Don't Underestimate the Online Fraudster
From the beginning, banks have protected their online banking businesses with basic authentication methods that required users to log in with a username/ID number and a password to verify their identity. However, fraudsters quickly started to evade these early online fraud prevention methods by obtaining users’ passwords using social engineering techniques, keyloggers, or any number of other tools.
As a result, banks moved to multifactor authentication that required users to apply more than one form of authentication to verify the legitimacy of their log-on. However, ‘man-in-the-middle’ attacks allowed fraudsters to intercept traffic and route funds to accounts controlled by them. To combat this, banks turned to tools such as IP profiling, which identifies the actual IP address of the computer being used to access an online bank account, checks it against a known blacklist of suspicious addresses, and also checks whether it matches the user’s standard pattern of access.
Once fraudsters realised they couldn’t connect directly with a bank’s system without being detected, they began to focus more on hijacking a legitimate user’s machine by implanting code in the user’s browser to gain control of the banking session. These ‘man-in-the-browser’ attacks are capable of moving funds out of a customer’s account without the bank or the user being aware. The attacker also uses techniques to spoof windows in the real browser on a given computer, meaning that the user can be completely fooled into believing their actual transaction has occurred. The presence of the Trojan is not visible to the user, as it does not interfere with normal use of the browser when visiting websites and engaging in transactions on those sites.
Banks can tackle this threat through a layered fraud prevention approach – one that analyses the log-in, the transactions, and risky sequences of events. This gives them the best chance to minimise online banking fraud and enables them to capture a broader view of customer activity to gain a complete understanding of a particular customer’s profile. This expanded view, coupled with additional fraud prevention techniques such as out-of-band communication with customers, allows institutions to better detect and prevent fraud. Only by staying one step ahead of the fraudsters will banks be able to live happily ever after.
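The layered approach described above, sketched as an added example that is not part of the original post: a login layer (IP profiling), a transaction layer and an event-sequence layer are combined into one decision, with out-of-band verification as the middle outcome. The account names, IP ranges, weights, thresholds and the `add_payee` then `transfer` sequence are all assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# All values, weights and thresholds below are constructed for illustration.
BLACKLIST = [ip_network("203.0.113.0/24")]
USUAL_NETS = {"alice": [ip_network("198.51.100.0/24")]}
KNOWN_PAYEES = {"alice": {"acct-123"}}
RISKY_SEQUENCE = ("add_payee", "transfer")  # assumed risky order of events

def login_layer(user, ip):
    """IP profiling: blacklist hit, or an address outside the usual pattern."""
    addr = ip_address(ip)
    if any(addr in net for net in BLACKLIST):
        return 60
    if not any(addr in net for net in USUAL_NETS.get(user, [])):
        return 25
    return 0

def transaction_layer(user, event, typical_max=1000):
    """Score one transfer: unfamiliar payee, unusually large amount."""
    new_payee = event["payee"] not in KNOWN_PAYEES.get(user, set())
    return 25 * new_payee + 25 * (event["amount"] > typical_max)

def sequence_layer(actions):
    """30 if RISKY_SEQUENCE occurs in order (not necessarily adjacent)."""
    it = iter(actions)
    return 30 if all(step in it for step in RISKY_SEQUENCE) else 0

def assess(session):
    """Combine all three layers into a score and a decision."""
    user, events = session["user"], session["events"]
    score = login_layer(user, session["ip"])
    score += sum(transaction_layer(user, e) for e in events
                 if e["action"] == "transfer")
    score += sequence_layer([e["action"] for e in events])
    if score >= 100:
        return score, "block"
    if score >= 40:
        return score, "out_of_band_verify"
    return score, "allow"

NORMAL = {"user": "alice", "ip": "198.51.100.7", "events": [
    {"action": "transfer", "payee": "acct-123", "amount": 200}]}
# Session driven from the customer's own machine: the login looks clean.
HIJACKED = {"user": "alice", "ip": "198.51.100.7", "events": [
    {"action": "add_payee", "payee": "acct-999"},
    {"action": "transfer", "payee": "acct-999", "amount": 5000}]}
if __name__ == "__main__":
    for name, s in (("normal", NORMAL), ("hijacked", HIJACKED)):
        print(name, "login score:", login_layer(s["user"], s["ip"]), assess(s))
```

The hijacked session scores 0 at the login layer because it comes from the customer's usual address, and is only flagged once the transaction and sequence layers are added.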
Fraud & Risk Solutions Consultant