Ensuring both consumer and corporate banking customers can access their accounts with the highest reasonable security and with an approachable process is a primary concern for financial institutions worldwide.
The threat landscape for online banking has changed dramatically. Regulators, such as the FFIEC, have heightened requirements for financial institutions to protect customers using their internet-based products and services.
We believe in a layered approach to online banking security, one that lets a bank choose which layers to apply to each customer segment and calibrate the level of risk mitigation accordingly. A bank can then select different controls for consumer and corporate customers; corporate customers, for example, may require additional layers of authentication because of the size of their transactions.
The recent discovery of Operation High Roller, a fraud campaign that used malware to automate attacks against online banking accounts, is an excellent example of just how important a well-thought-out security strategy is.
A layered security strategy is exactly that kind of approach, and the following five layers are what we deem an appropriate level of security for today's online banking:
Layer 1: User authentication – This step, which typically consists of a multi-factor authentication solution, is the cornerstone on which the other four layers are built. A good approach for this layer combines something you know, such as a password; something you have, which can be device-less, such as mobile and web tokens; and something you are, such as a biometric or behavioural-biometric solution.
Layer 2: Device authentication – Once the user is verified, it is important to check that they are on a recognised device. This is done through endpoint device identification and profiling, proxy detection and geo-location. These signals identify a device the customer has used before; they are a risk indicator that complements, rather than replaces, the user authentication in Layer 1.
Layer 3: Browser protection – We now know which device is being used and have verified the user. This step ensures that the browser in use is a secure communication channel. Protection can range from passive malware detection that requires no client install, to a proactive hardened browser with a mutually authenticated TLS (SSL) connection to the bank application for strong endpoint security.
Layer 4: Transaction authentication/pattern-based intelligence – For particularly sensitive transactions, such as the signing of contracts and the transfer of large sums, it becomes important to add this layer, which includes out-of-band transaction verification, transaction signing (binding the customer's approval to the specific beneficiary and amount, which also provides non-repudiation), transaction monitoring and behavioural analysis.
Layer 5: Application security – With the growth of mobile banking, it is imperative to ensure that the applications used to deliver sensitive information on mobile devices are secure, by architecturally hardening the application and requiring mutual authentication. This makes online fraud and data theft significantly more complex and costly for attackers.
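As an added illustration of the transaction signing described in Layer 4 (this is example code written for this page, not code from the original article or from ActivIdentity/HID Global), the following Python shows why binding the approval code to the transaction details defeats a man-in-the-browser that rewrites a transfer after the customer approves it. The construction (HMAC-SHA256 over the bank-issued challenge, beneficiary, amount and currency, truncated to an 8-digit code in the style of RFC 4226), the field set, the token secret and the sample IBANs are all assumptions made for the example; real products use their own schemes, such as OCRA (RFC 6287) or EMV CAP, but the principle is the same.

```python
import hashlib
import hmac
import secrets

# Constructed example secret. In practice this is provisioned into the
# customer's hardware or mobile token at enrolment and never leaves it.
TOKEN_SECRET = bytes.fromhex("3132333435363738393031323334353637383930")

CODE_DIGITS = 8


def canonical_transaction(tx: dict) -> bytes:
    """Fixed field order so the token and the bank hash identical bytes.
    The challenge is a per-transaction nonce issued by the bank, so a code
    captured from one transfer cannot be replayed on another."""
    return "|".join([
        tx["challenge"],
        tx["beneficiary_iban"],
        str(tx["amount_cents"]),
        tx["currency"],
    ]).encode("utf-8")


def transaction_code(secret: bytes, tx: dict) -> str:
    """Token side: short numeric code bound to the details shown on the
    token display. HMAC-SHA256 followed by the dynamic truncation of
    RFC 4226, applied to a transaction hash instead of a counter."""
    digest = hmac.new(secret, canonical_transaction(tx), hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** CODE_DIGITS)).zfill(CODE_DIGITS)


def verify_transaction(secret: bytes, tx: dict, code: str) -> bool:
    """Bank side: recompute over the transaction the bank is about to
    execute (not what the browser claims was approved) and compare in
    constant time."""
    return hmac.compare_digest(transaction_code(secret, tx), code)


def new_challenge() -> str:
    """Bank issues a fresh challenge for every signing request."""
    return secrets.token_hex(8)


def demo() -> dict:
    """Genuine approval vs. a malware-modified and a replayed submission."""
    # What the customer saw on the token and approved (constructed data;
    # the challenge would normally come from new_challenge()).
    intended = {
        "challenge": "9f3c2a7b1d4e6f80",
        "beneficiary_iban": "DE89370400440532013000",
        "amount_cents": 125000,
        "currency": "EUR",
    }
    code = transaction_code(TOKEN_SECRET, intended)

    # Man-in-the-browser malware swaps the beneficiary after approval but
    # can only submit the code the customer generated for the original.
    tampered = dict(intended, beneficiary_iban="GB29NWBK60161331926819")
    # A later transfer with the same details gets a new challenge, so an
    # old code is rejected.
    replayed = dict(intended, challenge="0000000000000001")

    return {
        "genuine_accepted": verify_transaction(TOKEN_SECRET, intended, code),
        "tampered_accepted": verify_transaction(TOKEN_SECRET, tampered, code),
        "replayed_accepted": verify_transaction(TOKEN_SECRET, replayed, code),
    }


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from this is that the server must recompute the code over the transaction it will actually execute, and that the token must display the beneficiary and amount to the customer before producing the code; a token that signs whatever the browser sends it, or a server that trusts the browser's copy of the approved details, gives no protection against the kind of automated tampering the article describes.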
With new, more sophisticated malware coming to light on a near daily basis, it is important for financial institutions to remain vigilant in their security efforts, both for their own benefit, as well as that of their customers.
We believe this layered approach will deliver the defence in depth necessary to ensure that banking customers of all stripes remain loyal, secure and safe as they bank from more locations and more types of devices than ever before.
Christy Serrato is solutions marketing and global business development executive for financial services at ActivIdentity, part of HID Global