Professional Documents
Culture Documents
With a
growing population of internal and external users accessing an increasing number
of applications, the need has grown exponentially for banks to develop a new
generation of security tools that can help them better comply with regulations,
control access to confidential data and limit identity theft. At the same time,
banks are challenged to institute security measures that satisfy users who are
demanding both stronger security and ease of use and control -- often competing
priorities.
Related Resources
• Governance, Risk, and Compliance Services from SAP: Addressing Risk and Achieving
Regulatory Compliance
• Strategy Guide to Business Risk Mitigation for Financial Services
Lastly, the single largest security management challenge is the one most difficult
to control. According to the 2007 Global Security Survey by Deloitte Touche
Tohmatsu, "The greatest root cause of external breaches continues to be the
human factor." In other words, banks need to continuously educate and engage
customers about their online security. However, customer education is difficult at
best because the group most likely to be duped is also the group most likely to
not actively seek education or to ignore education initiatives altogether.
What does all of this mean? It means that truly effective security management
will require the layering of a number of solutions that focus on people, process,
technology and risk. Most important, the management of each layer will need to
be based on its context among the diverse capabilities and limitations of the
others. When all the layers are combined, it creates a powerful tool that can offer
banks a much more successful way to manage their security challenges than any
single stand-alone solution.
Over the past decade, as new online banking products and communication points
were introduced, so were opportunities for fraudulent activity (see timeline
below). It is reasonable to assume that new product introductions and the related
security challenges will progress hand in hand. As functionality continues to grow,
so will criminal initiatives to exploit it (see "Lesson Learned No. 1").
Over the past five years, banks have witnessed a major shift in
fraudulent activity. Originally hackers would create worms and/or
viruses, such as I Love You, Mamba and a host of others, with the
intention of crashing systems and wreaking general havoc. Most of
these programs were created as pranks with the purpose of proving to
the world how smart the hackers were. Today the focus has shifted.
Hackers are now aiming at specific targets with the intention of
defeating their security, retrieving customer information and selling it
online for a profit. In short, cybercrime has moved from destructive
pranks to criminal intent. As a result, security managers have literally
become the bank's security guards -- protecting customer identities and
accounts in the same way that guards at a brick-and-mortar branch do.
This trend has played a key role in security enhancement strategy at
most banks.
Large banks are a natural target due to their size and their maintenance of
sensitive consumer information and assets. Banks are frequently the target of
phishing and spoofing attacks and continue to witness new attacks, such as DNS
poisoning (in which a maliciously created or unintended situation provides data to
a domain name server that did not originate from authoritative DNS sources) and
Man-in-the-Middle (in which the attacker makes independent connections with
the victims and relays messages between them, making them believe they are
talking directly to each other over a private connection when in actuality the
conversation is controlled by the attacker), developed and shared through black
market forums, almost weekly. Over the next year malware (software designed
to infiltrate or damage a computer system without the owner's informed consent)
is likely to become an even greater threat, and banks are already strengthening
existing measures and building new measures to combat it.
Banks can ill afford any negative publicity about the security of their financial
data. Customer confidence is paramount as persistent security concerns can
quickly erode confidence in product channels, decrease profits and lead to
defections. We are continuously challenged to find better ways to secure our
systems and support our customers' assurance that their information is safe from
predators. Developing and maintaining a top-notch authentication and security
strategy is the key.
In essence, a security strategy is a road map for mitigating risks while complying
with legal, statutory, contractual and internally developed requirements. Some of
the basic components include defining control objectives, identifying and
assessing approaches to meet those objectives, selecting controls, establishing
metrics and benchmarks, testing and implementation, and performing ongoing
maintenance. The ultimate goal is to increase customer confidence across online
channels and reduce losses due to fraud and identity theft across the enterprise.
Like many large banks, Bank of America has developed a logical delivery road
map to drive the evolution of its authentication and security programs. Our
strategy involves easy-to-use layers of overlapping security systems across our
online space, as well as programs for educating customers to improve prevention,
detection and resolution. It also includes strong risk management/compliance
features surrounding the overall design to ensure that the right measures are
placed in the right areas and are updated as necessary. Such a road map includes
several components:
Related Resources
• Governance, Risk, and Compliance Services from SAP: Addressing Risk and Achieving
Regulatory Compliance
• Strategy Guide to Business Risk Mitigation for Financial Services
1. Channel authentication
One lesson learned from using a tool like SiteKey is that it drives
customers to be more-active participants in identifying fraud. In many
cases, when customers do not recognize their SiteKey image, they
contact us to report it. We are then able to take measures to combat the
potential hazard and warn other customers. Active customer
involvement helps us better identify and react to fraudulent activity.
