The five layers of online banking security
By Christy SerratoFeatures Opinion
It is becoming increasingly critical that financial institutions ensure their consumer and corporate banking customers are able to access their accounts with the highest reasonable security, using a process that is very straightforward and approachable.
There have been significant changes in the threat landscape for online banking. In order to protect customers using Internet-based products and services, such as applications, the Federal Financial Institutions Examination Council (FIEC) in the U.S. and other regulators have instituted significantly more stringent requirements for financial institutions. Ensuring a compliant security program requires the execution of a good, multi-faceted authentication solution.
The best approach for online banking security is a layered one. By using a layered approach, financial institutions can apply the appropriate level of risk mitigation to each of its many customer segments. This includes choosing the appropriate solution for consumers, as opposed to corporate customers. Making the right decisions and creating a well-thought-out security policy has never been more important. Consider the threat posed by pieces of malware such as the recently discovered Operation High Roller. Fully automated, Operation High Roller is aimed directly at online banking. Defending against it and other threats requires a security strategy with the following layers:
First Layer: User authentication – The best approach is a multi-factor authentication solution that provides the cornerstone of a five-layer strategy. This layer should combine:
– Something the user knows, such as a password
– Something the user has, which can be deviceless, such as mobile and web tokens
– Something the user is, as shown through a biometric or behaviormetric solution
Second Layer: Device authentication – Following user verification, the next step is to verify that the person is not just who he or she claims to be, but is also on a “known” device. This is done through a combination of endpoint device identification and profiling, proxy detection and geo-location.
Third Layer: Browser protection – It’s not enough to verify the user, and that the user is on a known device. The next step is to ensure that the browser being used is part of a secure communication channel. This might be accomplished through simple passive malware detection. Better protection can be achieved by using a proactive hardened browser with mutual secure socket layer connection to the bank application. This approach delivers strong endpoint security.
Fourth Layer: Transaction authentication/pattern-based intelligence – Some transactions are particularly sensitive, including signing contracts and transferring large funds. These transactions require an additional layer of security. The transaction authentication layer can include Out-Of-Band (OOB) transaction verification, transaction signing for non-repudiation, transaction monitoring, and behavioral analysis. Each can be a significant part of the mix.
Fifth Layer: Application security – This is particularly important with the increased prevalence of mobile banking. This layer ensures the security of the applications on mobile devices that are used to deliver sensitive information. Ensuring this security requires that the application be architecturally hardening and capable of executing mutual authentication. With this layer in place, data theft becomes significantly more complex and costly for hackers.
Each day brings new and more sophisticated malware, raising the stakes for financial institutions that are attempting to increase their security efforts against cyber crimes. A five-layered approach will deliver the necessary in-depth defense that ensures banking customers will remain loyal, secure and safe as they conduct banking transactions from more locations, and on more types of devices, than ever before.
Christy Serrato is identity assurance solutions marketing executive for financial services, HID Global.
Print this page