Layered security essential for web fraud detection

There is no silver bullet to solving the online authentication problem which is a well-known fact amongst practitioners,

Since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing high risk transactions, but rather institute a system of layered security, as described herein.

The US Federal Financial Institutions Examinations Council (FFIEC) has released new guidelines for financial institutions called a Supplement to Authentication in an Internet Banking Environment. This is the first major review since the previous guidelines was first issued in 2005.

The main focus of the new guidelines is on layered security and real-time detection.

Some interesting points are raised why BehavioSec functionality fits well with the guidelines.

Taken from the guidelines the effective controls to be included into such a layered program suggested are, amongst others,

-          Fraud detection and monitoring systems that include consideration of customer history and behavior…

Our solution is behavioral based analysis of customer interactions with a web site to efficiently identify & verify that it is the correct user accessing their account, adding an additional layer to already existing strong authentication tools without interfering with the end-user experience.

Continued reliance on the ‘gatekeeper approach’, is disregarded and suggestions to monitor the user interaction into the actual session are encouraged,

Layered security controls should include processes designed to detect anomalies and effectively respond to suspicious or anomalous activity related to:

-          initial login and authentication of customers requesting access to the institution’s electronic banking system; and

-          initiation of electronic transactions involving the transfer of funds to other parties.

This fits well with the multi layered approach introduced by BehavioSec using Behaviometrics as additional risk based verification on top of existing security checks. Our solution makes sure that not just that the correct user credentials are provided but that they are entered by the intended user and that the same behavioral patterns are seen through the whole transaction. Comparing it to traditional authentication approach of black and white 1 or 0 it would be like, virtually, swiping a fingerprint and receiving a risk score the likelihood that it was the correct user whenever a transaction is conducted.

Get Ready For the FFIEC Guidance

To be compliant with the guidelines FFIEC encourages companies to look more into solutions such as BehavioSec.

The banking, payment, and security industries have continued to innovate in response to the increasing cyber threat environment. In addition to some of the control methods previously discussed, other examples of customer authentication include keystroke dynamics and biometric based responses

About FFIEC
All quotes are extract from the report and is available from FFIEC’s site

Download this article BehavioSec and FFIEC guidance (PDF)

Download a white paper about BehavioSec and the FFIEC guidelines (PDF)