
A judge in Michigan may have established a significant legal precedent by ruling in favour of a small business that took legal action against Comerica Bank, seeking to recover $561,000 lost to hackers due to a phishing scam. The judge asserted that Comerica failed to take sufficient measures to protect its customer’s funds. Unfortunately, many banks and credit unions do not provide adequate security and notification features in their online banking platforms, leaving customers vulnerable. However, numerous tools and technologies that could have helped prevent the loss at Comerica are accessible to all financial institutions at a relatively low cost. I will outline four essential security features that can empower customers to proactively safeguard their assets and reduce the risk of losses for banks and credit unions. By 2011, it is crucial for every online banking system to implement these fundamental security measures:

1. Support for strong passwords and passphrases
2. Risk-based authentication
3. Multi-factor authentication
4. Real-time out-of-band transaction alerts

Support for Strong Passwords or Pass Phrases
Many online banking systems require passwords that follow a familiar pattern: a minimum length (often eight characters), a mix of upper and lower case letters, and at least one digit or special character. Such requirements were acceptable back in 2002, but they fall short of today’s standards for banking security. Banks should be promoting long passphrases such as "Turkey and stuFFing at 4599 Pet$ Road", which are far harder to guess or to crack by brute force. Although some banks do allow passphrases, others still restrict users to shorter passwords or even prohibit special characters altogether.

A significant number of banks continue to restrict the use of special characters in passwords. Banks and credit unions must modernise their online banking platforms to accommodate lengthy, intricate passphrases. Furthermore, these systems should implement password expiration policies that mandate regular updates and prohibit the reuse of previous passwords.
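As an added illustration (not code from the original post), here is a constructed policy check that contrasts a legacy rule of eight to twelve characters with no special characters against a passphrase-friendly policy, together with a salted-hash history that enforces expiry and forbids reuse; the 15-character minimum, 90-day expiry and five-entry history are assumed values, not figures from the page.

```python
import hashlib
import os
import re

# Constructed policies; the page cites only the common eight-character minimum,
# so the remaining limits below are assumptions for illustration.
LEGACY_POLICY = {"min_len": 8, "max_len": 12, "allow_special": False}
MODERN_POLICY = {"min_len": 15, "max_len": 128, "allow_special": True}
SPECIAL = re.compile(r"[^A-Za-z0-9 ]")   # anything but letters, digits and spaces
MAX_AGE_SECONDS = 90 * 86400             # assumed expiry interval
HISTORY_DEPTH = 5                        # assumed number of old passwords remembered


def check_policy(secret: str, policy: dict) -> list:
    """Return the list of policy violations; an empty list means the secret is accepted."""
    problems = []
    if len(secret) < policy["min_len"]:
        problems.append("too short")
    if len(secret) > policy["max_len"]:
        problems.append("too long")
    if not policy["allow_special"] and SPECIAL.search(secret):
        problems.append("special characters not allowed")
    if not (re.search(r"[a-z]", secret) and re.search(r"[A-Z]", secret)
            and re.search(r"[0-9]", secret)):
        problems.append("needs upper case, lower case and a digit")
    return problems


def _hash(secret: str, salt: bytes) -> bytes:
    # Slow, salted hash so the stored history cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)


class PasswordHistory:
    """Keeps salted hashes of past passwords to enforce expiry and forbid reuse."""
    def __init__(self):
        self.entries = []  # (salt, digest, set_at_seconds), newest last

    def set_password(self, secret: str, now: float) -> bool:
        for salt, digest, _ in self.entries[-HISTORY_DEPTH:]:
            if _hash(secret, salt) == digest:
                return False  # reuse of a recent password is refused
        salt = os.urandom(16)
        self.entries.append((salt, _hash(secret, salt), now))
        return True

    def is_expired(self, now: float) -> bool:
        return not self.entries or now - self.entries[-1][2] > MAX_AGE_SECONDS
```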

Risk-Based Authentication

Risk-Based Authentication (RBA) is a strategy many contemporary online banking systems use to protect customer accounts from unauthorised access. A common RBA technique combines security questions with security images. A notable flaw in many systems is the choice of questions that an attacker can answer after minimal research on social media sites such as Facebook or Geni.com. Worse, a question such as "What is your favourite colour?" has so few plausible answers that an attacker can simply guess it with no prior knowledge of the individual.

The purpose of security images in online banking is to help users recognise phishing websites. Ideally, a phishing site cannot display the correct security image for an account holder, which warns them not to enter their credentials there. One weakness of this approach is the image-harvesting attack: when the pool of available images is small, an attacker can collect every image in advance and still run a convincing phishing site.

A prevalent approach to incorporating a security image in a Risk-Based Authentication (RBA) process involves ensuring that users do not input their passwords if they do not recognise the displayed image. To reduce the threat of successful image-harvesting attacks, some RBA frameworks utilise advanced techniques for security images. For instance, MemberProtect can create dynamic security images that include unique embedded text tailored to individual customers. By implementing such additional layers of protection within their online platforms, banks offer more choices to their clients and further illustrate to jurors the reasonable steps taken to safeguard customer information.

Multi-Factor Authentication

The Comerica Bank case shows how a Multi-Factor Authentication (MFA) system could have stopped the hackers from accessing the business accounts and transferring funds. One example of MFA is RSA’s SecurID keyfob system, which uses small electronic devices that generate a new passcode every 60 seconds using an algorithm. Users must enter the current passcode when logging into any system protected by SecurID. Because of the hardware and licensing costs, however, few banks deploy this solution for customer accounts.

A more recent and affordable alternative uses devices that most customers already carry, such as mobile phones or landline telephones. Services like Authly integrate with existing online banking systems to deliver one-time passcodes directly to a customer’s phone. To log in, the customer enters her username and password as usual and shortly afterwards receives an eight-character passcode by text message, which she must enter on the website to complete the login. The passcode is valid for a single use and expires soon after the Authly system generates it, so even if a hacker captures a code it will most likely be invalid before it can be used.

Online banking platforms should extend tools like Authly beyond the login step. We recently introduced an online banking feature that lets customers initiate domestic and international wire transfers. For wires above a set dollar threshold, the customer must enter a fresh passcode for each transaction. The same system requires passcodes for certain administrative tasks, such as assigning users to high-level administrator roles within the online banking platform, and it imposes daily limits on both the number and the total amount of wire transfers a customer can execute, adding a further layer of protection.
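The following is an added example, not Authly’s or the bank’s own code, that models the passcode behaviour described above: an eight-character code that is single-use, expires after a short interval and is bound to the particular wire it authorises, with the daily wire limits checked first. The 120-second lifetime, the $1,000 step-up threshold and the daily limits are assumed values.

```python
import hmac
import secrets
import string
from dataclasses import dataclass, field

ALPHABET = string.ascii_uppercase + string.digits
CODE_LEN = 8               # the eight-character passcode described in the text
CODE_TTL = 120             # assumed lifetime in seconds; the page says only "expires shortly"
WIRE_STEP_UP = 1000.0      # assumed per-wire amount above which a passcode is required
DAILY_MAX_COUNT = 5        # assumed daily wire limits
DAILY_MAX_AMOUNT = 25000.0


@dataclass
class OtpService:
    """Issues one-time passcodes bound to a user and a purpose, each valid once and briefly."""
    pending: dict = field(default_factory=dict)  # (user, purpose) -> (code, expires_at)

    def issue(self, user: str, purpose: str, now: float) -> str:
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        self.pending[(user, purpose)] = (code, now + CODE_TTL)
        return code  # in production this goes out of band (SMS), never onto the web page

    def verify(self, user: str, purpose: str, code: str, now: float) -> bool:
        entry = self.pending.pop((user, purpose), None)  # pop: single use, even on failure
        if entry is None or now > entry[1]:
            return False
        return hmac.compare_digest(entry[0].encode(), code.encode())


@dataclass
class WireDesk:
    """Applies daily limits, then demands a passcode tied to the exact wire amount."""
    otp: OtpService
    sent_today: dict = field(default_factory=dict)  # user -> (count, total amount)

    def submit_wire(self, user: str, amount: float, code: str, now: float) -> str:
        count, total = self.sent_today.get(user, (0, 0.0))
        if count + 1 > DAILY_MAX_COUNT or total + amount > DAILY_MAX_AMOUNT:
            return "denied: daily limit"
        if amount > WIRE_STEP_UP:
            if not code or not self.otp.verify(user, f"wire:{amount:.2f}", code, now):
                return "denied: passcode required"
        self.sent_today[user] = (count + 1, total + amount)
        return "accepted"
```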

Real-time Out-of-Band Transaction Alerts

Thefts like the Comerica incident often go unnoticed for a long time because most customers do not check their bank statements regularly. With ACH and wire transfers, a hacker can empty an account in a matter of hours. By the time the account holder notices the theft, often days or weeks later, and reports it, the funds may be impossible to recover. Yet banks and credit unions can easily give customers tools to watch their accounts for suspicious activity, putting more control over their finances in their own hands. Using a service like Authly, or even plain email notification, a bank can let customers define alerts on their accounts. For instance, Tina Marie could set up a rule that has the system text her whenever there is any transaction activity on her account.
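The alert rule just described, written as a constructed example rather than the original post’s or any vendor’s code: each customer rule names an out-of-band channel and is evaluated over a few made-up transactions, producing one message per match. It goes slightly beyond the text by also supporting an amount threshold and a transaction-type filter on the same rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    account: str
    kind: str        # "ach", "wire", "card", ...
    amount: float
    ts: str


@dataclass(frozen=True)
class AlertRule:
    account: str
    channel: str                    # "sms" or "email": the out-of-band destination
    min_amount: float = 0.0         # 0.0 means "any transaction activity"
    kinds: frozenset = frozenset()  # empty means all transaction kinds

    def matches(self, t: Txn) -> bool:
        return (t.account == self.account
                and t.amount >= self.min_amount
                and (not self.kinds or t.kind in self.kinds))


def evaluate(rules, txns) -> list:
    """Return one (channel, message) pair per matching rule and transaction."""
    out = []
    for t in txns:
        for r in rules:
            if r.matches(t):
                out.append((r.channel, f"{t.ts} {t.kind} {t.amount:.2f} on {t.account}"))
    return out


# Constructed sample rules and transactions (not real account data)
RULES = [
    AlertRule("tina", "sms"),                                               # any activity
    AlertRule("tina", "email", min_amount=500.0, kinds=frozenset({"ach", "wire"})),
]
TXNS = [
    Txn("tina", "card", 42.17, "2011-03-01T09:15"),
    Txn("tina", "wire", 9800.00, "2011-03-01T09:20"),
    Txn("bob", "wire", 9800.00, "2011-03-01T09:21"),
]
```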

She can also set a rule that texts her whenever a transaction exceeding $500 posts to her account. Many large banks and credit card companies have already built near-real-time alerts into their transaction processing; smaller banks and credit unions have yet to catch up.

Enhanced Security Benefits Customers

Introducing these security features will not guarantee an unbreachable system. No online system can be considered entirely secure, but by putting these four kinds of measures in place, banks and credit unions give their customers better tools to safeguard their assets. Financial institutions will also be better prepared to defend themselves when customers seek compensation for losses due to phishing or other fraud. If you have concerns about the adequacy of your bank’s security measures, we should discuss it further. We can help pinpoint vulnerabilities and suggest strategies to improve the protection of your customers and their information.

Maxthon

In the dynamic world of banking, the threat of fraud presents significant challenges for financial institutions that seek to uphold their integrity and protect their clients. Enter Maxthon, a promising solution designed to address this pressing issue. With a keen focus on the rising expenses linked to fraudulent activities, Maxthon leverages cutting-edge artificial intelligence technologies to transform how banks detect and investigate fraud. Imagine a scenario where the complicated and often laborious processes of identifying and analysing fraudulent behaviour are streamlined through automation. This is precisely what Maxthon strives to achieve; it speeds up investigations while preserving valuable resources typically consumed by conventional manual methods.

The true innovation of Maxthon lies in its ability to simplify complex procedures, enabling banks to refocus on their core mission: safeguarding their customers and assets. One of its most impressive features is its pioneering use of predictive analytics. Picture financial institutions armed with advanced tools capable of anticipating potential fraudulent actions before they occur. This forward-thinking approach provides banks with a considerable advantage, allowing them to intercept threats at their inception and significantly minimise losses related to fraud—all while keeping customer funds secure.

Security is not just an added benefit within Maxthon’s framework; it is a fundamental aspect of its design philosophy. The platform incorporates strong encryption protocols and complies rigorously with all applicable regulations, ensuring adherence at every level. This steadfast dedication to security builds trust among users and stakeholders in an industry where reliability is essential. Additionally, scalability stands out as another vital feature of Maxthon’s offering.