Effective Online Fraud Management

By Tom Schmidt

For financial institutions, it's a disturbing fact of life: the identity theft problem is driving clients offline in droves. According to various industry surveys, 14% of Internet users no longer pay bills online, 4% no longer use Internet banking at all, and the growth rate of online banking is predicted to drop from 7% currently to 4% by 2010. For financial institutions that are increasingly committed to online banking, these numbers are more than a little dismaying.

But the prospects for online banking may be changing.

In a move widely cited as a possible harbinger for improved online banking security, Bank of America earlier this year announced that it will offer software solutions to its online banking customers. Under the agreement, Bank of America Internet banking customers will be offered a 90-day free trial and discounted subscriptions to help them protect their computers against threats from viruses, spyware, phishing scams and other online attacks.

The security software has the following features:

• Automatically detects and blocks viruses, spyware and worms
• Advanced phishing protection identifies and blocks a wide variety of fraudulent Web sites.
• Smart firewall helps block hackers and stops spyware transmitting unauthorized information.
• Intrusion prevention automatically shields newly discovered security vulnerabilities.
• Network protection configures security settings when logged on at home or on public networks.
• Full system scan performs a deep scan to remove existing viruses, spyware and other threats.

As Bruce Cundiff, a senior analyst with Javelin Strategy & Research told Bank Systems & Technology in August, the deal represents a banking best practice whose time has come.

"Deputizing the customer -- bringing them into the security process ... adds layers of security," Cundiff said.

No matter how strong a bank's security measures may be, end users' PCs end up being the weak links in the security chain, he continued. So it is in the banks' best interest to engage consumers.

How the banks rank
Cundiff's contention would appear to be borne out by recent research. In a report released in November, Javelin Strategy & Research ranked Bank of America the highest among U.S. banks in identity fraud protection, detection and resolution. The study of the top 25 U.S. banks found that, this year, financial institutions showed strength in resolution practices, but vulnerability in prevention and detection.

Bank of America earned 78 points out of a total possible score of 100. Tied in second place were JP Morgan Chase, Washington Mutual and Wells Fargo, each earning 70 points. Citibank ranked third with 69 points; BB&T and Wachovia earned the fourth and fifth highest scores.

Javelin's 2007 Scorecard revealed a growing trend in identity theft prevention and detection: "empower the customer." Among the other findings:

• Multi-factor authentication (MFA) systems in online channels are active in 88% of banks.
• User-Defined Limits and Prohibitions (UDLAP) are available in 36% of surveyed financial institutions.
• 76% of banks and credit unions require the use of full Social Security numbers.
• 80% of surveyed banks offer account-related alerts, and 49% offer personal information change email alerts.
• 28% of financial institutions offer text message alert capabilities.
• 94% of banks maintain a zero liability identity fraud policy.
• 24/7 account suspension is available in 60% percent of surveyed banks.

What the crooks are up to
By all accounts, "empowering the customer" will be essential to financial services organizations' ongoing efforts to retain customers' trust and minimize their own risk to online fraud scams.

The types of goods that are most frequently offered for sale on so-called underground economy servers during the first half of 2007 included credit cards, which were the most frequently advertised item, making up 22% of all goods advertised on underground economy servers. Bank account numbers represented the second most frequently advertised item, accounting for 21% of all goods advertised.

At the same time, phishing activity continues to be brisk. Most of the organizations whose brands were used in phishing attacks in the first six months of 2007 were part of the financial services sector. Organizations in that sector accounted for 79% of the brands that were used for phishing during this period.

Small wonder, then, that customer confidence in online banking has eroded.

The Secure Internet Banking Alliance
To rectify this situation, the Secure Internet Banking Alliance (SIBA), a program designed to unite online financial institutions to collaborate in combating threats to online transaction security, was created last year. By joining SIBA, financial institutions gain an enhanced barrier to online security risks to protect their reputation.

The centerpiece of the Alliance is an online transaction security solution that authenticates a bank's Web site at every log-in so customers know they're on a legitimate site; it also alerts customers if they've arrived at a phishing site. (If banking customers click on a link from within a phishing email, a red warning banner appears to inform them that the site is fraudulent, and they are blocked from accessing the phishing page.) Transaction security protects customers when they enter passwords, make purchases or bank online.

Online fraud protection
For their part, banks (and enterprises) need to approach online fraud protection as a program that includes the following key elements:

• Ensures end user confidence by enforcing an anti-phishing solution, endpoint protection and strong authentication.
• Provides brand protection so that the brand is not masqueraded.
• Ensures that the back-end system is not compromised in view of new  types of attacks, which need a strong policy management framework and counter-measure.
• Banks/enterprises need to look at potential issues associated with the data loss ensuring that no customer data is accidentally compromised.
• Analysis of online fraud trends is a critical requirement (to make sure no suspicious transaction is authorized).

In addition, banks and enterprises need an expert who can deal with the variety of point solutions listed above.

Conclusion
Customers trust their banks to provide a safe and secure environment. When customer trust is broken, there is a negative impact on the institution's brand equity, consumer confidence, brand loyalty and customer service costs.

Through techniques such as brand spoofing and phishing, identity thieves are convincing online consumers to surrender personal information. With consumer concerns about identity theft at an all-time high and criminal techniques becoming more sophisticated, banks need to take aggressive steps to protect their online customers.

Mitigating online fraud requires a combination of measures, including fraudulent email detection and blocking, consumer education, desktop computer security assessment and increased protection.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.