03:30 PM
News
Security Management: An Ongoing Challenge for Banks
Banks face a difficult challenge in the area of security management. With a growing population of internal and external users accessing an increasing number of applications, the need has grown exponentially for banks to develop a new generation of security tools that can help them better comply with regulations, control access to confidential data and limit identity theft. At the same time, banks are challenged to institute security measures that satisfy users who are demanding both stronger security and ease of use and control -- often competing priorities.
In addition, security management is ever changing. The desire for greater functionality must constantly be supplemented with stronger security measures to offset the risks of each new capability. Moreover, these security measures must be highly nimble; they must be quickly deployed and evolve over time to anticipate and adapt to new threats and emerging risks, as well as satisfy a new generation of customers who want more-personal and customized experiences that match their lifestyles.
Lastly, the single largest security management challenge is the one most difficult to control. According to the 2007 Global Security Survey by Deloitte Touche Tohmatsu, "The greatest root cause of external breaches continues to be the human factor." In other words, banks need to continuously educate and engage customers about their online security. However, customer education is difficult at best because the group most likely to be duped is also the group most likely to not actively seek education or to ignore education initiatives altogether.
What does all of this mean? It means that truly effective security management will require the layering of a number of solutions that focus on people, process, technology and risk. Most important, the management of each layer will need to be based on its context among the diverse capabilities and limitations of the others. When all the layers are combined, it creates a powerful tool that can offer banks a much more successful way to manage their security challenges than any single stand-alone solution.
Why Security Management?
Over the past decade, as new online banking products and communication points were introduced, so were opportunities for fraudulent activity (see timeline below). It is reasonable to assume that new product introductions and the related security challenges will progress hand in hand. As functionality continues to grow, so will criminal initiatives to exploit it (see "Lesson Learned No. 1").
| Lesson Learned No. 1: Evolving Cybercrime
Over the past five years, banks have witnessed a major shift in fraudulent activity. Originally hackers would create worms and/or viruses, such as I Love You, Mamba and a host of others, with the intention of crashing systems and wreaking general havoc. Most of these programs were created as pranks with the purpose of proving to the world how smart the hackers were. Today the focus has shifted. Hackers are now aiming at specific targets with the intention of defeating their security, retrieving customer information and selling it online for a profit. In short, cybercrime has moved from destructive pranks to criminal intent. As a result, security managers have literally become the bank's security guards -- protecting customer identities and accounts in the same way that guards at a brick-and-mortar branch do. This trend has played a key role in security enhancement strategy at most banks. |
Large banks are a natural target due to their size and their maintenance of sensitive consumer information and assets. Banks are frequently the target of phishing and spoofing attacks and continue to witness new attacks, such as DNS poisoning (in which a maliciously created or unintended situation provides data to a domain name server that did not originate from authoritative DNS sources) and Man-in-the-Middle (in which the attacker makes independent connections with the victims and relays messages between them, making them believe they are talking directly to each other over a private connection when in actuality the conversation is controlled by the attacker), developed and shared through black market forums, almost weekly. Over the next year malware (software designed to infiltrate or damage a computer system without the owner's informed consent) is likely to become an even greater threat, and banks are already strengthening existing measures and building new measures to combat it.
Banks can ill afford any negative publicity about the security of their financial data. Customer confidence is paramount as persistent security concerns can quickly erode confidence in product channels, decrease profits and lead to defections. We are continuously challenged to find better ways to secure our systems and support our customers' assurance that their information is safe from predators. Developing and maintaining a top-notch authentication and security strategy is the key.
In essence, a security strategy is a road map for mitigating risks while complying with legal, statutory, contractual and internally developed requirements. Some of the basic components include defining control objectives, identifying and assessing approaches to meet those objectives, selecting controls, establishing metrics and benchmarks, testing and implementation, and performing ongoing maintenance. The ultimate goal is to increase customer confidence across online channels and reduce losses due to fraud and identity theft across the enterprise.
