Those online services extend all the way to enabling a customer to open an account online with an electronic signature. "We may open an account with a member and never see their face," Guerrero relates. "The risk is high, but we have measures in place [to ensure] that the person who is applying for a loan or a new account is who they say they are."
In 2006 the company started working with VeriSign to implement the vendor's fraud detection system. The VeriSign solution monitors traffic that comes through the online banking site and develops behavioral patterns for members based on factors such as transaction types and where and when they access their account, explains Sri Balaji, a solutions design and development manager at Addison Avenue. "Everybody has a unique behavioral map. Whenever the system detects a deviation from that existing map, it challenges the member to authenticate themselves," says Balaji, who managed the team that implemented the VeriSign solution.
On top of the behavior engine, the VeriSign solution allows Addison to provide rules to, for example, target specific high-risk transactions for additional authentication. "Everything is happening in this online system, so we really want to put a lot of rigor in place in terms of validating and authenticating the user who is submitting those requests," Balaji comments.
Addison Avenue's enterprisewide fraud mitigation practices are augmented by specific security layers that aim to ensure users are who they purport to be. Like Bank of Hawaii, the credit union introduced one-time pass codes to the authentication process. According to Balaji, when additional credentials are required, the company sends users the one-time pass code via phone, e-mail or SMS text message.
Addison also rolled out hardware tokens that generate random one-time pass codes, Balaji adds. The tokens are available to members in various form factors, including key fobs and a credit card-size device. BlackBerry and iPhone users can download software to their mobile devices that serves the same function as the hardware token.
Addison first went live with the VeriSign solution in late 2006 and since the initial deployment has continually updated the system's functionality, adding features such as rules, phone OTP (one-time password) and SMS OTP, Balaji reports. The most recent addition, she notes, was the hardware token rollout, which went live in June 2009.
That progression perhaps best sums up the constantly evolving battle financial institutions face when it comes to fighting fraud. Yesterday's secure practice can become tomorrow's security liability, especially with the advent of cross-channel threats.
"It's a constantly evolving landscape, and our own evolution with the [VeriSign] system speaks to that. When we started off, sending a one-time code to an e-mail was acceptable. Now you have Trojan [horse viruses] and key-loggers, and people's e-mail accounts are getting compromised," Balaji says. "There isn't any one answer that is going to lead to complete security. We have to constantly tweak rules and work toward the next generation [of security solutions] to try and keep up with the hackers."