An integrated approach to information security creates value for customers and shareholders by improving capability, reducing cost, improving efficiency and delivering a Return on Investment (ROI). An integrated approach also provides a pathway for developing people into business and process leaders, and for enhancing their knowledge, skills and value to the business.
Reports of account takeover incidents have increased in the last 18 months, yet losses have remained steady, says former federal banking examiner Amy McHugh, who analyzes what security measures are working and what still needs to be done.
A key factor contributing to controlled account takeover losses, McHugh says, is that banking institutions have made big investments to improve online security as they've worked toward conforming to the Federal Financial Institutions Examination Council's updated authentication guidance.
"I was at a bank performing an examination when they had stopped a fraudulent ACH request," McHugh says during an interview with Information Security Media Group. Anomaly detection and behavioral analysis helped this institution flag the suspicious transaction before it resulted in fraud, she says.
"There is an increased awareness," says McHugh, a bank adviser who's a former IT examination analyst for the Federal Deposit Insurance Corp. "There's also an increased push by the regulatory agencies to ensure that the financial institutions are aware of the risks."
Steady losses despite rising account takeover incidents could be a sign that banking institutions are catching more incidents and stopping them, she adds.
But McHugh also notes that smaller banking institutions still have a lot of security work to do. "The very large institutions have robust programs for anomaly monitoring for electronic funds transfer, as well as increasing fraud awareness," she says. "So the fraudsters are moving down to the smaller institutions."
Out-of-Band Authentication
As a result, smaller banks and credit unions should be implementing more out-of-band authentication measures, such as transaction-verification call-backs, McHugh says. Unfortunately, too many are more concerned about inconveniencing the customer than improving security."Customer awareness is improving," she says. "But institutions need to push back on the clients and say there are certain security procedures that they are going to require. Dual controls, out-of-band confirmations - these are basic security controls. Also, the banks should implement some kind of anomaly monitoring or detection so that there is some awareness of the pattern of the customer's behavior."
During this second half of a two-part interview, McHugh discusses:
- The struggles smaller institutions face when it comes to anomaly detection practices and procedures;
- How working with Internet service providers can enhance security and reduce fraud losses;
- Why distributed-denial-of-service attacks are an increasing concern for smaller institutions being targeted for ACH/wire fraud.
No comments:
Post a Comment