Securing The Weakest Link

All the internal security in the world won't protect a bank whose customers conduct financial transactions from an unprotected PC or mobile device. To defend themselves and their customers against Web-based fraud, banks are offering customers USB tokens and security software from providers who say these tools can secure online banking sessions, even if the end-users' PCs are riddled with malware.

Fairfield County Bank, for instance, is requiring all corporate customers that initiate ACH and wire transactions to use secure USB tokens from IronKey to ensure funds are not hijacked by criminals.

Called IronKey Trusted Access, the solution works via a read-only portable USB device. When plugged in, the device encrypts the customer's keystrokes and launches a virtualized operating system, a secure browser, and a protected network between the client and the bank. The bank controls and pre-approves access to sites.

The aim is to create a partitioned or virtual machine that's walled off from the rest of the PC, so it's protected from the host's operating system, its applications and the wilds of the Internet - all places where malware lurks. "You literally plug it in, put in your password, and the device creates a machine that is only used for online banking," says Christina Bodine, cash management officer in business e-banking at Fairfield County Bank. "Clients can proceed to bank online as they always have."

Protecting customers has become paramount for banks mainly because customers are often the weakest links, and hence the biggest threat vectors, in online transactions. And guarding clients against Web-based malevolence is as much about the banks' self-preservation as it is customer service: Online heists can result in customer lawsuits where, regardless of verdict, no outcome is good, particularly if everybody except the criminals loses something, whether it's reputation, customers, vendors, legal fees, stolen funds, or all of the aforementioned.

Investments in Web fraud detection are "easily paid back... sometimes in as little as six months," Avivah Litan, vp at Gartner Research, said in a Web Fraud Detection report released in April. Users, including banks, reported fraud reduction rates of 80 percent or more after deploying online fraud protection solutions, she said. Fairfield is including the cost of IronKey Trusted Access in its existing corporate cash management services fee, so "customers shouldn't see any change" in fee levels, Bodine says. Other banks offering the service as an optional feature have funded it by adding a small monthly fee per token. "We have retention goals in mind, so we made it very affordable," says Debbie Myers, svp of e-banking and business services manager at Bank of North Carolina.

Some larger banks are offering free downloads of kernel-level protective solutions like Trusteer Rapport, which specifically monitor online banking browser sessions for malicious actions and block any odd activity. Since March 29, Bank of America has been offering Trusteer Rapport for free over its Web site. The solution proved its worth to the bank during demos in which it successfully protected a banking session on a keylogger-infested computer.