Like many large banks, Bank of America has developed a logical delivery road map to drive the evolution of its authentication and security programs. Our strategy involves easy-to-use layers of overlapping security systems across our online space, as well as programs for educating customers to improve prevention, detection and resolution. It also includes strong risk management/compliance features surrounding the overall design to ensure that the right measures are placed in the right areas and are updated as necessary. Such a road map includes several components:
Use a Multilayered Approach
To effectively manage security, banks need to develop an easy-to-use, multilayered system that can be leveraged across the enterprise. This can be accomplished by creating a weave of mandatory and optional channel authentication to successfully identify customers in each system, along with covert risk analysis to help determine the optimal deployment of authentication for those systems.
1. Channel authentication
Channel authentication involves identifying and controlling access within a system by associating rights and restrictions for each user. Many banks use identity management software to automate this administrative task and enable users to reset their own passwords to improve cost savings (since many help desk calls are password-related). Further, passwords can be synchronized for a single sign-on that can be used to access a wide range of systems.
Some authentications should be mandatory, while others can be optional. At Bank of America, we use a mandatory authentication technology called SiteKey. SiteKey employs a two-step process that clearly identifies both the customer and the bank when online applications are accessed. First, the bank uniquely identifies the customer's device or, if the customer is using an unrecognized device, prompts the customer to go through additional security steps (such as security questions). Once the bank has established the customer's identity, it presents an image and phrase (previously selected by the customer) to identify the bank to the customer (see "Lesson Learned No. 2").
| Lesson Learned No. 2: Improving Identity Management
One lesson learned from using a tool like SiteKey is that it drives customers to be more-active participants in identifying fraud. In many cases, when customers do not recognize their SiteKey image, they contact us to report it. We are then able to take measures to combat the potential hazard and warn other customers. Active customer involvement helps us better identify and react to fraudulent activity. |
Bank of America offers customers a second layer of authentication -- usually optional and associated with additional activities. First is ,a href="https://www.bankofamerica.com/privacy/index.cfm?template=learn_about_safepass" target="_blank">SafePass, which, during the transaction of sensitive activities, triggers a six-digit, one-time-use code that is sent to customers as a text message. Customers must then use that code to complete their activity. The bank also offers customers both automatic and account security alerts via e-mail and/or text message. Automatic alerts notify customers of account changes that potentially indicate fraud. Account alerts notify customers about specific balance, payment and transaction activity that may be suspicious.
2. Covert risk-based authentication
Risk-based authentication means tailoring authentication to the risk analysis of a customer activity. In short, we match the level of authentication to the riskiness of the device being used, the transaction being made and the behavior of the customer. Once the level of risk is established, we then decide which authentication method is most appropriate and how it should be deployed. At the same time, we strive to strike a balance between the selected authentication and a positive online customer experience.
We also rely on an array of other effective tools behind the scenes that are designed to detect and pinpoint fraudulent activity at the device, transaction and customer behavior levels. This toolbox includes capabilities that are designed to provide a higher level of service in protecting our customers and increasing the security of their information and accounts.
Integrate Cross-Channel
To increase the benefits of the multilayered security approach, the logical next step would be to extend and integrate it cross-channel. Banks need to align their efforts at multiple levels to deliver a standardized authentication and authorization experience. Strong security demands technology that can easily be integrated. This is no easy task when many organizations use a wide range of hardware and software for different business requirements.
Integration should be a critical consideration when selecting security systems. At Bank of America, we design our systems to come together into one integrated environment to create a common operating picture for easier and faster access to information when and where it is needed. We strive to select and deploy the right systems that not only get the job done, but also work together seamlessly. Advantages include reduced costs, improved business processes and a scalable, integrated enterprise architecture that grows with our organization.
Educate and Engage Customers
As noted earlier, perhaps the best way banks can protect their customers is to better educate them about security. Most of the actions necessary to protect customers from fraudsters must be initiated by the customers themselves. Banks can help ease this process by continuously educating customers on potential hazards, by providing increased authentication options, personalization and customization of the security experience, and alerts, e-mails and/or tips for better prevention (see list at right).
