Javelin Finds More Banks Using Multi-factor Authentication

Javelin study finds more banks using multifactor authentication.

With the FFIEC deadline for implementing multifactor authentication now but a memory, banks have improved their efforts to secure customers' information, according to a study by Javelin Strategy & Research. However, there is more banks can do, notes Javelin founder James van Dyke.

"We saw a big shift toward banks using multifactor authentication [MFA]," Van Dyke says, crediting the FFIEC for prompting banks to improve security measures. "Last year, the numbers were very low, with about 20 percent of banks in the survey using MFA. This year, 88 percent of banks have this in place."

The Pleasantville, Calif.-based research and advisory firm's 2007 Banking Identity Safety Scorecard ranks banks and credit unions on their customer-facing identity-fraud prevention, detection and resolution capabilities. Javelin has been issuing the scorecard for the past four years, steadily increasing the criteria by which it measures financial institutions' security procedures. Twenty-five institutions are included in the 2007 study, representing half of the U.S. market by dollar value of deposits, according to the FDIC.

Of the three measures examined in the study, the area in which Javelin saw the greatest improvement was in banks' after-the-fact fraud resolution. This year, the average institution met 77 percent of Javelin's criteria for fraud resolution, compared with 67 percent in 2006. The average institution met 51 percent of the criteria for fraud detection, compared with 49 percent in 2006.

While the percent of prevention criteria met by the average institution actually dropped from 50 percent in 2006 to 44 percent in this year's scorecard, Van Dyke emphasizes that the decline doesn't necessarily mean banks are less safe -- it's more a matter of Javelin toughening its criteria. "Banks need to go to the next step and adopt best practices, such as stop using customers' full Social Security numbers for authentication," he explains. "Seventy-six percent of banks still do this to identify customers. Only 24 percent prohibit the use of SSNs. ... Why isn't it 100 percent at this point in time?"

Deputizing Customers

Perhaps the No. 1 best practice for banks to adopt, according to Van Dyke, is the need to deputize their customers in the war on fraud. For instance, he says, one in two cases of identity fraud is detected by the victim. Further, "The majority of data leakage points are under the customers' control, like lost or stolen wallets, mailboxes and unsecured PCs," Van Dyke notes. "We're not blaming the consumers, but banks are pretty safe organizations."

The safe bank of the future, Van Dyke stresses, will be one in which consumers and the institution partner with one another. Customers can be "unpaid allies" in the battle against criminals, he says. They just need the tools, such as proper authentication procedures and the ability to receive electronic statements.

It's no surprise that the bank ranked No. 1 for overall security by Javelin -- Bank of America (Charlotte, N.C.; $1.3 trillion in assets) -- provides consumers with a number of security tools, including several authentication methods. "Online security is a top priority at Bank of America," says Betty Reiss, a bank spokeswoman. "We provide a number of security features to help protect customers," including automatic e-alerts; the ability to create unique, temporary account numbers for online purchases; a zero-liability guarantee; and online information on fraud scams.

Of course, achieving optimal security measures comes with a price. "There is a cost to doing this, but the cost will be outweighed by lower losses and higher adoption," Javelin's Van Dyke contends. "This concept is a net profit maker," he adds. "But if you look at their systems, this is not a trivial undertaking at all."

BANKS ARE USING SECURITY to increase consumer trust and boost their bottom lines
