ABA Banking Journal - November 2010 - (Page 46)
special advertising section
ABA Banking Journal’s White Paper for November 2010: Technology Solutions

Executive Summary

For the full article go to http://www.ababj.com/white-papers-2010
Combating Online Banking Fraud with Out-of-Band Authentication
By Sarah Fender, Vice President, PhoneFactor
877-688-6536, www.phonefactor.com

Recent forecasts predict $1 billion in online banking fraud losses in the US this year. As the incidence of online banking fraud rises to an unprecedented level, retail and commercial banking customers are growing increasingly dependent on their trusted service providers to insulate them from these threats. In addition, more sophisticated threats have emerged that redefine established security best practices and make many of the security measures in place today obsolete.

While password phishing attacks continue to be prevalent, the greatest risk today is posed by online banking trojans used to harvest credentials and launch Man-In-The-Middle (MITM) attacks; when the interception is performed by malware inside the victim’s own browser, as described below, the attack is also known as man-in-the-browser. The magnitude of their infiltration into the financial services sector is astounding. Today, online banking trojans are responsible for millions of dollars in fraudulent financial transactions each month. The ZeuS trojan alone is said to have infected hundreds of thousands of computers and penetrated 90% of the Fortune 500.

Because online banking trojans run on the same computer that is used for online banking, the trojan can hijack a user’s banking session without detection by the online banking application or the end user. The user logs in as he normally would with a username and password. Once the user is authenticated, so is the attacker. The attacker can initiate new transactions, such as ACH or wire transfers, and reroute the user’s valid transactions to “mule” accounts. In some cases, the attacker simply takes over the user’s session and displays a message telling the user that the banking website is currently unavailable.
One-time passcode technologies and most other strong authentication methods available today do not stop online banking trojans. Security tokens and SMS text methods that require a user to enter a one-time passcode into the banking website are easily defeated by MITM attacks: the trojan simply intercepts the passcode, or injects itself into the banking session after the passcode has been entered. The passcode proves only that the person at the keyboard holds the token or phone; it says nothing about which transaction is being submitted in his name.

To protect customers against MITM attacks from online banking trojans, as well as to provide the strong authentication needed to prevent the use of account credentials gained through phishing and other means, an additional layer of authentication must occur through a separate out-of-band channel. The telephone network is an ideal second channel for authentication. An automated phone call or text message provides an instant and easy-to-use method for confirming online banking logins and verifying ACH and wire transfers. The user simply answers the call and presses # or replies to the text message to authenticate.

Because the authentication is completed through the telephone network (there are no passcodes to enter into the banking website), the process is completely out-of-band: a trojan in the browser has no code to capture or relay. How much protection this gives against a trojan that alters a transaction depends on what the second channel conveys. A call or text that reads back the payee and amount lets the user reject a transfer he did not initiate; a bare “press # to approve” prompt carries no details to compare against, so a user who is expecting a confirmation may approve the attacker’s transaction believing it to be his own. By leveraging a ubiquitous device, phone-based out-of-band methods are easy for end users, scalable for IT departments, and cost-effective for financial institutions.

This white paper will look at how these threats affect online banking, customer perceptions about risk and financial responsibility, and the role of out-of-band authentication in protecting against online banking fraud.
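The two flows contrasted above, a one-time passcode typed into the banking page versus a confirmation answered on the phone, as a small Python simulation with a man-in-the-browser trojan that swaps the customer’s transfer for a mule transfer. It also goes one step beyond the text by showing what the phone channel can and cannot catch: a “press #” prompt with no details versus a call that reads back the payee and amount. This is an added example, not code from the article or from PhoneFactor; the Bank, Browser and Phone classes, the payees and the amounts are all constructed for illustration.

```python
"""Constructed simulation: in-band OTP vs. out-of-band phone confirmation
against a man-in-the-browser trojan. All names and amounts are invented."""
from dataclasses import dataclass
from typing import Optional
import secrets


@dataclass(frozen=True)
class Transfer:
    payee: str
    amount_cents: int


class Browser:
    """The customer's browser. When infected, the trojan rewrites the transfer
    on its way to the bank and relays anything the user types unchanged."""

    def __init__(self, infected: bool, mule: Optional[Transfer] = None):
        self.infected = infected
        self.mule = mule

    def submit(self, transfer: Transfer) -> Transfer:
        return self.mule if self.infected else transfer

    def relay(self, typed: str) -> str:
        return typed  # the trojan wants the passcode to reach the bank intact


class Phone:
    """The customer's phone: a separate device the browser trojan does not control."""

    def __init__(self, owner_intends: Transfer):
        self.owner_intends = owner_intends

    def answer(self, spoken: Optional[Transfer]) -> bool:
        if spoken is None:
            return True  # bare "press # to approve": nothing to compare, so the user approves
        return spoken == self.owner_intends  # details read back: the user can refuse


class Bank:
    def __init__(self):
        self.executed: list = []

    def _execute(self, t: Transfer) -> Transfer:
        self.executed.append(t)
        return t

    def inband_otp(self, intended: Transfer, browser: Browser) -> Optional[Transfer]:
        """One-time passcode delivered to the phone but typed into the web page."""
        received = browser.submit(intended)            # trojan swaps the transfer here
        otp = f"{secrets.randbelow(10**6):06d}"        # sent to the phone by SMS or token
        relayed = browser.relay(otp)                   # user types it; trojan forwards it
        # The code proves the user holds the phone; it is not bound to `received`.
        if secrets.compare_digest(relayed, otp):
            return self._execute(received)
        return None

    def out_of_band(self, intended: Transfer, browser: Browser,
                    phone: Phone, read_back: bool) -> Optional[Transfer]:
        """Confirmation answered on the phone; nothing is entered into the page."""
        received = browser.submit(intended)
        approved = phone.answer(received if read_back else None)
        return self._execute(received) if approved else None


def run_scenarios() -> dict:
    """Run the four cases and return what each bank ended up executing (None = blocked)."""
    intended = Transfer("Acme Utilities", 12_500)        # constructed
    mule = Transfer("Mule account 4417", 985_000)        # constructed
    infected = Browser(infected=True, mule=mule)
    clean = Browser(infected=False)
    phone = Phone(intended)
    return {
        "otp_typed_into_browser": Bank().inband_otp(intended, infected),
        "oob_press_pound_only": Bank().out_of_band(intended, infected, phone, read_back=False),
        "oob_details_read_back": Bank().out_of_band(intended, infected, phone, read_back=True),
        "oob_details_clean_browser": Bank().out_of_band(intended, clean, phone, read_back=True),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:28s} -> {'blocked' if result is None else result}")
```

The first two cases execute the mule transfer: the OTP is relayed by the trojan, and a detail-free “press #” is approved by a user who expected a prompt. Only the call that reads back the transfer gives the user something to refuse, and the honest customer on a clean machine still gets the transfer he asked for.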