Black hat hackers, who break into networks to steal for financial gain, are wreaking havoc on banks, retailers, online gaming websites, and social media. Black hats cost these companies and their clients billions of dollars every year. They are using stolen usernames and passwords to transfer money through wire transfers, Automated Clearing House (ACH) and through billing fraud.
The Federal Financial Institutions Examination Council (FFIEC) has repeatedly implored that come January 2012, any lagging financial institutions will be required to significantly upgrade their security protocol. Since any existing form of authentication can be compromised, the FFIEC recommends that financial institutions should institute systems of â€œlayered security.â€
Previous FFIEC recommendations discussed authentication, suggesting that the security issue takes place when a user logs in. But in fact, not all the danger occurs at login. Other website integration points are vulnerable to security issues, particularly at the point when money is transferred.
According to the FFIECâ€™s recent update:
â€œFraudsters use keyloggers to steal the logon ID, password, and challenge question answers of financial institution customers. This information alone or in conjunction with stolen browser cookies loaded on the fraudsterâ€™s PC may enable the fraudster to log into the customerâ€™s account and transfer funds to accounts controlled by the fraudster, usually through wire or ACH transactions.â€
One of the FFIECâ€™s recommendations for financial institutions involves complex device identification. iovation, an Oregon-based security firm, goes a step further offering Device Reputation, which builds on complex device identification with real-time risk assessments, the history of fraud on groups of devices, and their relationships with other devices and accounts which exposes fraudsters working together to steal from online businesses.
Smart financial institutions arenâ€™t just complying with the FFIECâ€™s security recommendations, but are going beyond by incorporating device reputation into their layered security approach.