Accordingly, we partner closely with our customers to provide the education they require to avoid fraud. This includes proactively informing customers how to circumvent fraudulent activity and adhere to the latest safety tips and guidelines outlined by such consumer protection groups as the Federal Trade Commission and the Better Business Bureau, among others.
There are many reasons why Bank of America invests heavily in this area. First, as a service company, we feel it's our duty to serve our customers to the fullest extent possible, including fraud education. Second, educated customers are better able to serve as our eyes and ears in the marketplace -- helping us identify phishing and spoofing attacks and having them quickly shut down. Third, we believe that if we go the extra mile to protect our customers, as well as offer a zero-liability guarantee for unauthorized transactions, we can generate a greater level of trust and confidence in our systems and build a more loyal customer base. Finally, with every security effort, we help reduce our financial liability costs all around (see "Lesson Learned No. 3").
| Lesson Learned No. 3: Speeding Response Time
One of the biggest challenges banks face is the ability to react as quickly as fraudsters, whose tactics change and evolve almost daily. One way is to focus on the many "threat vectors" (i.e., potential paths of attack) in the marketplace and proactively ramp up efforts to react to them. Fast response is paramount to thwarting fraudsters and is one of the key reasons that Bank of America partners with customers. The earlier we receive warning of fraudulent activity, the faster we can respond to shut it down. |
Maintain Strong Risk Management and Compliance
A sound security strategy has several lines of defense -- from the individuals in each line of business to the executives in charge of the enterprise. All must be involved in the risk management process. All must evaluate the associated risks in doing business. Their continuing efforts help ensure compliance.
At Bank of America, our teams review information security for potential risk during the product life cycle and stay current with the latest developments so they can adjust security measures as necessary. At the same time, they monitor ongoing activity to help ensure that both process and policies are being correctly followed.
Strong policies are the backbone of security strategy. They guide the decisions made by users, managers and administrators and remind those individuals of their security responsibilities. Policies also specify the mechanisms through which responsibilities can be met, and provide guidance for successfully acquiring, configuring and auditing security systems. These should be developed in accordance with the size and complexity of the institution and be sufficiently flexible to allow for timely updates to keep pace with changes in technology as well as fraudulent activity.
Create a Win-Win Scenario
There are two certainties that banks and their customers must face: New/improved financial products will continue to be introduced to the marketplace; and those products will continue to be attacked by fraudsters attempting to expose customer information. This danger is real, and a solid authentication and security strategy is critical to keeping customer information safe. Moreover, both banks and their customers win from this effort. Such security measures can help increase customer confidence in the bank's online products and reduce the cost of fraud and identity theft across the enterprise.
How have we done so far? Bank of America has continually received a top ranking for online security from Bank Monitor and ranked No. 1 in Javelin's Online Identity Safety Scorecard and Online Card Safety Scorecard. We intend to continue down this path and will invest the necessary time and resources to maintain this leadership. We feel that our recognition as an industry leader in online security and the confidence we instill in our customers are key contributors to maintaining our 25 million online banking customers.
Customers want a high level of assurance that their online transactions are safe, and strong security measures can go a long way in giving them peace of mind. Increasing customer confidence can help increase online usage, which in turn can lead to more opportunities, better growth and competitive advantage. With more-effective security management, we can help both our customers and ourselves realize the full power of the Internet.
James Ashfield is the SVP for authentication and security management for global consumer and small-business banking e-commerce/ATM at Bank of America. Ashfield develops and manages the authentication and security strategies and product development for online and mobile banking.
David Shroyer is an SVP and product manager for online security and enrollment for Bank of America's e-commerce division, supporting 25 million online banking customers. His team's responsibilities include product management for online banking authentication, authorization, privacy and security customer education, identity management, and enrollment. Shroyer also manages the e-mail security strategy for e-commerce and acts as an expert on online threats and fraud at the enterprise level.