Businesses Require Better Protection Online
31 August 2009
Jacob Jegher
Banks have taken many steps to protect customers online. Multifactor authentication (MFA), online banking policies, and consumer education are among the sentries in place. Last week, however, the FDIC issued a warning aimed specifically at the business online banking / cash management space. The alert relates to financial institutions that provide payment services online, and indicates that over the past year there has been an increase in the number of reports and losses related to online electronic funds transfers (EFTs). The alert specifically mentions "malicious software, including trojan horse programs, key loggers, and other spoofing techniques, designed to circumvent online authentication methods."

This is of particular concern as more banks are attempting to increase usage of the online channel for payments. For example, Celent is seeing a trend towards banks offering small businesses the ability to send wires online. Even consumers in some instances are being offered the ability to send wires online (see the NetBanker blog, "Bank of America to Eliminate Wire Transfers from Branches, Moving Volume to Online Banking").

In Celent's opinion, small businesses and consumers are quite vulnerable, since they do not have a corporate IT department that can keep virus protection up to date or teach them what to watch out for. Additionally, most small businesses have not been issued the MFA solutions that are appropriate for sending a wire or other payment online. Relying on the familiar image/phrase and/or challenge questions won't cut it: a key logger captures a static challenge answer as easily as it captures a password. I'm not saying that MFA is perfect; it too can be bypassed. However, Celent does believe in the use of tokens (hard or soft), or out of band authentication, when dealing with high value payments. There are several steps banks should take:
- Banks should implement a transaction monitoring solution (if they have not done so already)
- Banks should adopt out of band authentication solutions (e.g. replace traditional token by sending a one-time password to a mobile phone via SMS)
- Banks should consider offering mobile soft tokens (e.g. an application on an iPhone or BlackBerry that provides a one-time password). For more details see the following Celent blog entry, "Move Over Token, My iPhone Can do The Trick"
- Banks should revise certain policies and procedures (e.g. require a token, more frequent password resets)
- Banks should emphasize new customer education tools (e.g. training videos / blogs / podcasts on online risks, importance of virus protection, etc.)
Comments
[...] rash of business online banking fraud that has hit the market (see my blog entries on this here and here). I asked the panel if their financial institution had contacted them recently to make them aware [...]
[...] recently blogged about why Businesses Require Better Protection Online. The writeup was based on a warning from the FDIC that was aimed at businesses who bank online. [...]