Online Banking Fraud Measures Must Balance Effectiveness, Consumer Intrusion: Report

Using an effective online banking data-security method customers view as nonintrusive represents the best option for financial institutions as fraud-prevention capabilities increasingly become key factors in consumer choice, a fraud expert suggests in a recent study report.


“Corporate clients are the key for the banks, and they have to convince those clients that the bank is secure,” says Julie Conroy McNelley, senior analyst with Aite Group and author of “Online Fraud Mitigation: Tools of the Trade.”

Banks face “a balancing act” in how they inform a prospect about data-security methods because there is a danger of scaring them off if they view the methods as too complex or too lackadaisical, McNelley tells PaymentsSource.

“No one has perfected the equation yet,” she adds.

“Online Fraud Mitigation” represents an overview of the effectiveness of various fraud-protection devices banks use to protect customers’ online-banking sessions. McNelley interviewed fraud-management executives from 32 North American financial institutions to compile the second of five parts of a cybercrime report Boston-based Aite Group will release through early 2012.

The report examines behavior analysis, knowledge-based authentication, one-time password tokens, complex device printing, and out-of-band authentication as key online fraud-prevention measures.

Of those measures, financial institutions viewed behavior analytics and out-of-band authentication as effective and controllable measures, the report states.

Banks favor behavior analytics, which monitors what a customer tends to do during an online-banking session and establishes guidelines for that expected behavior, because it is effective and there is no intrusion on the customer, McNelley says.

“If someone comes online and tries to change a user name and then transfers money to that new user, then the bank knows that’s a problem,” McNelley says.

In out-of-band authentication, the bank sends a one-time password to the customer’s mobile device, or places a voice call to the customer’s mobile phone, and the customer enters that password when prompted during the online session, McNelley explains.

Because the process requires interaction between two devices owned by the accountholder, it also alerts the owner to a problem: a prompt arriving for a login or transaction he did not initiate is itself a warning sign, McNelley adds.

“It’s a great technology and highly effective,” McNelley says.

Though one participating financial institution called out-of-band a “must have,” others said it may be too difficult for customers to execute, and its effectiveness must be balanced with usability, the report states.

One of the original forms of online banking data security, knowledge-based authentication, in which the customer submits answers to personal questions only he would know, remains a popular choice, the report states.

Complex device printing, software that records the parameters of the customer’s computer to create a “fingerprint” identifying it as the device to be authenticated for an online banking session, is not as prevalent, especially among smaller banks, the report states.

In general, mid-size financial institutions are struggling to keep up with the costs of fraud technology, McNelley says.

“It’s a tough situation for them, and in some cases they need to seal the gaps with manual oversight, but that can get costly, too,” McNelley adds. “The one thing they can’t do is ... do nothing.”

Regardless of which defense method a financial institution views as the most effective, the key strategy remains a layered method in which strong authentication occurs at login and fraud controls exist at the point of the transaction, the report emphasizes.
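The two controls the report singles out, behavior analytics over the session (McNelley’s “change a user name, then transfer money to that new user” pattern) and a layered design with a check at login and a fraud control at the point of the transaction, can be sketched as a small rule engine. The code below is an added illustration written for this article, not Aite Group’s or any bank’s implementation; the event format, the customer profile, the rule names, the weights and the score thresholds are all assumptions, and the sessions are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Profile:
    """What the bank has learned about this customer from past sessions (assumed shape)."""
    known_payees: set
    known_devices: set
    typical_transfer_max: float


@dataclass
class Event:
    """One action in an online-banking session (assumed shape)."""
    ts: datetime
    kind: str                       # "login", "profile_change" or "transfer"
    attrs: dict = field(default_factory=dict)


# Assumed rule weights; a real deployment tunes these per institution.
RULE_WEIGHTS = {
    "unknown_device": 20,
    "new_payee": 25,
    "change_then_new_payee": 60,
    "amount_above_typical": 30,
}


def login_risk(event, profile):
    """Login-time layer: flag a device the customer has not used before."""
    hits = []
    if event.attrs.get("device_id") not in profile.known_devices:
        hits.append("unknown_device")
    return hits


def transaction_risk(transfer, session_so_far, profile, window=timedelta(minutes=30)):
    """Transaction-time layer: rules over this transfer and the session that preceded it."""
    hits = []
    payee = transfer.attrs.get("payee")
    amount = float(transfer.attrs.get("amount", 0))
    new_payee = payee not in profile.known_payees
    # Behavior rule: a profile change (user name, contact details) shortly before
    # a transfer to a payee never seen before is the pattern McNelley describes.
    recent_change = any(
        e.kind == "profile_change" and timedelta(0) <= transfer.ts - e.ts <= window
        for e in session_so_far
    )
    if new_payee and recent_change:
        hits.append("change_then_new_payee")
    elif new_payee:
        hits.append("new_payee")
    if amount > profile.typical_transfer_max:
        hits.append("amount_above_typical")
    return hits


def decide(score):
    """Map a risk score to an action; the middle band is where out-of-band step-up fits."""
    if score >= 70:
        return "hold_for_review"
    if score >= 25:
        return "step_up_out_of_band"
    return "allow"


def evaluate_session(events, profile):
    """Run both layers over a session in time order; return (score, rule hits, decision)."""
    hits = []
    seen = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "login":
            hits += login_risk(e, profile)
        elif e.kind == "transfer":
            hits += transaction_risk(e, seen, profile)
        seen.append(e)
    score = sum(RULE_WEIGHTS[h] for h in hits)
    return score, hits, decide(score)


# Constructed sample data: one customer profile and three sessions.
PROFILE = Profile(known_payees={"ACME Utilities", "Landlord LLC"},
                  known_devices={"dev-home-laptop"},
                  typical_transfer_max=1500.0)
T0 = datetime(2011, 10, 3, 9, 0)
SUSPICIOUS_SESSION = [
    Event(T0, "login", {"device_id": "dev-unknown-77"}),
    Event(T0 + timedelta(minutes=2), "profile_change", {"field": "username"}),
    Event(T0 + timedelta(minutes=5), "transfer", {"payee": "New Payee 9", "amount": 4000.0}),
]
NEW_PAYEE_SESSION = [
    Event(T0, "login", {"device_id": "dev-home-laptop"}),
    Event(T0 + timedelta(minutes=4), "transfer", {"payee": "Plumber Co", "amount": 300.0}),
]
NORMAL_SESSION = [
    Event(T0, "login", {"device_id": "dev-home-laptop"}),
    Event(T0 + timedelta(minutes=3), "transfer", {"payee": "ACME Utilities", "amount": 120.0}),
]

if __name__ == "__main__":
    for name, session in [("suspicious", SUSPICIOUS_SESSION),
                          ("new payee", NEW_PAYEE_SESSION),
                          ("normal", NORMAL_SESSION)]:
        print(name, evaluate_session(session, PROFILE))
```

The point of the three bands is the balance the article keeps returning to: the routine session passes with no intrusion at all, the merely unusual one triggers the out-of-band prompt (which is only worth its friction when something is out of pattern), and the session that matches the known fraud pattern is held rather than left to the customer to sort out.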

In addition, financial institutions should avoid certain practices, McNelley contends.

“I was at a conference recently, and numerous attendees got a similar text message sent to them saying their credit card was deactivated and they should call a certain number,” McNelley says.

“The consumer should never call a number like that, and a financial institution should never set up a message like that. So this was ‘smishing’ or phishing via short message service text messaging by cybercriminals,” she adds.

In another instance, McNelley noticed a bank sent an email in which tiny print at the bottom stated, “If you are concerned about the authenticity of this email, click here.”

“If you are uncertain about something being authentic, you should never click anything. And it turns out this was a legitimate bank ad, so the marketing people slipped one by in this case,” McNelley says.

As communication channels between a financial institution and its customers grow, the problem of assuring whether something is authentic will get more complicated, McNelley suggests.
