At the start of the year all financial institutions were required to have strong authentication in place to deter online fraud, and now the effort seems to be paying off.
Observers say that most banks met the Federal Financial Institutions Examination Council's requirement that customers use more than just a username and password for access to online banking.
Since bankers were not required to have stronger authentication in place at the start of the year — they only had to demonstrate progress toward the goal — it could be hard to pinpoint when the true impact of the requirement began. TowerGroup Inc., a Needham, Mass., independent research firm owned by MasterCard Inc., found that by October, 80% of U.S. banks had met the requirement for online banking, and another 15% were very close to meeting it.
Wachovia Corp. put its antifraud system in place last year and found that this year fraud dropped 9% in the online channel, though the number of phishing attacks against Wachovia rose 255% from last year. One reason for that increase is that fraudsters have to make more attempts if they hope to break through the defenses, the Charlotte company said.
Wachovia's approach is not fully visible to the end user. Rather than asking for one-time passwords or making other changes in the login procedure, it monitors the user's behavior, picking up on details such as the Internet protocol address to see whether the person trying to log in is the actual customer.
"That's worked very well for us," said David H. Stone, Wachovia's senior vice president for online customer experience. "We've seen that we are stopping a lot of fraud from occurring for our customers, a lot more than we previously had."
Though Wachovia's method is not intrusive, its customers are aware of the extra steps it has taken, he said. "Our customers seem to be pleased with the additional security that we've done."
The company further strengthened its online security system in the third quarter by adding challenge questions for certain transactions, such as moving money to an account at another bank. It uses "out-of-wallet challenge questions," such as previous addresses.
The Charlotte company plans to continue to fortify its security, because fraudsters have not been deterred, Mr. Stone said.
"That traffic has not seemed to have slowed at all due to the FFIEC guidelines," he said. "I don't think the volume" of online fraud attempts has slowed. "I think we've gotten better at fighting and preventing it."
George Tubin, the senior analyst at TowerGroup who tracked the rate of compliance with the FFIEC mandate, said that the effect has been noticeable.
Preliminary results show "fraud has decreased by 30% to 40% in the online channel in the U.S. from 2006 to 2007 specifically due to implementing the FFIEC-required authentication," he said. That estimate is based on anecdotal observations, he said, because many bankers are reluctant to share their fraud rates. (Many banking companies contacted by American Banker would not comment for this story.)
Wachovia said part of the reason its fraud rate dropped by a lower percentage than Mr. Tubin's nationwide estimate is that it beefed up its security far in advance of the FFIEC's deadline, so it was already observing a drop in online fraud last year.
"The fraud numbers have gone down," Mr. Tubin said. "Not that they were runaway before, but they have gone down."
Bankers now need to be more alert in other channels, he said, because that is where a lot of the fraud has moved as scammers look for weaknesses.
"We're hearing of both increased incidents of branch and contact center fraud and criminals working the channels to get pieces of information," Mr. Tubin said. "Going in through the Internet channel's more difficult, especially for the common criminal."
But online fraud still continues, he said. "The more educated criminals are continuing to find ways to get around the current systems in the online channels, and the others are going back to the old methods."
Mr. Stone said he could not say what his colleagues in other channels are observing, but he did say that fraudsters certainly have not disappeared from his channel.
Avivah Litan, a vice president and research director at the Stamford, Conn., market research company Gartner Inc., said that it is hard to measure the impact of the FFIEC mandate, though it certainly has had an effect.
She estimated that the percentage of account takeovers has dropped by 15 basis points in the past six months. This estimate does not include less damaging forms of online intrusion, since those are harder to measure, she said.
"We don't know how many people are logging in and looking around," Ms. Litan said.
Instead of taking over accounts online, fraudsters are using the information they get from phishing and other methods to open accounts at institutions with weaker defenses, she said. "They're focused more on opening their own accounts and moving it more into other institutions that may not notice it."
She agreed with Mr. Tubin's estimate for compliant institutions. "Ninety-five percent of the banks have done something and are meeting the guidance," she said, largely because the small banks are working with vendors that vetted compliant technology for them.
Though successful phishing attacks have grown in the past year, the dollar amount lost in each incident has dropped, Ms. Litan said, since banks are doing a better job of catching and blocking fraud.
Today "online banking is actually a model for security," she said. "The regulators definitely did a good job in this case."
However, she said there is still one unaddressed area of the FFIEC requirements: telephone banking. "The phone channel no one's paid attention to, and that's a big hole."
Fraud over the phone has risen 35% to 40% now that online banking is harder to crack, Ms. Litan said.










