Tim Lenhoff is monitoring the legal haggling between banks and business clients over fraud losses with a keen eye to prevention. "We are trying to protect ourselves from that type of situation," says Lenhoff, chief technology officer of the $4.6-billion asset Columbia Bank, which is based in Fair Lawn, N.J. and has 44 branches throughout the state.
Lenhoff is responsible for not only coming up with a tech strategy that's designed to mitigate web fraud, but making sure the strategy actually works — which can be two different things. In a recent high profile case, a court suggested that even having adequate tech protection may not be enough to stave off liability for business fraud losses so clearly tech's not enough.
"If you look at [that case], the bank had a solution but wasn't following up property, so you have to have good procedures and make sure you are following up on them," Lenhoff says.
In addition to heavy transaction monitoring and encrypting online banking to sequester it from other internet activity at the user level, the New Jersey bank is also monitoring interaction between the bank and business clients and is using an alerting program that communicates fraud threat detection and preventative actions with business clients.
Direct personal communication with clients is also part of the strategy, to update businesses on emerging web fraud threats, what the bank is doing on the tech and business side to mitigate those threats and what the businesses themselves can and should do to protect themselves. "We tell them they should be doing email monitoring, for example, and use dual transaction authorization [in which two executives have to approve payments]," he says.
Lenhoff says bank execs have been traveling throughout New Jersey holding breakfast meetings with business clients to discuss fraud prevention, as well as the laws surrounding business banking fraud, a topic that's often just as educational for the bank. "It's amazing that many of them believe that if someone hacks into their account and they lose money, we will just give them money to recoup the losses," Lenhoff says.
Unlike consumer theft, the financial responsibility for business account fraud losses is much more nebulous, and is the subject of numerous court cases. Even with the high profile nature of the cases, many business owners think the rules are the same for businesses and consumers, Lenhoff says. "To them it was a bit of an eye opener," Lenhoff says.
Technology is also a heavy part of Columbia's strategy. It has recently deployed several layers of fraud prevention software for businesses, and plans to extend web protection for consumers in the coming year, since the threat is considered greater on the business side. "We haven't had a consumer account takeover or fraud attack, but it has happened to the business side," Lenhoff says.
On the business side, Columbia is using a mix of products to protect internal devices from malware attacks and account takeover, such as Rapport from Trusteer and Blue Coat web filtering. Blue Coat uses a combination of traffic and content tracking, reputation analysis, script analyzers, malware scanning, sandboxing and browser simulation of real-time web requests to identify malware threats.
Rapport is downloadable software that locks down users' browsers and encrypts communication between a customer's device and the bank during an online banking session — a measure designed to thwart malware attacks, screen scraping and installed technology that monitors a user's keystrokes. The software also ensures authentication credentials can only be viewed by genuine sources. Users have extra protection when visiting other websites that use Trusteer, including banks such as Bank of America (BAC), ING Direct (ING), CIBC (CIBC), First Direct and HSBC (HSBC), that are commonly visited during an online banking session. When visiting these protected sites, a green icon is displayed near the URL; a grey icon shows up for unprotected sites. Trusteer additionally blocks redirection attacks -- or the hijacking of URLs — and includes an internal store for all data worked on during an online banking session.
The web protections are free and optional for business clients, and Lenhoff says about 52 percent of the bank's business clients are currently participating. A marketing campaign is planned to increase participation among the other businesses. "The bad guys know there's more money in business accounts, so if you get a takeover it can be more beneficial to the crook," Lenhoff says.
The bank has created an internal ticketing system that monitors interactions between customers and the bank to determine who at the bank is engaging with corporate clients, and for what purpose. It also uses Trusteer as part of an effort to monitor back-end processing to spot unusual activity during online banking sessions. "If someone is always using Explorer in New Jersey to log into online banking and all of a sudden is signing on with Firefox in Japan, we can spot that and send out an alert," Lenhoff says.