In response, the bank has added security layers to its credentialing process. First, Bank of Hawaii mandated dual control for its commercial clients -- requiring two users to each provide credentials to initiate a transaction such as an ACH or wire transfer, according to Alama.
The bank also has rolled out hardware tokens that generate one-time passwords to thwart social engineering fraud attacks, Alama adds. The hardware tokens are distributed to users in the form of an RSA key fob, which contains a small keyboard on which a user types a PIN. The key fob then generates a one-time, six-digit pass code that the user reenters when signing on to Bank of Hawaii's online applications.
Many of Bank of Hawaii's enhanced security measures have been put in place with an assist from Atlanta-based Online Banking Solutions' (OBS) Online Messenger version 3.0 and M-Secure Banking Suite products, Alama reports. Implementation, he relates, began late last year, and the solutions went live in the third quarter of 2009.
In addition to other OBS tools -- including a secure browser that clients can use to access the bank's online applications -- Bank of Hawaii leverages the vendor's M-Secure Virtual Keyboard, software that provides an additional layer of security by limiting account access to a specific computer or other device. Alama describes the virtual keyboard as a "soft token" that uses the same strategy as a hardware token.
Essentially, he explains, a customer uses his or her mouse to enter login information and a PIN via an on-screen keyboard (as opposed to a physical keyboard) to generate a one-time pass code that is automatically sent to the bank for credentialing. The process eliminates physical keystrokes, greatly reducing the effectiveness of key-logging malware. "The majority of the problems that are out there today are customers that have malware downloaded on their computers that is capturing all their keystrokes and passing that off to a foreign computer somewhere else," Alama says.
Unfortunately, Alama acknowledges, while the new controls have helped to prevent fraud, they also have limited the convenience factor of the online banking channel. "In the end, the applications have gotten a bit more cumbersome to use, especially for the smaller business, because of the dual controls and other security features we've had to implement to protect [clients] from some of the key-logging efforts," he concedes.
Worth the Inconvenience
That said, pushback from the bank's customer base has been tempered by the growing awareness of identity theft and other social engineering fraud schemes. "Initially, a couple years ago, it was difficult," Alama says of the effort to partner with customers to prevent fraud. "[But] our customers are actually appreciative that we're going through the effort to try and protect them, even though it may require additional effort on their part."
The balance between convenience and security was central to fraud mitigation efforts at Addison Avenue ($2.2 billion in assets), a Palo Alto, Calif.-based federal credit union serving select employee groups (SEGs) at technology companies such as Hewlett-Packard. With a globally dispersed customer base, Addison considers the online channel to be a top priority. In fact, the credit union aims to provide online banking services that can support any transaction that a member can perform in a physical branch, according to Addison Avenue CIO Blanca Guerrero.