 million, El Segundo, CA) is using an automated IT risk assessment software solution from Xacta Corp to conduct ongoing system-wide assessments. They cite benefits such as more sophisticated analysis capabilities and more frequent assessments to identify new vulnerabilities, as well as the confidence that a strong system is in place to keep member accounts safe.
Enlisting Members in the Fight Against Fraud
Member education plays a major role in preventing many types of fraud. Ongoing efforts are needed to update members on the latest types of scams and to warn them. Equally important is making consumers aware of their own role in preventing fraud. A recent Callahan Internet Strategy Consortium study found that many members had not implemented basic safeguards, such as anti-virus software or personal firewalls, on their own computers.
Online services should be marketed to members as a tool to help them monitor and manage their accounts and spot fraud. Using online banking can help detect both offline and online types of fraud. Email alerts and transaction confirmations can help members notice fraud early. Members should be told how to identify official credit union communications (for example, that the credit union will never ask for a password or full account number by email) and how to report suspicious emails.
Develop an Action Plan to Handle Security Breaches
Even credit unions with the best systems in place can find themselves responding to a security breach by another partner provider. While it’s difficult to anticipate every fraud situation, credit unions should have action plans in place covering the major types of fraud seen today, including phishing, spoofing, internal security breaches, and vendor security breaches. These action plans should be periodically reviewed and updated to ensure appropriate personnel are involved.
The action plan should cover the following issues:
• Member Notification
As security breaches do not always occur during business hours, credit unions should have a team prepared at a moment's notice to develop written notifications to members. Communications need to be carefully worded, since many phishing attempts today are themselves disguised as notices about a "potential security breach." The difficulty lies in balancing the need to inform members quickly against the need to determine the extent of a breach so as not to worry members unnecessarily.
• Resources Available to Answer
Since fraud can occur at any time, the credit union should have a plan for bringing in extra personnel to handle evening or weekend calls. The credit union should also ensure that other channels are available to respond to members, including email response and website resources such as an FAQ or knowledge base.
• Helping Members Whose Accounts Might be Compromised
The credit union should consider how quickly new credit cards, ATM cards, or account numbers can be created and provided to members. Are there provisions for members with an urgent need for a replacement card?
Depending on the situation, members may need credit monitoring tools or resolution services. While many credit unions offer fee-based credit monitoring and resolution services to their membership, they should research the cost of providing this service at no charge to members whose accounts are compromised by fraud. Credit unions should consider developing a relationship with a provider in advance so they can act quickly and communicate this service to members as soon as a breach occurs.
• Educate Employees
Employees need to be educated on all types of fraud, but they need to be particularly aware of the types of online fraud and whom to notify when members call in with suspicious situations. Employees also need to be able to respond to members who call with security questions and concerns about online banking.
The credit union’s action plan should be periodically reviewed with all employees to heighten awareness of security measures and reinforce their role.
As with physical security challenges, credit unions should perform comprehensive risk assessments periodically to understand potential weaknesses and identify areas where network security should be strengthened. Credit unions should start with their vendor relationships, understand the safeguards those vendors already provide, and implement solutions that complement them so that a broad-based plan is in place.