For a bank, protecting consumer online banking sessions from criminal activity is like protecting your family from a storm in California when you're in New York — there's very little an institution can do to protect personal computers that it doesn't own.
In light of strict new online banking authentication and protection guidelines from the Federal Financial Institutions Examination Council, a growing number of banks are using technology to dig a moat around their customers' online banking sessions. Such software is designed to protect consumers and the bank from criminal malware that may already be installed on customers' PCs. Prosperity Bank is deploying a feature that lets consumers navigate to a list of pre-approved websites during a protected web banking session.
"The customers are in a hardened sandbox where it doesn't matter how infected the environment is around them," says Jason Raymond, CIO and executive vice president of the $806 million-asset Jacksonville, Fla.-based community bank.
Prosperity has purchased IronKey's Trusted Access product. Online banking customers who want to execute financial transactions via other websites while logged into Prosperity plug in a USB device that encrypts the user's keystrokes and forms a protected network between the client and Prosperity Bank. The bank controls which sites the user can access through a whitelist of commonly accessed sites and other sites requested by consumers.
Generally, the approved sites belong to firms (utilities, retailers, brokerages) that bank customers frequently use as destinations for online account transfers. The benefit for consumers is that the security of a transfer from the bank account to an approved site is unaffected by any vulnerability on the user's PC.
The consumer's online banking session and transactions involving the approved sites all take place in a sequestered environment — any infestations from the broader internet or the user's computers can't penetrate the session. Yet there's no infringement of privacy. "People can conduct business without worrying about whether somebody is 'watching over' them," Raymond says.
Raymond says there are about 50 sites on the list, including firms such as eBay, Amazon.com, Blue Cross/Blue Shield and Charles Schwab. IronKey doesn't necessarily have a security relationship with these firms, but the bank's security strategy is to remove online banking sessions from the user's PC to a virtual environment in which layered protection is easier for the bank to ensure. "If any of our customers are performing ACH or high risk transactions, the transaction will comply with the FFIEC guidance," Raymond says.
Banks have good reason to worry about PC vulnerability. The Anti-Phishing Working Group says nearly 40 percent of all computers are infected with financial malware designed to steal account information. The group also reports that financial services is the most frequently attacked sector. Additionally, the Financial Services Information Sharing and Analysis Center says online banking account takeovers are growing at more than 150 percent per year.
IronKey rival Trusteer has also recently made headway. It signed CNB, a $1 billion-asset bank based in Clearfield, Pa., that serves the northwestern and central portions of the state. CNB will deploy Trusteer Rapport to protect online banking sessions.
The software is designed to lock down consumer browsers to protect communication between the PC and the bank site, preventing man-in-the-browser and man-in-the-middle attacks. The software also includes website authentication to shield against phishing attacks, as well as security alerts.
Other tech firms active in the space are Guardian Analytics, which detects potential fraud in online banking, and Nice Actimize, which offers technology that spots suspicious behavior online.