ABA Banking Journal - December 2010 - (Page 24)
tech topics | digital branch banking and capital markets at Microsoft. “What it does is aggregate information and acts as a portal to pull information from those back-end systems.”

Harland Financial Solutions is yet another player, with its Active:View Content Management system.

[For further vendor references, check with Lisa Gold Schier, lgoldsch@aba.com, 202-663-5098, with ABA’s Corporation for American Banking; Bill Kroll, bkroll@aba.com, 202-663-5574, who heads ABA Business Solutions; and with Jamie Fitzsimmons, 202-663-5227, jfitzsim@aba.com, contact person for ABA Service Members. Or select the “Products” pulldown on aba.com.]

Simple is the way to get going

Most people are under the misconception that you have to do everything at once when you move into a paperless environment. “It’s important that they dissect all the processes and implement them one at a time,” says Wausau Financial System’s Pitzo.

Generally speaking, paperless conversion should start from simplest to more complex. This could go from automating signature cards to keeping track of safety deposit usage. Then could come new-account opening and trust account opening. The more advanced applications would begin with consumer lending, then mortgages, and finally commercial lending.

Also important is recognizing that there is a cultural shift involved. “I can remember when, years ago, we implemented loan-file imaging and we had to fight the lenders from keeping ‘shadow files’ in their desks,” recounts Paul Cornell of SpiritBank, “which defeated the [whole thing.] It takes time for people to have confidence in the system,” he adds. “Old habits are hard to break.”

TechnoFILE

Online fraud: new threats, better deterrents

As online transactions have soared, so has malware. According to an Online Banking Security Survey by PhoneFactor, a provider of two-factor authentication, 69% of respondents indicated an increase in attacks over the past 12 months.
About half (51%) cited real-time attacks from online banking trojans as the greatest threat. Password phishing came in second at 24%. Trojans like ZeuS are said to have infected 90% of the Fortune 500, and more recent threats like SpyEye are emerging, so these fears are not ungrounded.

ZeuS and similar malware threats work by installing themselves underneath the user’s web browser. From this position, they can steal passwords or even inject unrequested transactions without the true user being aware of them. This browser-based malware targets ACH transactions and wire transfers especially.

Since 2005, Federal Financial Institutions Examination Council (FFIEC) guidelines have been in place to ensure that banks are using layers of security to combat fraud threats. Doug Johnson, vice-president of Risk Management Policy at ABA, expects these guidelines to be revised to better fit more recent authentication measures. “Our desire is to assist the agencies in understanding what measures banks are utilizing so the guidance is reasonable from a business as well as from a security standpoint,” he says.

Some of the recent authentication measures include two-factor authentication. “Banks, to varying degrees, have some two-factor deployed to at least a small subset of their customers,” says Sarah Fender, vice-president of Marketing & Product Management for PhoneFactor. This subset is comprised primarily of commercial customers, and the two-factor system typically includes tokens, which dispense a one-time pass code to holders. Tokens do little to ward off malware, which can steal pass codes from browsers, according to Fender.

To better combat this fraud, “out-of-band” authentication measures have emerged. This approach uses a different channel from the one the transaction is using. PhoneFactor, for example, uses the telephone channel.
When users attempt to make a transaction online, an automated call or text asks them to confirm the transaction by voice (checked by biometrics) or by sending a text message back.

Improved customer knowledge can help, as well. “It’s time for commercial banks to get to know their customers better,” says Brian Krebs, of KrebsOnSecurity.com. “One way to adopt that stance is to shift the focus of customer authentication from authenticating the user to trying to authenticate their activity. This can take the form of profiling transactions, profiling the customer’s website usage habits, etc.” By recognizing and authenticating client activity, banks can flag unusual activity and intercept a fraudulent transaction.

Of course, customers need to make efforts to protect themselves from fraud, as well. “It’s not that there’s a problem with the [online] channel,” says Lin Abbot, CISM, chief information security officer for $10.5 billion-assets Citizens Republic Bancorp, Flint, Mich. “The key is that people understand how different internet usage behaviors can make them more exposed, and how to protect themselves by changing their behaviors.”

— Ashley Bray, contributing editor