Fighting online banking fraud at Wells Fargo

Bank says a combination of user authentication, risk analysis, and device fingerprinting helps it catch online fraud

A recent report from Javelin Strategy & Research showed that identity fraud is up, but Wells Fargo & Company said it's beating online banking fraud with a multi-layered system that uses a combination of security controls.

"We have a layered approach, which means there are both front-end prevention controls and back-end detection controls," Teddy De Rivera, executive vice president, Wells Fargo Internet Services Group, said in an interview.

The bank's front-end controls include passwords, two-factor authentication and challenge questions that are used when customers are logging into Wells Fargo's online banking system, he said. On the back end, the bank uses a combination of techniques that includes real-time risk analysis that takes a customer's normal online banking behavior into account and device fingerprinting.

"PCs and mobile devices are all unique with the way the systems are configured, the IP address, and software," De Rivera said. "If all the sudden a customer who normally logs in from Chicago is logging in from somewhere in Eastern Europe, that's a red flag."

If the bank spots abnormal activity, an employee will reach out to the customer to confirm whether he or she actually did initiate the activity.

San Francisco-based Wells Fargo uses three different systems for device fingerprinting. "We try to have a robust set of tools so we're not reliant on any single product," De Rivera said.

"Most of these functions happen in the background, but we find it's been very effective in protecting our customers from fraud," he said. In fact, actual losses from online banking fraud are relatively small and have gone down, he added.

For certain online banking services, Wells Fargo offers out-of-band, two-factor authentication. Called Advanced Access, the program involves sending a numeric code to a customer's phone; customers need to tell the bank which phone on which they want to receive codes.

The bank also uses knowledge-based authentication in certain cases, such as when customers are opening new accounts. KBA typically involves a question and answer process to authenticate a user based on knowledge of personal data, such as cities birthplace. While the technique is effective, there are some concerns with it because there's been evidence that fraudsters are patrolling social networking sites to gather data on customers, De Rivera said.

In addition to its multi-layered system for fighting fraud, Wells Fargo emphasizes customer education and includes many security tips and tools on its website. It co-sponsors the Javelin identity fraud survey report because the report helps raise consumer awareness on identity fraud, De Rivera said.

"We view education as power to the consumer," he said. "The better they're educated about this, the more they realize they can use a lot of the technology to their advantage and not become a victim."

One of the most important steps banking customers can take to protect their accounts is to monitor their financial records on a regular basis, De Rivera said. He suggested reviewing accounts online and signing up for alerts to an email account or mobile device that warn if a balance has dropped below a certain level.

"Fraudsters take advantage of customers who are offline because they know there's a 30-day window between getting statements," he said.

According to Javelin's report, which surveyed 5,000 adults, 43% of all reported identity fraud cases are spotted by consumers monitoring their accounts, and those who use electronic methods to detect fraud suffer lower average out-of-pocket fraud costs.

Industry collaboration also helps Wells Fargo battle not only online fraud but all kind of fraud, including check fraud. The bank, along with Bank of America, BB&T and JP Morgan Chase own Early Warning Services, a limited liability company, which facilitates the exchange of information to prevent fraud.

For example, if Bank of America knows that fraud has been perpetrated with a certain device, they share that information with the other banks, which can block the device from coming into their online systems, De Rivera said.

Dig deeper on Debit and credit card fraud prevention

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSecurity

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

ComputerWeekly

Close