Why authentication isn’t enough
In a previous post, we discussed the following four reasons why authentication often fails to protect customers and credit union members against account takeover attacks:
- Basic authentication is trivial to bypass.
- Advanced authentication is too expensive to roll out to the majority of accounts.
- Cybercriminals continue to evolve techniques to circumvent security controls.
- Ultimately, if your customers can get to their accounts online, so can cybercriminals.
What can financial institutions do to reduce their risk exposure?
Here are some best practices to consider:
- Constantly educate your customers – even incremental improvements to the “human firewall” of your customer base can yield significant risk reduction. Treat customers as one of your first lines of defense and invest in ongoing educational programs that frequently remind them of good internet hygiene practices and how to spot potential scams. At a minimum, have a dedicated webpage on your site for educational content as well as clear, simple-to-follow instructions on reporting suspicious activity. Consider sending out regular newsletters reminding customers and members about common account takeover tactics and provide security awareness materials in documentation that customers are most likely to read, such as new account documents.
- Ensure that your own business practices do not mirror or enable account takeover tactics. For example, make sure that policy dictates that account login URLs are never sent via email, and communicate that policy clearly both internally and to your customers, so they are more wary of links in emails purporting to be from your institution.
- Have clearly articulated response plans for phishing, vishing, SMiShing, and other attacks that target your customers directly. Responding quickly and decisively is critical to limiting the immediate impact of an attack. The longer an attack stays active (the phishing site remains up, emails keep being delivered, the attacker's phone numbers or text messages remain in circulation), the more credentials are stolen.
- Build relationships with external authorities, service providers, and partners such as PhishLabs to support response to attacks. Account takeover attacks typically rely on compromised infrastructure that is managed by legitimate organizations and that infrastructure can be located anywhere in the world. Working with experienced partners with well-established networks will speed mitigation of account takeover attacks.
- Adopt a proactive and offensive anti-fraud strategy. While it’s important to have good controls in place that make it more difficult for cybercriminals to carry out fraud, their effectiveness is limited (see the prior post). Institutions should invest in capabilities for proactively detecting attacks targeting their customers and aggressively disrupting the cybercrime systems and tools used against them.
Join us for a live webinar on November 18, 2014 to learn more about Powerful Strategies for Account Takeover Fraud Prevention.
During the webinar participants will learn:
- How fraudsters hijack accounts and circumvent common anti-fraud controls.
- Why current measures are ineffective at stopping ATO fraud.
- New strategies that go beyond authentication to fight and prevent online fraud.