However, the court ruled that the bank has a responsibility to protect its customers through the use of fraud detection mechanisms.
For most banks this just means doing what they do already. The fraud detection systems used today are comprehensive – looking at payments from different organizations, across different channels, all day every day, and spotting anything that seems even slightly out of the ordinary. As an industry we share information about types of fraudulent attacks, and even the IP addresses used by criminals trying to gain access to online bank accounts, and the fight to stay one step ahead of the fraudsters never stops.
If banks want to check that they are making reasonable efforts to prevent and detect online banking fraud for their customers, we have produced a checklist of ten of the most important features of successful fraud prevention and detection:
- Apply multi-factor logon authentication for online banking systems – such as tokens with one-time password or Adaptive Authentication (risk-based authentication).
- Utilize real-time analytics – monitor transactional behavior to determine whether activity is standard or anomalous for that customer. When high-risk activity is detected, action can be taken in real time or near-real time to stop the transfer of funds from the customer’s account. Funds can also be held until customer validation can take place (see #4 below).
- Employ profiling – include non-financial information (IP address, login activities, and device characteristics) to build customer profiles which can be stored to monitor ongoing behavior.
- Make use of out-of-band notification methods – use a phone call, text message, e-mail, etc. to confirm activity with customers before transactions can be completed.
- Maintain anti-virus software – be sure to recommend that your customers keep it current on end-user machines. While not fool-proof, it can stop lesser forms of intrusion.
- Maximize password management – ensure password management best practices are enacted (e.g. change password every ninety days, minimum length, an alphanumeric mix, varying history, etc.).
- Leverage dual approval and limit management capabilities in your online banking tool – End-users with transaction initiation or approval entitlements should not also have administrative rights.
- Implement token management at ACH or Wire release – this approach provides another layer of authentication prior to finalizing the transaction.
- Employ a prescriptive, layered approach to security – combine the security tools within your online banking solution (e.g. multi-factor authentication, limit management, etc.) with a fraud prevention and detection solution (e.g. profiling, analytics, etc.).
- Education – keep it simple but constant. Partner with your customers to ensure they are aware of today’s threats and know what tools are available today to protect themselves.
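To make the real-time analytics, profiling and out-of-band items above concrete, here is a small added example (not from the original article or any bank's system) that builds a per-customer profile from past transactions, scores a new payment against it, and maps the score to allow / hold-for-confirmation / block. The field names, thresholds and transaction history are all constructed for illustration.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Profile:
    """Per-customer baseline: past amounts plus the devices and countries seen (checklist item 3)."""
    amounts: list = field(default_factory=list)
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)

    def learn(self, txn):
        self.amounts.append(txn["amount"])
        self.devices.add(txn["device"])
        self.countries.add(txn["country"])


def score(profile, txn):
    """Count the ways a transaction deviates from the customer's own norm (checklist item 2)."""
    reasons = []
    if txn["device"] not in profile.devices:
        reasons.append("unknown device")
    if txn["country"] not in profile.countries:
        reasons.append("new login country")
    if len(profile.amounts) >= 3:            # need some history before judging amounts
        mu = mean(profile.amounts)
        sigma = pstdev(profile.amounts) or 1.0  # identical past amounts give sigma 0; avoid a zero band
        if txn["amount"] > mu + 3 * sigma:
            reasons.append("amount far above customer norm")
    return len(reasons), reasons


def decide(profile, txn, hold_at=1, block_at=3):
    """Allow low-risk payments, hold medium-risk ones for out-of-band confirmation (item 4), block the rest."""
    risk, reasons = score(profile, txn)
    if risk >= block_at:
        return "block", reasons
    if risk >= hold_at:
        return "hold_for_oob_confirmation", reasons
    return "allow", reasons


# Constructed sample history for one customer (hypothetical values, not real data).
HISTORY = [
    {"amount": 120.0, "device": "dev-A", "country": "US"},
    {"amount": 95.0, "device": "dev-A", "country": "US"},
    {"amount": 140.0, "device": "dev-B", "country": "US"},
    {"amount": 110.0, "device": "dev-A", "country": "US"},
]


def build_profile(history):
    profile = Profile()
    for txn in history:
        profile.learn(txn)
    return profile
```

A held payment stays held until the customer confirms it through a channel other than the one that initiated it, which is the point of item 4.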