Personal Browser for Online Fraud Prevention
Despite the best efforts of financial institutions around the globe, online fraud continues to happen. Traditional prevention approaches, including the detection and prevention of suspicious logins, data mining for transaction anomalies and real-time monitoring of account activity, stop some of the fraud, some of the time. Yet, even with a multi-layered detection and prevention approach in place, cybercriminals continue to make millions.
When losses result, customers often believe that regardless of their inability, or unwillingness to implement secure online banking practices, the bank will reimburse their account for the entire loss. Depending on the size of the loss, the customer may, in fact, be correct. It may make more sense for the bank to reimburse a small loss than dedicate the time and effort needed to deny the claim. Over time, losses mount while customers continue to expose their personal information to cybercriminals.
In a recent case involving Choice Escrow Land Title LLC and BancorpSouth, the court sided with the bank regarding a $440,000 loss associated with the theft of the company’s online banking credentials and subsequent fraudulent wires. The court based its ruling on the fact that Choice Escrow had previously declined to use a process recommended by the bank requiring two employees to approve wire transfers, aka “dual control.” However, in two separate, highly publicized cases involving Comerica and People’s United Bank, the courts ruled in favor of the customer.
Given the verdicts to date, and the degree of unpredictability associated with any legal action, there is no guarantee that a court will rule in favor of the bank – regardless of the degree to which the customer failed to protect their online credentials from compromise.
Never-ending Education Chore
Financial institutions have long embraced customer education as an effective fraud prevention tool. In fact, walk into most branches and you will see a poster in the lobby detailing online fraud prevention best practices. Unfortunately, consumer education is a never-ending chore that is usually destined to fail.
Every day, companies bombard consumers with “urgent” messages that are all too easy to ignore. Not surprisingly, regardless of the frequency and sense of urgency associated with a bank’s fraud prevention campaign, customers often ignore the message. Even in the rare event that the customer does pay attention, they may only retain the information for a relatively short period. The shelf life of an anti-fraud campaign is far shorter than banks would like to admit.
In order to prevent online fraud, the FBI and the American Bankers Association (ABA) recommend designating one computer for all online banking that the user never uses to open email or browse the internet. The rationale is that by limiting exposure to the internet, the machine will remain virus free. While this sounds logical, the primary benefit that online banking provides the customer is convenience. Limiting online banking to one computer removes much of the convenience factor.
Further, if the customer dedicates a single computer for online banking, they may be lulled into a false sense of security. Without taking additional steps, such as assigning a static IP address and installing the latest anti-malware software, even a dedicated machine is subject to compromise.
When given the choice, customers will routinely opt for the “path of least resistance” when conducting business online. The more complex the process, the less likely the customer will be to comply. Attempting to shift too much of the compliance burden to the customer will meet with resistance, and ultimately rejection. The last thing that a bank wants to do is make their online banking channel so unappealing to their customers that they leave in droves for a financial institution with less stringent online security.
Unless customers are provided with a minimally invasive approach to secure their online banking activity, they will continue to engage in reckless behavior that exposes their personal information to cybercriminals.
Achilles Heel of Online Fraud
To date, fraud prevention technology has overlooked the primary point of failure – the end user’s computer. Extending fraud prevention to the end user’s computer in the form of a secure browsing platform can dramatically reduce fraud-related losses. Such a browser, typically delivered on a USB device, creates a protected connection to the financial institution’s website. Since transactions can only take place via the personal browser and a secure proxy server, any malware that exists on the user’s computer is “blind” to the exchange of customer information.
Using this approach, the exchange of critical information in the transaction takes place at the server level, instead of at the user’s machine. A secure personal browser also thwarts more sophisticated tactics such as pharming, man-in-the-middle (MITM) and man-in-the-browser (MITB) attacks. Essentially, the device turns the user’s computer into a dedicated machine for online banking that isolates critical data from the cybercriminal’s prying electronic eyes. Such an approach is effective, yet does not place an excessive or unrealistic compliance burden on the customer.
As part of a bank’s multi-factor authentication process, the USB device can also function as another “factor” that must be present, or in this case, plugged into the user’s computer to allow online banking access. This comes on top of a bank’s existing requirements, such as security images, challenge questions and one-time passwords.
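As an added illustration (not code from the article or from Easy Solutions), this sketches one way the USB device could serve as the possession factor described above and make a man-in-the-browser edit detectable at the secure proxy: the device holds a key the PC never sees and MACs the transaction the customer approved against a per-transaction nonce. The device ID, key, proxy-side key store and transaction fields are constructed assumptions; the article does not describe the product's actual mechanism.

```python
import hmac
import hashlib
import secrets

# Constructed example values: the device key is provisioned onto the USB
# personal browser at enrollment and mirrored at the bank's secure proxy.
# It is never stored on the customer's PC, so host malware cannot read it.
DEVICE_ID = "usb-browser-0001"                                  # constructed
DEVICE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # constructed
PROXY_KEYS = {DEVICE_ID: DEVICE_KEY}  # proxy-side copy (assumed design)


def canonical(txn: dict) -> bytes:
    """Fixed field order so the device and the proxy MAC identical bytes."""
    return f"{txn['account']}|{txn['payee']}|{txn['amount']}".encode()


def proxy_new_nonce() -> str:
    """Per-transaction challenge issued by the proxy; defeats replay."""
    return secrets.token_hex(16)


def device_sign(nonce: str, txn: dict) -> str:
    """Runs on the USB device / personal browser, next to the key."""
    msg = nonce.encode() + b"|" + canonical(txn)
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()


def proxy_verify(device_id: str, nonce: str, txn: dict, tag: str) -> bool:
    """Runs at the secure proxy; recomputes the MAC over what it received."""
    key = PROXY_KEYS.get(device_id)
    if key is None:
        return False  # unknown device: possession factor absent
    msg = nonce.encode() + b"|" + canonical(txn)
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def simulate(tamper: bool) -> bool:
    """One wire transfer; tamper=True models a MITB rewriting the payee."""
    nonce = proxy_new_nonce()
    approved = {"account": "12345678", "payee": "ACME Supply", "amount": "4400.00"}
    tag = device_sign(nonce, approved)
    sent = dict(approved)
    if tamper:
        sent["payee"] = "Mule Account"  # altered on the infected host after signing
    return proxy_verify(DEVICE_ID, nonce, sent, tag)
```

The check only helps if the device signs what the customer actually approved on a path the host cannot alter; a device that signs whatever the host hands it adds a possession factor but no MITB protection.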
It is time that banks look beyond their own infrastructure and provide customers with the tools that they need to safely bank online. It is in everyone’s best interests to ensure the safety and security of the online banking channel, starting with the security of the end user’s browser.
Mr. Ingevaldson is chief technology officer for Sunrise, Fla.-based Easy Solutions, a security vendor focused on the comprehensive detection and prevention of electronic fraud across all devices, channels and clouds. He can be reached at [email protected].