We also rely on an array of other effective tools behind the scenes that are
designed to detect and pinpoint fraudulent activity at the device, transaction and
customer behavior levels. This toolbox includes capabilities that are designed to
provide a higher level of service in protecting our customers and increasing the
security of their information and accounts.
Integrate Cross-Channel
To increase the benefits of the multilayered security approach, the logical next
step would be to extend and integrate it cross-channel. Banks need to align their
efforts at multiple levels to deliver a standardized authentication and
authorization experience. Strong security demands technology that can easily be
integrated. This is no easy task when many organizations use a wide range of
hardware and software for different business requirements.
Related Resources
• Governance, Risk, and Compliance Services from SAP: Addressing Risk and Achieving
Regulatory Compliance
• Strategy Guide to Business Risk Mitigation for Financial Services
Accordingly, we partner closely with our customers to provide the education they
require to avoid fraud. This includes proactively informing customers how to
circumvent fraudulent activity and adhere to the latest safety tips and guidelines
outlined by such consumer protection groups as the Federal Trade Commission
and the Better Business Bureau, among others.
There are many reasons why Bank of America invests heavily in this area. First,
as a service company, we feel it's our duty to serve our customers to the fullest
extent possible, including fraud education. Second, educated customers are
better able to serve as our eyes and ears in the marketplace -- helping us identify
phishing and spoofing attacks and having them quickly shut down. Third, we
believe that if we go the extra mile to protect our customers, as well as offer a
zero-liability guarantee for unauthorized transactions, we can generate a greater
level of trust and confidence in our systems and build a more loyal customer
base. Finally, with every security effort, we help reduce our financial liability costs
all around (see "Lesson Learned No. 3").
A sound security strategy has several lines of defense -- from the individuals in
each line of business to the executives in charge of the enterprise. All must be
involved in the risk management process. All must evaluate the associated risks
in doing business. Their continuing efforts help ensure compliance.
At Bank of America, our teams review information security for potential risk
during the product life cycle and stay current with the latest developments so
they can adjust security measures as necessary. At the same time, they monitor
ongoing activity to help ensure that both process and policies are being correctly
followed.
Strong policies are the backbone of security strategy. They guide the decisions
made by users, managers and administrators and remind those individuals of
their security responsibilities. Policies also specify the mechanisms through which
responsibilities can be met, and provide guidance for successfully acquiring,
configuring and auditing security systems. These should be developed in
accordance with the size and complexity of the institution and be sufficiently
flexible to allow for timely updates to keep pace with changes in technology as
well as fraudulent activity.
There are two certainties that banks and their customers must face:
New/improved financial products will continue to be introduced to the
marketplace; and those products will continue to be attacked by fraudsters
attempting to expose customer information. This danger is real, and a solid
authentication and security strategy is critical to keeping customer information
safe. Moreover, both banks and their customers win from this effort. Such
security measures can help increase customer confidence in the bank's online
products and reduce the cost of fraud and identity theft across the enterprise.
How have we done so far? Bank of America has continually received a top ranking
for online security from Bank Monitor and ranked No. 1 in Javelin's Online Identity
Safety Scorecard and Online Card Safety Scorecard. We intend to continue down
this path and will invest the necessary time and resources to maintain this
leadership. We feel that our recognition as an industry leader in online security
and the confidence we instill in our customers are key contributors to maintaining
our 25 million online banking customers.
Customers want a high level of assurance that their online transactions are safe,
and strong security measures can go a long way in giving them peace of mind.
Increasing customer confidence can help increase online usage, which in turn can
lead to more opportunities, better growth and competitive advantage. With more-
effective security management, we can help both our customers and ourselves
realize the full power of the Internet.
James Ashfield is the SVP for authentication and security management for global
consumer and small-business banking e-commerce/ATM at Bank of America.
Ashfield develops and manages the authentication and security strategies and
product development for online and mobile banking.
David Shroyer is an SVP and product manager for online security and enrollment
for Bank of America's e-commerce division, supporting 25 million online banking
customers. His team's responsibilities include product management for online
banking authentication, authorization, privacy and security customer education,
identity management, and enrollment. Shroyer also manages the e-mail security
strategy for e-commerce and acts as an expert on online threats and fraud at the
enterprise level.