As new technology innovations and capabilities impact the traditional products and services available within the banking industry, online and mobile banking fraud and account takeover attacks continue to serve as two of the fastest growing forms of fraud for financial institutions each year. In fact, according to recent survey results from the Financial Services Information Sharing and Analysis Center, the total number of reported account takeover attempts has more than tripled since 2009.
With the number of attacks showing no signs of slowing down, and fraud losses set to reach $4.9 billion this year according to a 2012 report from Javelin Strategy & Research, the question must be raised: Are financial institutions giving a high enough priority to addressing the issue of account takeover attacks, or are they content with absorbing the losses and writing them off?
Rather than simply continuing to absorb the losses and write off billions of dollars each year, financial institutions should be re-evaluating the effectiveness of their authentication methods and increasing security to better prevent fraud and reduce the growing risk of account takeover.
Advances in technical capabilities have revolutionized traditional payments processes and subsequently opened a new door for fraudsters to infiltrate consumer accounts via online and mobile channels. While traditional security and authentication techniques may have worked for institutions in the past, these outdated systems pale in comparison to the exceptional power and speed of current fraudsters and further highlight the need for change within the industry.
Last year, the Federal Financial Institutions Examination Council updated guidance on Authentication in an Internet Banking Environment, with the goal of enhancing authentication practices for online banking transactions. While these efforts were a step in the right direction and encouraged financial institutions to take action, financial fraud analysts still expect account takeover fraud to continue to grow in 2013 and beyond.
Although the updated FFIEC guidance has caused banks to improve their ability to detect fraudulent activity sooner, many banks remain focused on only meeting the minimum requirements from government agencies like the FFIEC in order to avoid penalties from examiners, while still being considered compliant. However, in an era where banking institutions require a thorough security strategy to prevent fraud losses from growing, simply checking the box is not enough. Compliance does not equate to secure.
Rather than soldiering on with obsolete online security practices and focusing on meeting minimal guidelines for protection, financial institutions need to break the cycle and begin employing more advanced methods of security to stay ahead of fraudsters. Those institutions that choose to continue with inadequate protection not only leave themselves vulnerable to attack, but may also be compromising the future success of their businesses.
According to a survey conducted by Harris Interactive and Entersekt, 71% of U.S. banking customers reported they would consider moving to another institution if they were a victim of online banking fraud at their current institution. While understanding the issue is one thing, successfully taking action to solve the problem is rapidly becoming a requirement for banks that wish to maintain their reputation for account security.
In order for financial institutions to prevent account takeover attacks before they occur, they must build in multiple layers of security and invest in stronger safeguards for their systems. Older forms of authentication, such as one-time passwords and SMS confirmation messages, have been successfully defeated by advanced fraudsters and are no longer viable for protection against attacks. However, there are now options available to replace these practices.
Using a completely out-of-band encrypted communication channel enhances second-factor authentication by creating a secure communication channel between the customer's mobile device and the bank. The process goes further than minimal security requirements and assures the customer that their financial information is secure by confirming the transaction over a completely separate channel, outside of the online channel that a fraudster may have compromised.
Available forms of out-of-band authentication can also leverage the customer's mobile device as the second factor. By utilizing digital certificates and ensuring that all communication between the device and the bank is securely encrypted end-to-end, transactions can be securely authenticated and digitally signed. Technology that leverages this type of out-of-band authentication has proven to thwart multiple forms of fraud, such as phishing, man-in-the-middle and similar attacks, improving customer confidence and offering banks a rapid return on their investment.
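The confirmation flow described above, as an added example that is not Entersekt's code or from the original article: the bank pushes the transaction it is about to execute to the enrolled phone, the customer approves only what the phone displays, and the bank accepts a confirmation only if it was produced with that device's key over that exact transaction. To stay within the Python standard library the example uses an HMAC with a per-device key provisioned at enrollment in place of the certificate-based digital signature the article describes; the device IDs, payees and amounts are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets

def canonical(obj):
    # Deterministic bytes so device and bank sign/verify exactly the same message.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
class Bank:
    def __init__(self, device_keys):
        self.device_keys = device_keys  # device_id -> key provisioned at enrollment
        self.pending = {}               # nonce -> (device_id, txn exactly as the bank will execute it)
    def request_confirmation(self, device_id, txn):
        # Pushed to the device over the out-of-band channel, not echoed back from the web session.
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (device_id, txn)
        return {"nonce": nonce, "txn": txn}
    def verify(self, nonce, signature):
        # Single-use nonce: a replayed confirmation finds nothing pending and is refused.
        if nonce not in self.pending or signature is None:
            return False
        device_id, txn = self.pending.pop(nonce)
        expected = hmac.new(self.device_keys[device_id],
                            canonical({"nonce": nonce, "txn": txn}), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)
def device_sign(device_key, challenge, user_approves):
    # On the phone: display challenge["txn"]; sign only what the customer saw and approved.
    if not user_approves(challenge["txn"]):
        return None
    return hmac.new(device_key, canonical(challenge), hashlib.sha256).digest()

def demo():
    key = secrets.token_bytes(32)  # constructed: the enrolled phone's secret
    bank = Bank({"phone-1": key})
    intended = {"to": "ACME-PAYROLL", "amount": "120.00"}
    swapped = {"to": "MULE-ACCOUNT", "amount": "120.00"}  # constructed: payee altered in the web session
    approves = lambda shown: shown == intended  # customer checks the phone's display against their intent
    # Altered transaction: the phone shows the bank's real version, so the customer declines it.
    ch = bank.request_confirmation("phone-1", swapped)
    tampered_declined = device_sign(key, ch, approves) is None
    # Genuine transaction is confirmed once; replaying the same confirmation fails.
    ch = bank.request_confirmation("phone-1", intended)
    sig = device_sign(key, ch, approves)
    legit_accepted = bank.verify(ch["nonce"], sig)
    replay_rejected = not bank.verify(ch["nonce"], sig)
    # Without the device key, a confirmation cannot be forged from the online channel.
    ch = bank.request_confirmation("phone-1", intended)
    forged = hmac.new(b"wrong-key", canonical(ch), hashlib.sha256).digest()
    forged_rejected = not bank.verify(ch["nonce"], forged)
    return {"tampered_declined": tampered_declined, "legit_accepted": legit_accepted,
            "replay_rejected": replay_rejected, "forged_rejected": forged_rejected}
```

The point a defender should take from the flow is that the bank never trusts the transaction details echoed from the online session; it signs and verifies the copy it pushed out of band, so a manipulated web channel cannot yield a valid confirmation.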
As incidents of account takeover attacks continue to heavily impact the financial services industry, it is important for banks to leverage the available advanced technology and security methods now rather than later, not only to protect both themselves and their customers, but to recover the billions in revenue lost to account takeover. With well-equipped, highly motivated fraudsters constantly looking to infiltrate consumer accounts, maintaining minimal levels of security is too risky. If banking institutions do not provide a more well-rounded security infrastructure, fraudsters will continue to advance their techniques to defeat online and mobile banking defenses.
Doug Parr is a senior vice president of Atlanta-based Entersekt.