I think saying "if you could only do one" can be a dangerous game and is probably not beneficial since I really do believe in a layered approach.
With regards to giving a weight to the various options (event monitoring, multi-factor auth and transaction auth) I think event monitoring should probably comprise about 50% of your total solution (budget/efforts/etc) and the others spread evenly at 25% each.
If you implement a multi-factor auth solution to authenticate logons, then you should definitely be using the same system to authenticate payments or other key account activity as well, to maximise its value.
12 Oct 2011 11:28
Fraudsters are always looking for new ways to steal money, and this is an example of how they are working across different platforms to breach security. However, I think it is wrong to say that this necessarily enables them to 'fly under the radar of fraud detection systems'. True - many financial institutions use out-of-band authentication - but it is rarely used in isolation.
The strongest fraud detection always comes back to one key premise - knowing your customer: knowing what transactions they do, who they send money to, what amounts they spend, where they log on to their online banking site from, when they typically do transactions etc. Banks have got, at their fingertips, everything they need to build up a detailed picture of normal behaviour for their customers and any transaction that falls outside of that, even if it has apparently been authenticated by a mobile phone, should still be treated as suspicious.
Of course, it is important to educate customers about threats, and ensure they know not to open suspicious messages or links - but the right security system needs to assume all these things will happen anyway, but the customer is still protected.
07 Oct 2011 12:19
Unfortunately, I'm not surprised by these figures. Fraud, of all types, is a serious problem across all areas of society, and I completely agree with the NFA that everyone has to play their part to help beat the criminals. For their part, banks in the UK and around the world make significant investments in their fraud prevention tools and people, using many different techniques to try to identify any suspicious activity and stop fraud as soon as they can. But it isn't enough to leave the problem to the government, police or banks; every single person must also take fraud seriously and try to protect themselves and their money.
This can be as simple as not throwing sensitive personal information in the bin, checking bank statements regularly and flagging anything suspicious, or protecting your PIN when withdrawing cash or using a card to pay in a shop or restaurant. It would be naïve to think we will ever be able to eliminate fraud completely, but there's no reason why we can't all work together to reduce it significantly.
27 Jan 2011 12:41
This news is very concerning, although it probably isn't surprising. What this means is that we are likely to see a sharp rise in the more sophisticated, and harder to detect forms of internet banking fraud such as man-in-the-browser, which may signal the beginning of a new wave of internet banking fraud globally.
Banks need to ensure they are monitoring customer behaviour and profiling their typical activity. The highest risk patterns such as transfers to a new beneficiary need to be risk ranked and checked using alternative methods of communication such as an SMS message to a mobile phone - even by those banks that employ multi factor authentication as part of the login process.
21 Oct 2010 13:34
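The profiling and risk ranking described in the comments above (who the customer pays, what amounts, where and when they log on, and out-of-band checks on transfers to a new beneficiary even after multi-factor login), as an added example that is not part of the original comments. The field names, weights, thresholds and sample data are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Profile:            # constructed "normal behaviour" for one customer
    beneficiaries: set    # payees the customer has paid before
    amounts: list         # recent payment amounts
    countries: set        # countries the customer usually logs on from
    hours: range          # hours of day the customer usually transacts

@dataclass
class Txn:
    beneficiary: str
    amount: float
    country: str
    hour: int
    mfa_passed: bool

# Illustrative weights (assumptions, not values from the comments).
WEIGHTS = {"new_beneficiary": 50, "unusual_amount": 30,
           "unusual_location": 15, "unusual_time": 5}

def risk_reasons(p: Profile, t: Txn) -> list:
    """List every way the transaction falls outside the customer's profile."""
    limit = mean(p.amounts) + 3 * max(pstdev(p.amounts), 1.0)
    checks = {
        "new_beneficiary": t.beneficiary not in p.beneficiaries,
        "unusual_amount": t.amount > limit,
        "unusual_location": t.country not in p.countries,
        "unusual_time": t.hour not in p.hours,
    }
    return [name for name, hit in checks.items() if hit]

def decide(p: Profile, t: Txn) -> tuple:
    reasons = risk_reasons(p, t)
    score = sum(WEIGHTS[r] for r in reasons)
    # t.mfa_passed is deliberately ignored: an authenticated session that
    # behaves abnormally is still treated as suspicious.
    if score >= 50:       # a new beneficiary alone reaches this threshold
        return "confirm_out_of_band", score, reasons
    if score >= 20:
        return "review", score, reasons
    return "allow", score, reasons

# Constructed sample data.
PROFILE = Profile({"landlord", "utility"}, [40, 55, 60, 45, 50], {"GB"}, range(7, 23))
ROUTINE = Txn("landlord", 55, "GB", 10, True)
NEW_PAYEE = Txn("acct-unknown", 950, "GB", 3, True)
BIG_KNOWN = Txn("utility", 900, "GB", 10, True)
```
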
I can see why Juniper would refer to this as a win-win situation by improving dialogue between banks and the customers, but reading this story actually causes me a few concerns. Communication is essential but it must be managed properly.
If customers are receiving an SMS message every two days from their bank then it risks turning into 'white noise', just there in the background and consumers will stop noticing it. When banks are using tools such as SMS to communicate with their customers for areas such as fraud prevention, for example, it is important that customers read and respond to messages immediately, especially if they are being told of a transaction on their account that is fraudulent.
With the way technology is evolving, surely it won't be long until you can auto-file SMS messages in the same way that many email systems allow you to do today - and if customers are inundated by messages from their banks will they stop reading them all? I would caution banks in overuse of any communication tool, and instead communicate in the way that best suits the needs of that particular message - be it email, SMS, phone or even good old Royal Mail.
17 Aug 2010 11:25
This is an interesting story and is obviously one for debate! I can understand the desire from consumers to use an online money management site and, indeed, any site that makes it easier for consumers to interact with their bank, such as regularly checking statements, has significant possible benefits.
However, I would be interested to understand further how sites like this interact with the banks' security systems. Preventing fraud over the online banking channel is an imperative for banks, and to do that many are implementing intricate security processes and checks at the authentication stage. The risk is that these aggregator sites may pose a weak link in the security chain, for example if they can't fully facilitate so called 'out-of-band' communication, or the necessary IP address information for IP checking.
I would also highly encourage consumers to check with their banks about any potential liability shift through the use of sites - for example it may be that if the consumer 'gives' their login details to a site like this, they in turn become liable for any subsequent fraud losses.
Saying that, however, it will be interesting to see how this technology develops. If any potential security threats can be mitigated then there is the potential that these sites could, in turn, actually provide an additional layer of transaction monitoring for banks across different organizations, rather than the bank only having its own data as a way of identifying potentially fraudulent transactions. I will watch with interest.
12 Aug 2010 10:33
Uri,
You have hit the nail on the head with this. SEPA not only increases the speed and reach of where fraudsters can funnel money, but it delivers the same ease at which domestic transfers can be done to countries who may not have the same strict banking, KYC and policing structures in place.
This effectively gives the fraudster that ability to hide in a country with little ramifications for fraud and siphon money from customers in all of the "plump" nations. I've personally been involved in talks with many of our customers about these potential problems and they are well aware, and well positioned with countermeasures. With a robust, real time solution in place, there are lots of strategies that can be done to mitigate the risks, but they certainly do exist!
27 Jul 2010 11:31
Visa's CodeSecure initiative is a good one that finally makes multi-factor card security realistic and convenient for customers, removing the need to carry around another device. For online merchants the use of the card to generate an OTP (one-time password) will remove the main obstacle to VbV, which is the challenge of remembering yet another infrequently-used password which, in turn, risks the retailer losing sales at the final stages of checkout.
For online banking, however, Visa CodeSecure does not eliminate the problem of more sophisticated attacks such as man-in-the-middle or man-in-the-browser where fraudsters can manipulate a legitimate online banking session to redirect funds to their own accounts. Banks must ensure they take full advantage of the technologies offered in these solutions, such as signing transactions and educating their customers as to what to expect when using the new cards online, since fraudsters can socially manipulate customers into inputting false data to allow fraudulent transactions to be placed. Banks must also ensure they have a robust fraud detection solution in place to allow customer behaviour profiling and monitoring as well as real time prevention to take full advantage of these strategies.
02 Jun 2010 14:02
This story may alarm some consumers, but it isn't actually a new threat. Attacks of this type have been happening for a while, and the Canadian banks and Interac are very aware of the situation. It isn't possible to always block every fraud attempt, but they use the latest technologies, including comprehensive point of compromise tools, to identify potentially vulnerable cards and stop them before they fall victim to the criminals.
19 Feb 2010 15:28
"It merely closes just one of the many doors open to criminals."
Dean, are you saying banks should, instead, leave all the doors open and not bother? Seems to me that closing any door possible is better than leaving it open. Anything to lower the ROI for a fraudster is going to dissuade them from attacking you personally.
11 Jun 2009 09:49
Transaction Fraud Systems and Analysis