James M. Ashfield, SVP, and David Shroyer, SVP, e-Commerce Products, Bank of America

Security Management: An Ongoing Challenge for Banks

Effective security management requires a layering of multiple solutions focusing on people, process, technology and risk.

Integrate Cross-Channel

To increase the benefits of the multilayered security approach, the logical next step is to extend and integrate it across channels. Banks need to align their efforts at multiple levels to deliver a standardized authentication and authorization experience, whichever channel the customer uses. Strong security demands technology that can be integrated easily. This is no easy task when many organizations use a wide range of hardware and software for different business requirements.

Integration should be a critical consideration when selecting security systems. At Bank of America, we design our systems to come together into one integrated environment to create a common operating picture for easier and faster access to information when and where it is needed. We strive to select and deploy the right systems that not only get the job done, but also work together seamlessly. Advantages include reduced costs, improved business processes and a scalable, integrated enterprise architecture that grows with our organization.

On the operations side, there are great benefits from a fully integrated security system. A single, system-wide control interface for multiple systems means fewer maintenance headaches when upgrades or patches are required. Perhaps more important, in the event of a security breach it is easier to reconfigure the appropriate systems and devices automatically to prevent further fraud.

Educate and Engage Customers

As noted earlier, perhaps the best way banks can protect their customers is to better educate them about security. Most of the actions necessary to protect customers from fraudsters must be initiated by the customers themselves. Banks can ease this process by continuously educating customers on potential hazards, by offering additional authentication options, personalization and customization of the security experience, and by sending alerts, e-mails and tips for better prevention.

Accordingly, we partner closely with our customers to provide the education they require to avoid fraud. This includes proactively informing customers how to recognize and avoid fraudulent activity and how to follow the latest safety tips and guidelines published by consumer protection groups such as the Federal Trade Commission and the Better Business Bureau, among others.

There are many reasons why Bank of America invests heavily in this area. First, as a service company, we feel it's our duty to serve our customers to the fullest extent possible, including fraud education. Second, educated customers are better able to serve as our eyes and ears in the marketplace -- helping us identify phishing and spoofing attacks and having them quickly shut down. Third, we believe that if we go the extra mile to protect our customers, as well as offer a zero-liability guarantee for unauthorized transactions, we can generate a greater level of trust and confidence in our systems and build a more loyal customer base. Finally, with every security effort, we help reduce our financial liability costs all around (see "Lesson Learned No. 3").

Lesson Learned No. 3: Speeding Response Time

One of the biggest challenges banks face is reacting as quickly as fraudsters, whose tactics change and evolve almost daily. One way to do so is to focus on the many "threat vectors" (i.e., potential paths of attack) in the marketplace and proactively ramp up the ability to react to them. Fast response is paramount to thwarting fraudsters and is one of the key reasons that Bank of America partners with customers. The earlier we receive warning of fraudulent activity, the faster we can respond to shut it down.

Maintain Strong Risk Management and Compliance

A sound security strategy has several lines of defense -- from the individuals in each line of business to the executives in charge of the enterprise. All must be involved in the risk management process. All must evaluate the associated risks in doing business. Their continuing efforts help ensure compliance.

At Bank of America, our teams review information security for potential risk during the product life cycle and stay current with the latest developments so they can adjust security measures as necessary. At the same time, they monitor ongoing activity to help ensure that both process and policies are being correctly followed.

Strong policies are the backbone of security strategy. They guide the decisions made by users, managers and administrators and remind those individuals of their security responsibilities. Policies also specify the mechanisms through which responsibilities can be met, and provide guidance for successfully acquiring, configuring and auditing security systems. These should be developed in accordance with the size and complexity of the institution and be sufficiently flexible to allow for timely updates to keep pace with changes in technology as well as fraudulent activity.

Create a Win-Win Scenario

There are two certainties that banks and their customers must face: New and improved financial products will continue to be introduced to the marketplace, and those products will continue to be attacked by fraudsters attempting to steal customer information. This danger is real, and a solid authentication and security strategy is critical to keeping customer information safe. Moreover, both banks and their customers win from this effort. Such security measures can help increase customer confidence in the bank's online products and reduce the cost of fraud and identity theft across the enterprise.

How have we done so far? Bank of America has continually received a top ranking for online security from Bank Monitor and ranked No. 1 in Javelin's Online Identity Safety Scorecard and Online Card Safety Scorecard. We intend to continue down this path and will invest the necessary time and resources to maintain this leadership. We feel that our recognition as an industry leader in online security and the confidence we instill in our customers are key contributors to maintaining our 25 million online banking customers.

Customers want a high level of assurance that their online transactions are safe, and strong security measures can go a long way in giving them peace of mind. Increasing customer confidence can help increase online usage, which in turn can lead to more opportunities, better growth and competitive advantage. With more-effective security management, we can help both our customers and ourselves realize the full power of the Internet.

James Ashfield is the SVP for authentication and security management for global consumer and small-business banking e-commerce/ATM at Bank of America. Ashfield develops and manages the authentication and security strategies and product development for online and mobile banking.

David Shroyer is an SVP and product manager for online security and enrollment for Bank of America's e-commerce division, supporting 25 million online banking customers. His team's responsibilities include product management for online banking authentication, authorization, privacy and security customer education, identity management, and enrollment. Shroyer also manages the e-mail security strategy for e-commerce and acts as an expert on online threats and fraud at the enterprise level.
