Rolling Thunder: Banks, cybercriminals wage 'war of escalation'

“The bad guys only have to create one transaction that generates value, whereas the good guys have to protect every transaction”, Tapling told Infosecurity. Banks face a dilemma: “How do I preserve a quality experience for my customers the 99% plus times these transactions are valid and, at the same time, find the fraction of transactions that are suspicious or nefarious?”

One approach to address this dilemma is out-of-band authentication, which is the use of two separate networks working simultaneously to authenticate a user – for example, a phone call to verify the identity of a banking customer engaged in a web transaction.

According to a recent survey sponsored by Authentify, one-third of banks said they have plans to invest in out-of-band authentication in the upcoming year, while 70% of respondents indicated that stronger authentication layers have already been implemented.

Authentify’s 2CHK service enables banks to put fraud monitoring tools in the hands of their customers. Using the 2CHK app on their smartphone or PC, account owners can review and approve or cancel transactions that are about to execute against their accounts.

2CHK is used to combat attacks that intercept and change transaction details without the user’s knowledge. The heart of 2CHK is its secure, separate communication channel, verified through an automated phone call.

By helping banks maintain layered security controls, the 2CHK service assists them in complying with the Federal Financial Institutions Examination Council (FFIEC) authentication guidance, according to Authentify.

In June of last year, the FFIEC, a US government interagency body, issued a supplement to its 2005 authentication guidance for financial institutions, which called for beefed up risk management in terms of customer authentication, layered security, and other controls.

The supplement “establishes minimum control expectations for certain online banking activities and identifies controls that are less effective in the current environment. It also identifies certain specific minimum elements that should be part of an institution’s customer awareness and education program”, the FFIEC said.

What’s Hot on Infosecurity Magazine?