As the use of online banking by consumers and businesses has risen, so has the crime associated with it. The FBI and other authorities have issued alerts about a steep rise in online banking crime, much of it targeted at small and midsize businesses, municipalities and non-profits. The crooks steal passwords and account numbers, hack into bank accounts and transfer out funds. In some cases, the losses have been catastrophic , including at least one company that reportedly was on the brink of bankruptcy afterwards.
To bank managers like Laura Briscoe, vice president of information security at Stillwater National Bank and Trust Company (SNB), a subsidiary of Southwest Bancorp Inc. headquartered in Stillwater, Okla., this surge of attacks against online banking customers was particularly troubling. First off, the criminals were getting in by planting malware on the customers' PCs, which is not something a bank can prevent. Second, the money was often sent out of the country, after it was first moved to a dummy account in the U.S., making it virtually impossible to get it back. Yet Briscoe knew customers still expected banks to protect their money, despite the difficulties.
"The fraud wasn't due to anything on the banks' end. It was usually the customer's computer that was infected and their passwords stolen. But once the money is gone, it's gone, and you don't want a customer who's had a million dollars sent out of the country and can never get it back," Briscoe said.
To increase the level of security, many banks use software or hardware tokens, either to identify the user to the bank's website or to generate a one-time password. But because criminals can circumvent the two-factor security provided by tokens, SNB and other banks are opting to deploy out-of-band authentication.
The technology can automatically place a phone call to any customer attempting to transfer a large amount of money out of their account. Customers can have the calls come to their mobile phone or POTS (Plain Old Telephone Service) number, and can use a PIN, text response or voice print to authorize the transaction. If a user's PC and account have been hacked, the phone call may be the only chance to catch it.
"We decided we had to take [the second authentication] off of the computer, period. Even tokens are getting successfully hacked now, so this seemed like the only practical option for us," Briscoe said.
Robert Vamosi, research analyst at Javelin Strategy & Research, noted that out-of-band authentication is growing in usage, but still is mostly used for high-value transactions. "If you want to move $10,000, then the bank is likely to want to make sure you are who you say you are, and they bring out the big guns for a high-risk transaction," he said
SNB uses PhoneFactor Inc.'s hosted service, the Universal Banking Gateway. Overland Park, Kan.-based PhoneFactor also sells an on-premise version of its software. Other vendors include Authentify Inc.,Entrust and StrikeForce Technologies Inc. Briscoe chose PhoneFactor's hosted service because it worked better with the bank's third-party online banking service. She also liked the short amount of time required -- usually a minute or less -- to authenticate a transaction. To make sure it would be easy for customers to use, she initially rolled it out to just a handful of clients in September. The bank now has nearly every customer using it, and will begin requiring them to use it in early 2011.
"For the customer, it's not a big change. It's seconds on the clock before your phone is ringing, and the recording tells you the amount and what it's for. Then you enter your PIN and the system approves it," she said. "Everything on the [PC] screen remains the same. It just freezes for a minute while this is going on."
Clever crooks thwart even best security
Where there's a will, there's a way, and a determined criminal can find a way around most security measures. With out-of-band authentication, a hacker may attempt to get the customer's phone number changed on the account, substituting the crook's phone number.
"[A hacker] can say to the bank, I've changed my phone number, and the bank may say OK, we'll call both numbers to make sure, and then the criminals will flood the original number with crank calls," Vamosi said.
Hence, the technology's effectiveness depends on the bank adhering strictly to policies against making changes to an account without phone confirmation, or transferring money without that extra authorization.
The mobile phone may also prove to be a weak spot in out-of-band-authentication, according to Vamosi, who noted that people who use the same smartphone for Web banking as well as SMS authentication aren't operating in the spirit of the out-of-band approach. Also, smartphones have the ability to bypass the phone carrier and contact the Internet directly.
"That allows the bad guys to take control of the Wi-Fi connection," he said.
Also, this fall researchers uncovered a new technique developed by the infamous Zeus banking Trojan that is designed to circumvent SMS-based out-of-band authentication and relies on customers using a smartphone with Web access and tricking them into clicking on a malicious Web link in an SMS message.
Nevertheless, the odds that a hacker will go through the effort to target an account with that extra security, given there are lots of easier ones to hack, go down substantially said Diana Kelley, founder of SecurityCurve, an IT security consulting firm.
"So the attacker has to have my password, pass phrase, my account number, and now one more thing," Kelley said. "It's about raising the bar a little higher and making it a little harder for the criminal."