As Corporate Account Takeover continues to rise (read Part 1 here), traditional protection strategies are no longer enough. Verifying every transaction between a financial institution and its business clients through manual processes would be a daunting, practically impossible task, and cost-prohibitive for most institutions. Today, multi-dimensional, preemptive strategies are critical to mitigating this growing threat.
One major question, however, is where the responsibility for online banking security lies. Yes, each individual organization is responsible for protecting its own financial interests. But an "every-man-for-himself" approach does nothing to address account takeover fraud at a systemic level; there are too many variables outside any single business's control.
Truth be told, financial institutions are in a far better position to implement system-wide safeguards: they can isolate equipment, set restrictions and enforce protocols in ways that an individual business cannot. Industry experts have in fact recommended technologies for institutions to deploy to protect their clients.
For too long, however, attention has been given to individual measures aimed at stopping cyber-criminal activity. Financial institutions need more robust technologies and clearer strategies to fully protect business clients from Corporate Account Takeover.
Create a Series of Security Protocols
Two-factor authentication, One Time Passwords (OTP) and Out of Band (OOB) verification, when used only to confirm that a user is authorized to access a funds transfer system, each have their own weaknesses. More importantly, they authenticate the login, not the payment: none of them addresses manipulation of a transaction after access has been granted, which is exactly where malware on a client's PC does its work.
Instead, financial institutions must combine the strengths of each of these techniques into a series of security protocols within a transaction verification system, so that the transaction itself, not just the session, is verified.
Establish an Automated Solution for Transaction Verification
An automated solution for transaction verification is urgently needed to stem the tide of unrecoverable money lost to fraud. But what should that automation look like?
The solution should use OOB methods, but for a different purpose: to send an out-of-band alert to the business client whenever a suspect transaction is detected. The client's contact information must be controlled by the financial institution and be inaccessible to the user, so that a fraudster who has taken over the user's online banking credentials cannot change it and redirect the alerts.
For high-risk transactions such as wire transfers, the account holder, not the institution, should be the party that verifies the transaction. Voice biometrics coupled with a 24/7 interactive voice response (IVR) system supports this in the most streamlined way possible. Rather than burdening institution employees with calling account holders to confirm a suspicious wire, the process is reversed: on receipt of an out-of-band alert, the account holder calls the IVR system, authenticates with voice biometrics, and then confirms or disputes the wire transaction. This enhances both efficiency and security.
Placing responsibility for verification on the account holder puts them in control of where their funds are sent and lets them influence how quickly the payment settles. In other words, a legitimate payment is not slowed down by the financial institution's manual processes.
Verify Outgoing Credit Transactions with a Pre-Approved Payee List
Every outgoing credit transaction must be verified. The only workable method for validating an outgoing credit at scale is to compare it against a pre-approved list of payees, each identified by its routing and account number combination. This payee list (referred to below as the issuance file) should be populated only by the financial institution and then verified by the business client.
The business client's users should never be able to populate or modify the contents of the issuance file. Their role is limited to verifying the file's contents after receiving an OOB alert, logging in with multi-factor authentication and then entering an OTP as the final step. Any approval granted by the user must be followed by an out-of-band confirmation alert.
Once the payees have been verified by the business client's user, each subsequent live credit entry is compared against the issuance file to ensure that no new routing and account number combination is present. If one is introduced, the batch is suspended, the system generates a random OTP and sends it via the out-of-band channel to the business client. Because that OTP can only be used to approve the specific transaction already received by the financial institution's server, and the transaction cannot be altered from outside, intercepting the OTP gains a criminal nothing: the legitimate client sees the unfamiliar payee in the alert and disputes it. In that respect, an OTP delivered by SMS is in theory as effective as a hardware key generator.
It should be noted, however, that financial institutions have experienced weaknesses around mobile phone identification; the OTP is only as trustworthy as the phone number it is sent to. Effective fraud prevention therefore requires that any change of mobile phone number be performed by the financial institution itself, and only after thorough identity checking.
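To make the flow above concrete, here is an added illustration of the server side of the payee-list check, the transaction-bound OTP, and the institution-only contact change. It is not the vendor's product code; the class and function names, the HMAC-based OTP derivation, the five-minute expiry, and the sample routing/account numbers and batch data are all assumptions chosen for the example.

```python
"""Server-side transaction verification against a pre-approved payee list.

Added illustration, not the vendor's product code.  Assumed design: the
institution keeps the client's payee list and alert contact, suspends any
batch that introduces a new routing/account pair, and derives a one-time
password from an HMAC over the batch exactly as received plus a random
nonce, so the OTP cannot be reused for a different transaction.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Payee:
    routing: str   # routing/transit number
    account: str   # beneficiary account number


@dataclass
class ClientProfile:
    client_id: str
    approved_payees: frozenset   # populated by the institution, confirmed by the client
    oob_contact: str             # alert destination; never editable by the client's users


def change_oob_contact(profile, new_contact, actor_role, identity_verified):
    """Only institution staff, after an identity check, may change the alert contact."""
    if actor_role != "institution_staff" or not identity_verified:
        return False
    profile.oob_contact = new_contact
    return True


class TransactionVerifier:
    def __init__(self, server_key, otp_ttl_seconds=300):
        self._key = server_key
        self._ttl = otp_ttl_seconds
        self._pending = {}   # batch_id -> {"entries", "nonce", "expires"}

    @staticmethod
    def _canonical(batch_id, entries):
        # Deterministic serialisation of the batch exactly as held on the server.
        rows = [f"{e['routing']}|{e['account']}|{e['amount_cents']}" for e in entries]
        return "\n".join([batch_id] + rows).encode()

    def _otp_for(self, batch_id, entries, nonce):
        mac = hmac.new(self._key, nonce + self._canonical(batch_id, entries), hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def screen_batch(self, profile, batch_id, entries, now=None):
        """Release a batch whose payees are all approved; otherwise suspend it and build the OOB alert."""
        now = time.time() if now is None else now
        unknown = [(e["routing"], e["account"]) for e in entries
                   if Payee(e["routing"], e["account"]) not in profile.approved_payees]
        if not unknown:
            return {"status": "released", "batch_id": batch_id}
        nonce = secrets.token_bytes(16)
        self._pending[batch_id] = {"entries": list(entries), "nonce": nonce, "expires": now + self._ttl}
        alert = {"to": profile.oob_contact, "batch_id": batch_id, "unknown_payees": unknown,
                 "otp": self._otp_for(batch_id, entries, nonce)}
        return {"status": "suspended", "batch_id": batch_id, "alert": alert}

    def verify(self, batch_id, otp, now=None):
        """Release the stored batch if the OTP matches; the OTP is single-use and expires."""
        now = time.time() if now is None else now
        pending = self._pending.get(batch_id)
        if pending is None or now > pending["expires"]:
            self._pending.pop(batch_id, None)
            return {"status": "rejected", "reason": "no pending batch or OTP expired"}
        # Recompute from the server's copy of the batch, never from client-supplied data.
        expected = self._otp_for(batch_id, pending["entries"], pending["nonce"])
        if not hmac.compare_digest(expected, otp):
            return {"status": "rejected", "reason": "wrong OTP"}
        del self._pending[batch_id]   # consumed: a replayed OTP is rejected
        return {"status": "released", "batch_id": batch_id, "entries": pending["entries"]}


if __name__ == "__main__":
    # Constructed sample data; the routing and account numbers are placeholders.
    profile = ClientProfile("acme-corp", frozenset({Payee("021000021", "111222333")}), "+15550100000")
    verifier = TransactionVerifier(secrets.token_bytes(32))
    batch = [{"routing": "021000021", "account": "111222333", "amount_cents": 120000},
             {"routing": "026009593", "account": "999888777", "amount_cents": 4850000}]
    result = verifier.screen_batch(profile, "ACH-0001", batch)
    print(result["status"], result["alert"]["unknown_payees"])
    print(verifier.verify("ACH-0001", result["alert"]["otp"])["status"])
```

The important property is that the OTP is derived from the batch the server already holds: a criminal who intercepts the code cannot apply it to a different payment, and the alert itself reveals the unfamiliar payee to the legitimate client, who is the only party that should ever be able to release the batch.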
Corporate Account Takeover, which the author puts at a $16.8 billion problem, can be brought under control with the right technology and techniques. Doing so depends on financial institutions seizing the immediate opportunity to protect their clients and their reputations, and ultimately to secure confidence in our economic system.
For more information, download our Corporate Account Takeover white paper.