A number of recent court cases have ruled against banks for failing to prevent fraudulent bank transfers. While you would think this type of liability would motivate financial institutions to implement a multi-layered security system that meets the Federal Financial Institutions Examination Council’s (FFIEC) guidance, many banks still operate without complying with the multi-factor authentication recommendations.
In the article “Coping with the Threat of Fraudulent Funds Transfers,” three banks that fell victim to fraud may have to pay upwards of $460,000 in damages. That’s a steep price for not implementing adequate security measures to stop the wide range of criminal schemes, such as stolen credentials, account takeovers and social engineering, that target the financial services industry.
If today’s dangerous cyber attacks or costly court rulings aren’t enough to get banking institutions to comply with the FFIEC guidelines, I don’t know what will.
From an authentication perspective, any financial institution operating today should be in the process of implementing a layered authentication strategy or evaluating the one it already has, because that is what it takes to protect multiple banking channels against the growing list of fraud attacks. Making sure your bank has strong fraud detection solutions in place is essential to building the multi-layered defense that today’s quickly changing banking environment requires.
This means employing at least two of the three types of authentication factors recommended by the FFIEC for identifying banking customers across multiple channels, including online banking and the telephone channel. The three factors are: 1) something the user knows [e.g., password, PIN], 2) something the user has [e.g., ATM card, telephone], and 3) something the user is [e.g., biometric, fingerprint].
For financial institutions that perform high-risk transactions, this is a must. According to a legal memorandum recently published on the NC Bankers Association website, customer authentication that relies on a single factor, such as the widely used challenge questions (otherwise known as knowledge-based authentication, or KBA), or even on two credentials that fall under the same FFIEC category (for example, a password plus challenge questions, both of which are something the user knows), can be defeated by today’s advanced fraud tactics, leaving customer accounts and confidential banking information susceptible to fraud.
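The distinction in the two paragraphs above, that two credentials from the same category are not two factors, is easy to get wrong in an authorization rule. The following Python is an added example written for this page, not code from the article or from any vendor, and it shows how an authorization check can count distinct FFIEC categories rather than credentials. The authenticator names, the category mapping, and the "low"/"high" risk tiers are assumptions for illustration; a bank would derive the tiers from its own risk assessment.

```python
"""Evaluate whether presented authenticators satisfy multi-factor
authentication in the FFIEC sense: at least two factors drawn from
different categories (something the user knows / has / is).

Constructed example; the authenticator vocabulary below is illustrative.
"""
from enum import Enum
from typing import Iterable


class Factor(Enum):
    KNOWS = "something the user knows"
    HAS = "something the user has"
    IS = "something the user is"


# Assumed mapping of authenticator types to FFIEC categories.
# Note that challenge questions (KBA) land in the same category as a
# password, so combining the two does not add a second factor.
AUTHENTICATOR_CATEGORY = {
    "password": Factor.KNOWS,
    "pin": Factor.KNOWS,
    "challenge_questions": Factor.KNOWS,
    "hardware_token": Factor.HAS,
    "atm_card": Factor.HAS,
    "registered_phone": Factor.HAS,
    "fingerprint": Factor.IS,
    "voiceprint": Factor.IS,
}


def factor_categories(authenticators: Iterable[str]) -> set:
    """Return the distinct categories covered by the presented authenticators.

    An unknown authenticator type raises instead of silently counting as a
    factor, so a misconfigured policy fails closed.
    """
    categories = set()
    for name in authenticators:
        if name not in AUTHENTICATOR_CATEGORY:
            raise ValueError(f"unknown authenticator type: {name!r}")
        categories.add(AUTHENTICATOR_CATEGORY[name])
    return categories


def is_multifactor(authenticators: Iterable[str]) -> bool:
    """True only when at least two different categories are present."""
    return len(factor_categories(authenticators)) >= 2


def authorize(transaction_risk: str, authenticators: Iterable[str]) -> tuple:
    """Decide whether a transaction may proceed, returning (allowed, reason).

    transaction_risk is an assumed tier, "low" or "high". High-risk
    transactions require factors from two categories; low-risk ones
    require at least one recognized factor.
    """
    categories = factor_categories(authenticators)
    covered = ", ".join(sorted(c.name for c in categories)) or "none"
    if transaction_risk == "high":
        if len(categories) >= 2:
            return True, f"multi-factor satisfied ({covered})"
        return False, f"high-risk transaction needs two categories, got {covered}"
    if transaction_risk == "low":
        if categories:
            return True, f"single factor accepted for low-risk transaction ({covered})"
        return False, "no recognized authenticator presented"
    raise ValueError(f"unknown risk tier: {transaction_risk!r}")


if __name__ == "__main__":
    # Two credentials, one factor: rejected for a high-risk transfer.
    print(authorize("high", ["password", "challenge_questions"]))
    # Password plus a registered phone: two categories, accepted.
    print(authorize("high", ["password", "registered_phone"]))
```

The key line is the `len(categories) >= 2` test: it counts categories, not credentials, which is exactly the FFIEC distinction the memorandum draws.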
Challenge questions are not always effective. The more often the same questions are asked, the more likely their answers are to be exposed to fraudsters. FFIEC guidance notes that a search engine is all it takes to discover the answers to many challenge questions, such as mother’s maiden name or year of graduation. Because so much of this information is available on the Internet, the FFIEC no longer views basic challenge questions as an effective risk mitigation technique.
The ability to prevent various types of fraud attacks across all banking channels requires financial institutions to deploy multiple fraud-fighting solutions that help achieve the FFIEC’s three critical authentication factors. The TRUSTID® Physical Caller Authentication tool is a complementary customer authentication solution that fulfills the important “something the user has” category. Using undetectable network-based caller authentication to validate the Caller ID and ANI, TRUSTID helps financial institutions secure the telephone channel from fraudulent bank transfers.