While online banking fraud is not new, the losses that stem from it continue to increase year after year, as if today’s institutions are either unaware or unconcerned with the problem.

A 2013 report from RSA Security cites a 59 percent increase in phishing attacks, which leads many experts to anticipate a continued increase in fraud attacks without swift action from banks. With RSA reporting that fraud now represents a staggering $1.5 billion loss in revenue for financial institutions and experts seeing no end in sight, why isn’t more being done to combat the issue?

In an effort to decrease Internet banking fraud, the Federal Financial Institutions Examination Council (FFIEC) updated its guidance on “Authentication in an Internet Banking Environment.” In addition to requiring financial institutions to perform periodic risk assessments to ensure they are protecting their customers against new and evolving threats to online accounts, institutions are now required to adopt a layered approach to online banking security. The layered approach is designed to strengthen the overall security of Internet-based services, protect sensitive customer information, prevent identity theft, and reduce account takeovers and the resulting financial losses.

Although the updated guidance from the FFIEC is a step in the right direction, the standards do not adequately protect banks and their customers. While it requires banks to build higher walls of security, cybercriminals are constantly finding new ways to breach those walls. Too many institutions are simply opting to meet the compliance requirements to avoid penalties or fines from examiners. But simply checking the compliance box is not enough – banks are still experiencing online banking attacks and can still be held responsible for losses incurred from inadequate security. 

In the United States, courts are now finding banks liable for fraud, even when the bank was compliant with FFIEC standards. For example, PATCO Construction, Inc. recently settled a lawsuit with Peoples United over a $500,000 account takeover incident from 2009. In its ruling, the court described the bank's security procedures as "commercially unreasonable," and said the bank should have detected and stopped the fraudulent transactions that hit PATCO's account. The ruling also found that the bank increased PATCO's fraud risk by relying on insecure authentication methods for high-dollar transactions.

A simple procedure to provide stronger authentication of transactions would have saved both the bank and the company thousands of dollars in legal fees and years of time spent determining who was responsible for the loss, not to mention the reputational damage.

Readily available technologies can replace one-time passwords and challenge questions, and augment analytics, to effectively combat the increasing sophistication of cybercriminals. Deploying industry-standard digital certificates to a mobile phone uniquely identifies the device and its user, and creates an isolated communication channel between the device and the financial institution, avoiding reliance on the open Internet for user and transaction verification.

Utilizing these technologies enables financial institutions to not only meet the full guidelines suggested by the FFIEC, but go beyond traditional practices to ensure positive growth and adequately protect customers. Implementing completely out-of-band authentication that uses cryptography to sign every transaction is the most secure approach to protecting accounts. Using the mobile phone as the delivery mechanism also serves as the most convenient solution for customers.
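To make the signing step concrete, here is an added Go model of device-bound transaction signing; it is illustrative code written for this post, not Entersekt's product or protocol. It assumes a hypothetical enrollment that leaves an ECDSA private key on the phone and a public key at the bank, and constructed account, beneficiary and nonce values; the bank refuses a transaction whose fields were altered after the customer signed, and refuses a replay of a signed transaction.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// Transaction holds the fields the customer sees and approves on the phone (constructed example).
type Transaction struct {
	Account, Beneficiary, Nonce string
	AmountCents                 int64
}
// canonical hashes the approved fields in a fixed order, so the signature binds
// the amount and beneficiary rather than a bare "approve" click.
func canonical(t Transaction) [32]byte {
	return sha256.Sum256([]byte(fmt.Sprintf("v1|%s|%s|%d|%s", t.Account, t.Beneficiary, t.AmountCents, t.Nonce)))
}
// Bank keeps one enrolled device public key per account and the nonces it has honoured.
type Bank struct {
	devices map[string]*ecdsa.PublicKey
	seen    map[string]bool
}

func NewBank() *Bank { return &Bank{map[string]*ecdsa.PublicKey{}, map[string]bool{}} }

// Enroll simulates credential issuance (hypothetical): the private key is generated
// on the device and never leaves it; the bank records only the public key.
func (b *Bank) Enroll(account string) (*ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err == nil {
		b.devices[account] = &key.PublicKey
	}
	return key, err
}

// SignOnDevice is the out-of-band step: the phone displays t and signs it with the device key.
func SignOnDevice(devKey *ecdsa.PrivateKey, t Transaction) ([]byte, error) {
	d := canonical(t)
	return ecdsa.SignASN1(rand.Reader, devKey, d[:])
}
// Authorize executes t only if the account's device signed exactly these fields and the nonce is fresh.
func (b *Bank) Authorize(t Transaction, sig []byte) bool {
	pub, ok := b.devices[t.Account]
	d := canonical(t)
	if !ok || b.seen[t.Nonce] || !ecdsa.VerifyASN1(pub, d[:], sig) {
		return false
	}
	b.seen[t.Nonce] = true
	return true
}
```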

Entersekt editor

An avid scowler and violent sharpener of pencils, Editor’s bark is worse than her bite. Every scrap of writing that crosses her desk she treats with the same care she would her own privately published comic verse. Any orphans and misfits, she takes under her wing. After hours, she practices amateur type design and represents her local library in extreme kerning competitions.

Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.