Fraud: Social Media Heightens New Threats

As fraudsters increasingly seek to exploit weaknesses in consumers' defenses through social engineering schemes rather than hack vulnerabilities in banks' security systems, the need for enterprisewide solutions to detect fraud across channels is greater than ever.

In response, the bank has added security layers to its credentialing process. First, Bank of Hawaii mandated dual control for its commercial clients -- requiring two users to each provide credentials to initiate a transaction such as an ACH or wire transfer, according to Alama.

The bank also has rolled out hardware tokens that generate one-time passwords to thwart social engineering fraud attacks, Alama adds. The hardware tokens are distributed to users in the form of an RSA key fob, which contains a small keyboard on which a user types a PIN. The key fob then generates a one-time, six-digit pass code that the user reenters when signing on to Bank of Hawaii's online applications.

Many of Bank of Hawaii's enhanced security measures have been put in place with an assist from Atlanta-based Online Banking Solutions' (OBS) Online Messenger version 3.0 and M-Secure Banking Suite products, Alama reports. Implementation, he relates, began late last year, and the solutions went live in the third quarter of 2009.

In addition to other OBS tools -- including a secure browser that clients can use to access the bank's online applications -- Bank of Hawaii leverages the vendor's M-Secure Virtual Keyboard, software that provides an additional layer of security by limiting account access to a specific computer or other device. Alama describes the virtual keyboard as a "soft token" that uses the same strategy as a hardware token.

Essentially, he explains, a customer uses his or her mouse to enter login information and a PIN via an on-screen keyboard (as opposed to a physical keyboard) to generate a one-time pass code that is automatically sent to the bank for credentialing. The process eliminates physical keystrokes, greatly reducing the effectiveness of key-logging malware. "The majority of the problems that are out there today are customers that have malware downloaded on their computers that is capturing all their keystrokes and passing that off to a foreign computer somewhere else," Alama says.

Unfortunately, Alama acknowledges, while the new controls have helped to prevent fraud, they also have limited the convenience factor of the online banking channel. "In the end, the applications have gotten a bit more cumbersome to use, especially for the smaller business, because of the dual controls and other security features we've had to implement to protect [clients] from some of the key-logging efforts," he concedes.

Worth the Inconvenience

That said, pushback from the bank's customer base has been tempered by the growing awareness of identity theft and other social engineering fraud schemes. "Initially, a couple years ago, it was difficult," Alama says of the effort to partner with customers to prevent fraud. "[But] our customers are actually appreciative that we're going through the effort to try and protect them, even though it may require additional effort on their part."

The balance between convenience and security was central to fraud mitigation efforts at Addison Avenue ($2.2 billion in assets), a Palo Alto, Calif.-based federal credit union serving select employee groups (SEGs) at technology companies such as Hewlett-Packard. With a globally dispersed customer base, Addison considers the online channel to be a top priority. In fact, the credit union aims to provide online banking services that can support any transaction that a member can perform in a physical branch, according to Addison Avenue CIO Blanca Guerrero.
