Multi-Factor Authentication Not Working

LOS ALTOS, Calif. - The most prevalent approach today to online security and fraud prevention is not working, said one executive who spoke to Credit Union Journal.


According to Terry Austin, CEO at Guardian Analytics, the multi-factor authentication approach taken by most financial institutions has been insufficient to stop cyber-criminals and, as a result, online account access leading to fraud "is a huge, huge problem and has just gotten worse over the last few years."

Multi-factor authentication allows access through username, password and some other identifiable factor, be it a particular image, providing an e-mail address or responding to a text message.

Rather, said Austin, financial institutions of all stripes, including credit unions, should look to recent guidance from the Federal Financial Institutions Examination Council, which included recommendations to use a layered security approach, with, at a minimum, the ability to detect anomalies and respond to suspicious online activity. "Credit unions need to monitor all of their users' activities in online banking and be able to detect when something looks wrong," said Austin.

Austin recommended that credit unions perform risk assessments and "look specifically at all of their members and where their vulnerabilities [are], and implement these baseline techniques to do monitoring and detection, and ensure that they've got the right controls in place."

He added that the suspicious behavior CUs need to monitor can range from something as simple as changing the phone number associated with an account to viewing account information from a different state at odd hours of the day.

"The notion is that everybody establishes a kind of normal behavior pattern, and mine is going to be different from yours," said Austin. "By creating a mathematical model associated with our normal behavior patterns, we can see suspicious activity very clearly."
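The per-member baseline idea described above, sketched as an added example that is not from the article or from Guardian Analytics. A simple frequency count stands in for the "mathematical model"; the member names, sample history, the 0.9 rarity threshold and the one-point-per-signal scoring are all assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample history: (member, hour_of_day, state, action)
HISTORY = (
    [("alice", h, "CA", "view_balance") for h in (8, 9, 9, 10, 18, 19, 20, 9, 18, 10)]
    + [("bob", h, "TX", "view_balance") for h in (2, 3, 3, 4, 2, 3, 23, 1, 3, 2)]
)
SENSITIVE_ACTIONS = {"change_phone"}  # assumed list of high-risk profile changes

def build_baselines(history):
    """Per-member profile: how often each hour and each state has been seen."""
    profiles = defaultdict(lambda: {"hours": Counter(), "states": Counter(), "n": 0})
    for member, hour, state, _action in history:
        p = profiles[member]
        p["hours"][hour] += 1
        p["states"][state] += 1
        p["n"] += 1
    return profiles

def hour_rarity(profile, hour):
    """Share of this member's past activity that is NOT within +/-1 hour of `hour`."""
    near = sum(profile["hours"][(hour + d) % 24] for d in (-1, 0, 1))
    return 1.0 - near / profile["n"]

def score_event(profiles, event):
    """Return (score, reasons); higher means further from this member's normal."""
    member, hour, state, action = event
    p = profiles.get(member)
    if p is None or p["n"] == 0:
        return 1.0, ["no baseline for member"]
    score, reasons = 0.0, []
    if p["states"][state] == 0:
        score += 1.0
        reasons.append(f"first activity from {state}")
    if hour_rarity(p, hour) > 0.9:  # assumed threshold
        score += 1.0
        reasons.append(f"unusual hour {hour:02d}:00")
    if action in SENSITIVE_ACTIONS:
        score += 1.0
        reasons.append(f"sensitive action {action}")
    return score, reasons

if __name__ == "__main__":
    profiles = build_baselines(HISTORY)
    for ev in [("alice", 3, "NY", "change_phone"), ("bob", 3, "TX", "view_balance")]:
        print(ev, score_event(profiles, ev))
```

The same 03:00 session scores zero for the member who is normally active at night and is flagged for the member who is not, which is the point of keeping a separate baseline per member.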

Austin added that mobile banking channels are not necessarily safer, "but not inherently any riskier" than traditional online access, and said CUs that put in layered security, do monitoring and anomaly detection "shouldn't hesitate to roll out a mobile strategy."

