03:30 PM
James M. Ashfield, SVP, and David Shroyer, SVP, e-Commerce Products, Bank of America

Security Management: An Ongoing Challenge for Banks

Effective security management requires a layering of multiple solutions focusing on people, process, technology and risk.

In essence, a security strategy is a road map for mitigating risks while complying with legal, statutory, contractual and internally developed requirements. Some of the basic components include defining control objectives, identifying and assessing approaches to meet those objectives, selecting controls, establishing metrics and benchmarks, testing and implementation, and performing ongoing maintenance. The ultimate goal is to increase customer confidence across online channels and reduce losses due to fraud and identity theft across the enterprise.

Like many large banks, Bank of America has developed a logical delivery road map to drive the evolution of its authentication and security programs. Our strategy involves easy-to-use layers of overlapping security systems across our online space, as well as programs for educating customers to improve prevention, detection and resolution. It also includes strong risk management/compliance features surrounding the overall design to ensure that the right measures are placed in the right areas and are updated as necessary. Such a road map includes several components:

Use a Multilayered Approach

To effectively manage security, banks need to develop an easy-to-use, multilayered system that can be leveraged across the enterprise. This can be accomplished by creating a weave of mandatory and optional channel authentication to successfully identify customers in each system, along with covert risk analysis to help determine the optimal deployment of authentication for those systems.

1. Channel authentication

Channel authentication involves identifying and controlling access within a system by associating rights and restrictions with each user. Many banks use identity management software to automate this administrative task and to let users reset their own passwords, which reduces costs (since many help desk calls are password-related). Further, passwords can be synchronized for a single sign-on that can be used to access a wide range of systems.

Some authentications should be mandatory, while others can be optional. At Bank of America, we use a mandatory authentication technology called SiteKey. SiteKey employs a two-step process that clearly identifies both the customer and the bank when online applications are accessed. First, the bank uniquely identifies the customer's device or, if the customer is using an unrecognized device, prompts the customer to go through additional security steps (such as security questions). Once the bank has established the customer's identity, it presents an image and phrase (previously selected by the customer) to identify the bank to the customer (see "Lesson Learned No. 2").

Lesson Learned No. 2: Improving Identity Management

One lesson learned from using a tool like SiteKey is that it drives customers to be more active participants in identifying fraud. In many cases, when customers do not recognize their SiteKey image, they contact us to report it. We are then able to take measures to combat the potential hazard and warn other customers. Active customer involvement helps us better identify and react to fraudulent activity.

Bank of America offers customers a second layer of authentication -- usually optional and associated with additional activities. First is SafePass, which, during the transaction of sensitive activities, triggers a six-digit, one-time-use code that is sent to customers as a text message. Customers must then use that code to complete their activity. The bank also offers customers both automatic and account security alerts via e-mail and/or text message. Automatic alerts notify customers of account changes that potentially indicate fraud. Account alerts notify customers about specific balance, payment and transaction activity that may be suspicious.

2. Covert risk-based authentication

Risk-based authentication means tailoring authentication to the risk analysis of a customer activity. In short, we match the level of authentication to the riskiness of the device being used, the transaction being made and the behavior of the customer. Once the level of risk is established, we then decide which authentication method is most appropriate and how it should be deployed. At the same time, we strive to strike a balance between the selected authentication and a positive online customer experience.
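The following is an added illustration, not Bank of America's code, of how the layers described in this article fit together: a risk score over device, transaction and behaviour signals decides whether a login needs only the password, an extra challenge on an unrecognized device, or a six-digit one-time code for sensitive activity. The signals, weights and thresholds are assumptions chosen for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed signals for one customer action (constructed for this example).
@dataclass
class Context:
    device_recognized: bool   # device fingerprint previously seen for this customer
    activity: str             # e.g. "view_balance", "add_payee", "wire"
    amount: float = 0.0       # transaction amount, if any
    new_payee: bool = False   # behaviour signal: first payment to this payee
    geo_mismatch: bool = False  # behaviour signal: location differs from usual

# Activities that always trigger the one-time code layer (assumed list).
SENSITIVE = {"add_payee", "wire", "change_contact"}
OTP_TTL_SECONDS = 300  # assumed lifetime of an issued code

def risk_score(ctx: Context) -> int:
    """Additive score across the device, transaction and behaviour levels (assumed weights)."""
    score = 0
    if not ctx.device_recognized:
        score += 40
    if ctx.activity in SENSITIVE:
        score += 30
    if ctx.amount >= 1000:
        score += 20
    if ctx.new_payee:
        score += 15
    if ctx.geo_mismatch:
        score += 25
    return score

def required_auth(ctx: Context) -> list:
    """Map the risk picture to the ordered list of authentication steps to demand."""
    steps = ["password"]
    if not ctx.device_recognized:
        steps.append("challenge_questions")      # unrecognized device: extra identity check
    if ctx.activity in SENSITIVE or risk_score(ctx) >= 60:
        steps.append("sms_otp")                  # sensitive or high-risk: one-time code
    return steps

def issue_otp(now: float = None) -> tuple:
    """Return a random six-digit code and its expiry time; the code is sent out of band."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    return code, (now if now is not None else time.time()) + OTP_TTL_SECONDS

def verify_otp(submitted: str, issued: str, expires_at: float, now: float = None) -> bool:
    """Accept a code only while unexpired, using a constant-time comparison."""
    now = now if now is not None else time.time()
    return now <= expires_at and hmac.compare_digest(submitted, issued)
```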

We also rely on an array of other effective tools behind the scenes that are designed to detect and pinpoint fraudulent activity at the device, transaction and customer behavior levels. This toolbox includes capabilities that are designed to provide a higher level of service in protecting our customers and increasing the security of their information and accounts.
