Account takeover fraud remains a major problem for the financial institutions and small businesses that are impacted. The FBI recently warned about increased wire transfer fraud to Chinese companies. Typically the hackers compromise the workstation of an employee who has the ability to initiate wire transfers. Once the user logs on to their online banking, the hackers steal the credentials and/or take over the user's session. Now that the hackers control the workstation and the account credentials, they initiate a wire transfer from the customer's account. The bank completes the wire transfer to an overseas account and the money is gone. Amounts range from 50k to 1 million dollars per transfer.
The FFIEC has recognized the problem and is working on new guidance for financial institutions to increase their security to prevent these types of attacks. A draft copy of the guidance was accidentally leaked by the NCUA in December 2010. Although the guidance has not been officially issued and may change, proactive organizations are already working on beefing up their security.
Some of the highlights from the draft guidance:
1. Increased risk assessments – Institutions need to periodically assess risk in their online banking solutions and respond accordingly. According to the FFIEC many financial institutions are not doing this frequently enough (if at all).
2. Authentication for High-Risk Transactions – Institutions should determine which accounts/transactions are high risk and implement additional security (two-factor authentication) in these cases.
3. Layered Security – Institutions should have multiple layers of controls in place so that a failure of one layer can be caught at another layer. For example, if a user name and password are compromised, fraud could still be stopped if anomaly detection flags the transactions for review.
4. Effectiveness of Authentication Techniques – Consider stronger device authentication and more difficult challenge questions.
5. Customer Education and Awareness – Advice on specific areas of guidance that the institution should consider providing to their customers.
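As an added illustration of the layered control in item 3 (not code from the original post or from any FFIEC material), the following scores a wire against the account's own history so that a transfer initiated with stolen credentials can still be held for review and the step-up authentication from item 2. The sample history, the z-score threshold of 3 and the rule names are constructed assumptions for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Wire:
    account: str
    beneficiary: str
    country: str
    amount: float

# Constructed sample history for one business account (not real data).
HISTORY = {
    "acct-001": [
        Wire("acct-001", "Acme Supply", "US", 12000.0),
        Wire("acct-001", "Acme Supply", "US", 11500.0),
        Wire("acct-001", "Northwind Parts", "US", 8000.0),
        Wire("acct-001", "Acme Supply", "US", 12800.0),
    ]
}

Z_THRESHOLD = 3.0  # assumed tuning value; a bank would calibrate this

def anomaly_reasons(wire, history):
    """Return the list of rules the wire trips against this account's history."""
    reasons = []
    if wire.beneficiary not in {w.beneficiary for w in history}:
        reasons.append("new beneficiary")
    if wire.country not in {w.country for w in history}:
        reasons.append("first wire to this country")
    amounts = [w.amount for w in history]
    if len(amounts) >= 3:
        mu, sigma = mean(amounts), pstdev(amounts)
        # Flag amounts far outside the account's normal range.
        if sigma > 0 and (wire.amount - mu) / sigma > Z_THRESHOLD:
            reasons.append("amount outside normal range")
    return reasons

def evaluate(wire, history=HISTORY):
    """Layer 2 decision: hold anything anomalous for review and step-up auth."""
    reasons = anomaly_reasons(wire, history.get(wire.account, []))
    action = "hold_for_review_and_step_up_auth" if reasons else "release"
    return {"action": action, "reasons": reasons}
```

A wire that matches the account's pattern is released; one to a new overseas beneficiary for an unusual amount is held even though the login itself looked valid.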
While the guidance is not official yet, financial institutions would be wise to ensure they are completing appropriate risk assessments of their online banking and that they address changes in the threat landscape. Getting ahead of this will help reduce fraud and keep them one step ahead when the regulators release the final guidance.