Cleveland-based KeyBank decided to open up communication with its online customers this year. When an account funds transfer occurs or a new payee is added to a bill-pay list, Key now sends out an e-mail alert. If a PIN, password or address change is made through the Web, an immediate notification occurs. Even if changes are made to the optional alerts a customer enlists in-low-balance warnings or when a CD matures-Key sends out a notice to the accountholder.
It wasn't just for convenience. KeyBank's in-house anti-fraud teams sought to use the alerts as a crucial fraud-fighting tool. They also made the bank compliant with the Federal Financial Institutions Examination Council's multi-authentication guidelines, without having to invest in a more complex authentication software with automated security questionnaires or tokens. "This was a way - as far as [covering] risky transactions - we thought would be adequate from a security standpoint, instead of having a threshold where we would have to start asking the customers more questions," says Mark Melargno, e-commerce application manager for KeyBank's consumer banking.
Instead of heavy investments in a dense authentication product involving automated security questionnaires or tokens, the expanded-alerts strategy meant Key met its FFIEC guidance standards through a simple, in-house platform with a novel concept: just tell customer what's happening.
This overhaul in Key's online security helped the bank become one of the most improved institutions in Javelin Strategy & Research's annual banking safety "scorecard," a checklist of bank precautions and activities surrounding identity theft prevention at the nation's top 24 major institutions. Key, which ranked fourth behind Bank of America, JPMorgan Chase and Washington Mutual, was also prototypical of a healthy trend among U.S. banks, according to Javelin, a vast improvement over 2005 in the detection of potential ID-fraud activity. "We're seeing improvement, no question about it, and the big improvement was on detection," says Pleasonton, CA-based Javelin president James Van Dyke, who has co-authored the scorecard report for three years based on mystery-shopping and online-site research.
Developed in-house with the business, operations and legal teams, the KeyBank alerts system pings into action for things like dormant account activity, wire transfers, unusual activity, password changes or phone, address and email alterations. Of course, the bank is not forgetting about behind-the-scenes two-factor authentication, which at Key is based on PC registration technology. But those efforts, too, are aimed at providing as little intrusion and as much confidence as possible in the bank's security concerns. The proof the changes haven't created hardships, says Melargno, is in call-center volume about the new changes. "It's not as much as we anticipated," he says.
Involving customers in the fight against fraud makes sense, as they are the most likely whistleblowers in the prevention process, according to Van Dyke. More than half the cases of identity fraud are detected by accountholders themselves.
In addition to customer deputization, the improvement Javelin noted in detection is also, in part, due to investments in multi-factor authentication working under the radar in behavioral fraud detection. TowerGroup senior analyst George Tubin says these new technologies, like Bank of America's two-factor SiteKey authentication technology (powered by RSA Security's Passmark) have only recently become available to analyze Web logs or Web transactions using the approach credit card companies have perfected to help detect anomalies. BofA, which earned Javelin's highest marks in the ranking, which encompassing prevention, detection and resolution policies, attained them primarily through SiteKey adoption.
But it was also cited for its alerting capabilities. And alerts helped propel JPMorgan Chase to the top of the heap on detection performance (ahead of BofA and KeyBank). Chase was the only institution that met all of Javelin's criteria for recommended alert tools, including changes to registered users on the account. "If you change that at Yahoo! e-mail, you're going to get a notice," Van Dyke says.
Although alerts and self-detection issues are improving, Javelin notes the lag in notifications. It's an issue that flusters Jonathan Penn, a principal analyst in identity and security issues at Forrester Research. "When I check my frequent flier miles and change my password, I get an email," Penn says. "That's great. Why doesn't my bank do that?"
Another area where banks seem to be running in place is prevention. Only half the institutions in Javelin's study met criteria for things like killing paper statements, assistance in identifying phishing e-mail solicitations, and disallowing use of nine-digit Social Security numbers in authentication.