Answer

How to ensure the security of financial transactions online

I work in security for a financial firm.  While we, like most financial firms, have done a lot to secure ourselves over the years, we've struggled with how to secure clients conducting sensitive financial transactions via online banking from insecure locations, using malware-infected equipment, and sometimes running antivirus/antispyware, sometimes not.  While education of clients is key, along with providing multifactor authentication for ACH/wire clients, we want to provide effective controls to layer onto all browser sessions to harden them from keyloggers, MITM attacks, etc. What would you say are the best technological tools for the job?  Are there other controls/tools financial institutions could utilize to harden these sessions remotely?

    Requires Free Membership to View

Unless there is a major cultural and architectural shift toward using trusted platforms, you may want to assume your customers’ systems are insecure or infected. Customers are unaware of the risks they face while using insecure systems, especially when it comes to the security of financial transactions online. This doesn’t mean you should do nothing to help protect customers, but you may want to implement the protections for the financial transactions on the parts of the system under your direct control.

Electronic payments association NACHA gives several tips for protecting against fraud, including protections like multifactor authentication, out-of-band authentication, and dual-control to request and authorize transactions. You may want to implement all of these for transactions and for logging into your Web portal.

You could also delay transactions for 24 hours or until approved, or require ACH/wire transfer recipients to be registered by the customer seven days in advance of the transaction's occurrence.

You could ban insecure older browsers like IE6 and others and recommend alternative Web browsers, technical tools like Trusteer's Rapport to protect the browser,, sandboxing Web browsers as with Invincea Inc.'s virtual browser, or application virtualization like Microsoft’s for the Web browser   to help reduce risks. You could also use health checks of client systems to determine whether their machines are infected and if they should be allowed to conduct online financial transactions with your organization without first undergoing remediation of some kind.

When recommending any products, however, or requiring any health check, you should be clear  these controls will not necessarily protect your customers from all attacks, and still should be implemented with other basic security controls, such as anti-malware.

This was first published in August 2011

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: