When it comes to online banking fraud, the numbers tell the story:
$21 billion: The amount stolen due to identify fraud.
$3 billion: The amount stolen by cybercriminals from US banks, businesses and municipalities using financial malware.
39 percent: The amount of all computers infected with financial malware.
150 percent: The rate at which online banking account takeovers are growing each year.
It’s not all bad news. Banks are working hard to protect their organizations and their customers from growing cyber threats. Javelin Strategy recently came to the conclusion that “identity fraud is up, but banks are up for the challenge.”
Guidance from the Federal Financial Institutions Examination Council (FFIEC) is the major tool that’s helping banks fight against online fraud. In 2001, the growth of remote, electronic banking led to the first FFIEC guidance. The guidance recommends the best practices for accurately identifying new customer online enrollment, and verifying identities of returning customers. At the time, username and password (single-factor authentication) was still deemed “commercial reasonable.”
By 2005, the FFIEC had to update its guidance, since single-factor authentication was deemed “inadequate” due to “significant legal and technological changes with respect to the protection of customer information, increasing incidents of fraud, including identity theft; and the introduction of improved authentication technologies.” The FFIEC called for “multi-factor authentication.” But the previous guidance could not predict future technological advances or cyber threats. In 2011, the FFIEC responded to the changing security landscape with a Supplemental Guidance to the 2005 document. Several best practices are included in the guidance as it stands today:
- Man-in-the-Middle (MITM) and Man-in-the-Browser (MITB) threats to the simple OTP (one time password). A solution is to approve every large transaction with a unique signature.
- The focus on the risk assessment process – the threats to banks are continuously evolving.
- Emphasizing layered security. Banking security is not a one-size-fits-all proposition.
- Customer education helps customers be more diligent in regularly checking their accounts, and knowing the signs of phishing and other scams.
What’s next for the FFIEC? Some are anticipating more specific guidance for mobile banking. As a market that is growing quickly – Juniper Research estimates that by 2017, more than 1 billion mobile phone users will use their mobile devices for banking purposes. Gemalto along with many in the industry agree that mobile banking poses its own unique risks, and deserves guidance of its own. It is a topic we will be discussing from time to time on the blog, so make sure you revisit soon.