Today marks the 2012 deadline for financial institutions to adhere to the new FFIEC guidelines. While I’ve spent a significant amount of time blogging on this critical guidance, I still feel compelled to help educate readers on the need for an enterprise-wide, layered approach when thinking about how best to authenticate your banking customers. Excluding the telephone channel from your overall security strategy, I strongly contend, would leave your organization and your customers at risk.
There is no question that industry experts are recommending an enterprise approach. In a recent BankInfoSecurity article on the FFIEC authentication guidance, Joe Rogalski, information security officer and VP of First Niagara Bank, advocates an enterprise-level approach to security.
“It’s good to look beyond the requirements, to make sure you’re doing the best thing for your institution.”
The simple reality of fraud prevention is that criminals will never stop searching for the weakest link in your fraud defense. If you fail to evaluate your risks holistically, across all channels, it will always be an uphill battle against the crooks. A bigger risk still is falling behind your competition in setting the right course to prevent fraud. Criminals are constantly testing financial institutions, trying to locate the best opportunity to commit a crime. I think it’s safe to say that nobody wants to fall too far behind the industry in the ongoing battle to thwart fraud.
In my role at TrustID, I’ve been able to regularly monitor and evaluate the volumes coming through our systems. Without question, the criminals are stepping up their attacks via the telephone channel. This makes perfect sense when you consider the fact that the banking industry is so locked down on protecting the online channel that they’ve, by and large, ignored the telephone channel.
The fact is, you can gain access to many IVRs with just the account number plus the last four digits of the Social Security number, a zip code or a date of birth. Access to the customer account data exposed through the IVR is extremely valuable to criminals, who can also harvest transaction-level details that help them answer out-of-wallet questions, either online or when the call is transferred to a bank representative.
In the article, Gartner Research analyst and fraud expert, Avivah Litan, also made several notable comments and recommendations related to authentication:
Tackle the Basics. A lot of banks are busy implementing out-of-band authentication, Litan says. Yet, they’re still struggling to detect and prevent ACH and wire fraud. Rather than investing millions of dollars in out-of-band solutions, she recommends that institutions focus on core security requirements first. Address identified weaknesses with basic and well-understood solutions.
This is a fundamental, but often overlooked, point. While out-of-wallet questions do have their place in the authentication process, they can be frustrating to customers, expensive (they increase average call handle times) and, over time, can be beaten by criminals. Chances are that criminals will ultimately test their way past any fraud prevention tool they can see.
A second important point in the article is:
Show Metrics of Progress. Experts agree that regulators won’t expect to see 100% conformance in 2012. But institutions must prove they will reduce risk over time. Even if more technology investments are needed, proof of progress will satisfy auditors. “I think institutions are not measuring the potential exposure they may have, and the potential losses which they’ve managed to mitigate against their existing losses. If they can demonstrate that they have mitigated potential losses, even if exposure increased because of more attacks, then they can show that their measures of protection are improving. It demonstrates effectiveness.”
The reality is, authenticating customers has become problematic. Automatic Number Identification (ANI), the use of personally identifiable information (PII) and knowledge-based authentication (KBA) are no longer viable methods for validating caller identity, and customers don’t like the interrogation that inherently comes along with these processes. As a result, financial institutions need to consider more innovative, cost-effective solutions rather than continually modifying old technologies or simply adding new security questions that strain the trust and goodwill of their customers.
One of the primary benefits of the TrustID® network-based Physical Caller Authentication tool is that it is invisible to criminals and undetectable to legitimate customers. By non-intrusively identifying customers and flagging which inbound calls are high risk before a call is answered, banks gain a significant advantage in the fight against fraud without the crooks even knowing it. With innovative thieves constantly on the prowl for new gaps or vulnerabilities in authentication systems, TrustID provides another layer of security to protect the telephone channel and help financial institutions fulfill the FFIEC’s multi-factor authentication recommendations for identifying customers.