By Pete Hopkins
As more and more people go online to do their banking, more and more criminals see opportunities for theft in the form of unwary newcomers to online banking and increasingly sophisticated malicious software. Online theft is often carried out by large, well-organized criminal gangs, not lone hackers. The stakes are large and the threat is real.
Due to the variety of methods employed by criminals, there is no single solution for keeping them at bay. It’s best to use a wide-spectrum approach, with multiple layers of security. Here are the top 10 ways to safeguard your website.
Anti-virus measures and up-to-date software. Both end users and financial institutions should be using reliable software that protects against malware. This software should be continually updated to protect against the latest threats. Computers should also be updated with the security patches issued from the maker of your operating system and from the companies that make your office and financial software.
Customer and staff education. On a regular basis, include fraud education in your communications with account holders. Use a variety of media including web announcements, statement stuffers, emails, blogs, and social site announcements. Also, ensure employees are trained and tested in your security procedures.
Password security. Superior password protection requires three parts:
Expiration. The more frequently a user must change passwords, the less likely it is that a criminal can acquire them. Experiment with the appropriate balance between security and convenience for your customers.
Reuse. A good system will be able to specify when a previously used password is acceptable for use again. Usually this interval is measured by the number of times a person has changed passwords.
Length and strength. Your system should enable you to require a minimum number of characters and an alpha and numeric mix.
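The three parts of password security described above (expiration, reuse, and length and strength) can all be enforced in one small policy module. The following is an added example written for this article, not code from the author or from Jack Henry & Associates; the limits (8 characters, 90-day expiry, a history of 5 passwords) are constructed values that an institution would tune to its own risk model, and only salted hashes are kept in the history.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Constructed policy values; a real institution tunes these to its own risk model.
MIN_LENGTH = 8            # length and strength: minimum number of characters
MAX_AGE_DAYS = 90         # expiration: how long a password stays valid
HISTORY_DEPTH = 5         # reuse: the last N passwords (current one included) may not be reused

# Constructed sample clock for the usage below.
T0 = datetime(2024, 1, 1)


def _hash_password(password, salt):
    """Salted PBKDF2 hash; the history stores these, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def check_strength(password):
    """Length and strength: minimum length plus an alpha and numeric mix."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if not any(c.isalpha() for c in password):
        return False, "no letters"
    if not any(c.isdigit() for c in password):
        return False, "no digits"
    return True, "ok"


class PasswordRecord:
    """Per-user state: salt, time of last change, and the recent password hashes."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.changed_at = None
        self.history = []  # most recent first, capped at HISTORY_DEPTH

    def is_expired(self, now):
        """Expiration: true once the password is older than MAX_AGE_DAYS."""
        return self.changed_at is None or now - self.changed_at > timedelta(days=MAX_AGE_DAYS)

    def change(self, new_password, now):
        """Apply all three rules; returns (accepted, reason)."""
        ok, reason = check_strength(new_password)
        if not ok:
            return False, reason
        digest = _hash_password(new_password, self.salt)
        # Reuse: reject anything still inside the history window.
        if any(hmac.compare_digest(digest, old) for old in self.history):
            return False, "reused within last %d passwords" % HISTORY_DEPTH
        self.history.insert(0, digest)
        del self.history[HISTORY_DEPTH:]  # oldest entry rolls out after HISTORY_DEPTH changes
        self.changed_at = now
        return True, "changed"


if __name__ == "__main__":
    rec = PasswordRecord()
    print(rec.change("Summer2024", T0))                      # (True, 'changed')
    print(rec.change("Summer2024", T0))                      # rejected: reuse
    print(rec.is_expired(T0 + timedelta(days=91)))           # True
```

The reuse interval is counted in password changes, as the text describes: once five newer passwords have been set, the oldest hash drops out of the history and that password becomes acceptable again.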
Multi-factor authentication. Multi-factor authentication (MFA) authenticates identity by using one factor a user knows, such as a password, log-on ID, or challenge question, and another factor the user possesses, such as a token. A good MFA system will provide multiple levels of protection, connectivity protection, and risk score assignment to control access.
Risk rules. The above-mentioned risk score assignment is especially advantageous if it has modifiable rules and limits for scoring. That gives system administrators flexibility in deciding how stringent the rules are for log-in and online activities. For example, for first-time users of your site, you can require that the person create challenge questions. For users previously registered, you can set a relatively high risk score for log-in before the system will ask the challenge questions. For general payment activities, you can create a lower threshold before challenge questions are initiated.
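The rule set described above (mandatory challenge-question enrolment for first-time users, a high threshold at log-in, a lower one for payments) maps directly onto a small scoring engine with editable thresholds. The following is an added example, not code from the article or from any vendor product; the signal weights and thresholds are constructed values, and the signal names (`new_device`, `unusual_location`, `off_hours`, `large_amount`) are hypothetical.

```python
# Constructed, administrator-editable thresholds: the score at or above which
# challenge questions are asked for each kind of activity.
RULES = {
    "login": {"challenge_threshold": 70},    # relatively high bar at log-in
    "payment": {"challenge_threshold": 40},  # lower bar for payment activity
}

# Constructed scoring weights for hypothetical observable signals.
WEIGHTS = {
    "new_device": 30,
    "unusual_location": 35,
    "off_hours": 15,
    "large_amount": 40,
}


def risk_score(signals):
    """Sum the weights of the signals present, capped at 100; unknown signals are ignored."""
    return min(100, sum(WEIGHTS[s] for s in signals if s in WEIGHTS))


def decide(user, activity, signals, rules=RULES):
    """Return the action the site should take for this activity.

    user: dict with a 'challenge_questions' list (empty for a first-time user).
    activity: a key of `rules`.
    signals: iterable of signal names observed for the session.
    """
    if not user.get("challenge_questions"):
        # First-time user: enrolment in challenge questions is required before anything else.
        return "enroll_challenge_questions"
    score = risk_score(signals)
    if score >= rules[activity]["challenge_threshold"]:
        return "ask_challenge_questions"
    return "allow"


if __name__ == "__main__":
    registered = {"challenge_questions": ["q1", "q2"]}
    print(decide(registered, "login", ["new_device"]))                 # allow (30 < 70)
    print(decide(registered, "payment", ["large_amount"]))             # ask_challenge_questions (40 >= 40)
```

Because `rules` is a parameter, an administrator can swap in a stricter table without touching the decision logic, which is the flexibility the text is after.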
Security tokens. This is a very secure option that significantly reduces risk. It usually comes in the form of a smart card, a small chip, or device on a key ring. Tokens in the form of cell phone software are likely to become more common in the future. A good token uses a one-time password. Each time you use it, or at set intervals, a new password is generated.
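A one-time password token of the kind described above works by deriving a fresh code from a shared secret and either a use counter (each time you use it) or the clock (at set intervals). The following is an added example implementing the standard HOTP (RFC 4226) and TOTP (RFC 6238) constructions plus a server-side verifier; it is not code from the article or from any token vendor, and the look-ahead window of 3 is a constructed value.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: the counter is the number of elapsed time steps since the epoch."""
    return hotp(secret, unix_time // step, digits)


class TokenVerifier:
    """Server side of a counter-based token.

    Accepts a code once, then advances the counter past it so the same code can never
    be replayed; a small look-ahead window tolerates codes generated but never submitted.
    """

    def __init__(self, secret, window=3):
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, code):
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # resynchronise and burn this code
                return True
        return False


if __name__ == "__main__":
    # Constructed secret (it is the RFC 4226 test-vector secret, not a real key).
    secret = b"12345678901234567890"
    print(hotp(secret, 0))       # 755224
    print(totp(secret, 59))      # 287082
    v = TokenVerifier(secret)
    print(v.verify("755224"), v.verify("755224"))   # True False (replay rejected)
```

The verifier never accepts a counter value at or below the last one used, which is what makes the password genuinely one-time even if it is captured in transit.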
Restrictions on IP address and time. Some security software programs will enable you to establish a list of valid IP (Internet Protocol) addresses. An IP address is a unique numerical label assigned to each device that connects to a computer network. The system will check a whitelist of allowed IP addresses, and anyone attempting to log in from a different address will not be authorized. A time restriction will assign specific days and time periods to users and only enable access during those times.
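The IP whitelist and time restriction described above are simple deny-by-default checks that run before any credential is even considered. The following is an added example, not code from the article or from any security product; the user name `treasury_ops`, the permitted networks (drawn from the RFC 5737 documentation ranges) and the Monday-to-Friday 08:00-18:00 window are all constructed.

```python
import ipaddress
from datetime import datetime

# Constructed per-user access policy: permitted networks and permitted day/hour windows.
ACCESS_POLICY = {
    "treasury_ops": {
        "allowed_networks": ["203.0.113.0/24", "198.51.100.7/32"],  # RFC 5737 documentation ranges
        "allowed_windows": [
            # (weekdays with Monday=0 .. Sunday=6, start hour inclusive, end hour exclusive)
            ({0, 1, 2, 3, 4}, 8, 18),
        ],
    },
}

# Constructed sample timestamps for the usage below.
TUESDAY_10AM = datetime(2024, 3, 5, 10, 0)
TUESDAY_7PM = datetime(2024, 3, 5, 19, 0)
SATURDAY_10AM = datetime(2024, 3, 9, 10, 0)


def ip_allowed(policy, client_ip):
    """Whitelist check: the client address must fall inside one permitted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in policy["allowed_networks"])


def time_allowed(policy, when):
    """Time restriction: the attempt must fall inside one permitted weekday/hour window."""
    return any(when.weekday() in days and start <= when.hour < end
               for days, start, end in policy["allowed_windows"])


def authorize_login(user, client_ip, when, policies=ACCESS_POLICY):
    """Deny by default; returns 'allow' only when every restriction is satisfied."""
    policy = policies.get(user)
    if policy is None:
        return "deny: no access policy for user"
    if not ip_allowed(policy, client_ip):
        return "deny: address %s not on whitelist" % client_ip
    if not time_allowed(policy, when):
        return "deny: outside permitted hours"
    return "allow"


if __name__ == "__main__":
    print(authorize_login("treasury_ops", "203.0.113.42", TUESDAY_10AM))  # allow
    print(authorize_login("treasury_ops", "192.0.2.9", TUESDAY_10AM))     # deny: address ...
    print(authorize_login("treasury_ops", "203.0.113.42", SATURDAY_10AM)) # deny: outside permitted hours
```

Each denial reason is distinct so that the log line for a rejected attempt tells an administrator which restriction fired; a login from an unlisted address during permitted hours is a different signal from an on-list login at 3 a.m.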
Hold restrictions on new users. If a criminal manages to gain access to the credentials of a cash management administrator on your network, you could be in trouble. The fraudster can create a new, authorized cash management user and start originating transactions as that person. Avoid this scenario by using your fraud management tools to automatically put new users on hold. Set up a rule that the new user is not given authority until an employee at a specified management level approves.
Core processor settings for cash management. Your core system may enable security settings that keep a lid on dangerous activities. Examples are bank override settings that allow customization of certain settings to conform with the institution’s risk model; emails and notifications that alert administrators to specified account activities; company-level ACH parameters, setting validations for batch initiation, company-level and batch-level validation, and calendar validation; dual control settings that help ensure that a single user does not have the ability to create and initiate a batch; and manual batch notification settings that require customer notification through a separate notice – such as email, phone, SMS text message, or fax – to prevent batch initiation that is not authorized by the customer.
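The hold rule for new users, the dual-control setting that separates batch creation from batch initiation, and the manual batch notification requirement from the two items above fit together as one set of workflow controls. The following is an added example, not code from the article or from any core processing system; the management levels (`STAFF`, `MANAGER`, `OFFICER`), the required approval level, and the user and batch names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed management levels; releasing a new user requires at least MANAGER.
STAFF, MANAGER, OFFICER = 1, 2, 3
REQUIRED_APPROVAL_LEVEL = MANAGER


@dataclass
class User:
    name: str
    on_hold: bool = True  # every new cash management user starts on hold


@dataclass
class Batch:
    batch_id: str
    created_by: str
    initiated_by: Optional[str] = None
    customer_notified: bool = False


class CashManagement:
    def __init__(self):
        self.users = {}
        self.batches = {}
        self.audit = []  # (event, actor, subject) tuples for review

    def create_user(self, admin, name):
        """An admin (even one whose credentials were stolen) can only create a held user."""
        self.users[name] = User(name)
        self.audit.append(("user_created_on_hold", admin, name))
        return self.users[name]

    def approve_user(self, approver, approver_level, name):
        """Release the hold only when the approver holds the required management level."""
        if approver_level < REQUIRED_APPROVAL_LEVEL:
            self.audit.append(("approval_refused", approver, name))
            return False
        self.users[name].on_hold = False
        self.audit.append(("user_released", approver, name))
        return True

    def _active(self, name):
        u = self.users.get(name)
        return u is not None and not u.on_hold

    def create_batch(self, creator, batch_id):
        if not self._active(creator):
            return "refused: user on hold or unknown"
        self.batches[batch_id] = Batch(batch_id, creator)
        return "created"

    def notify_customer(self, batch_id):
        """Record that the separate notice (email, phone, SMS, fax) went out."""
        self.batches[batch_id].customer_notified = True

    def initiate_batch(self, initiator, batch_id):
        batch = self.batches.get(batch_id)
        if batch is None or not self._active(initiator):
            return "refused: user on hold or unknown"
        if initiator == batch.created_by:
            return "refused: dual control requires a different initiator"
        if not batch.customer_notified:
            return "refused: customer not notified"
        batch.initiated_by = initiator
        return "initiated"


if __name__ == "__main__":
    cm = CashManagement()
    cm.create_user("admin1", "newuser1")
    print(cm.create_batch("newuser1", "B1"))                 # refused: user on hold or unknown
    print(cm.approve_user("clerk", STAFF, "newuser1"))       # False
    print(cm.approve_user("officer", OFFICER, "newuser1"))   # True
```

The point of the design is that no single credential is enough: creating a user, releasing the hold, creating a batch, and initiating it each require a different actor or an out-of-band confirmation, and every step lands in the audit list.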
Standalone computer for cash management. Industry security experts recommend the use of a standalone computer to perform high-level cash management activities. Make certain that the computer is secure and not used for web surfing or email.
The value of
Most of these strategies for website security are simple to implement and are common-sense precautions. Others may require a technology or software upgrade. Your return on investment in this area is usually obvious when measured against the time, trouble, and cost of fraud.
When you take steps to prevent fraud, you’re also preserving customer trust. The value of customer confidence can be hard to quantify, but you know you’ve got to have it to attract and retain customers and realize your business and growth goals.
Pete Hopkins is the general manager of Internet Solutions for Jack Henry & Associates, Inc. He can be reached at firstname.lastname@example.org.