I work in security for a financial firm. While we, like most financial firms, have done a lot to secure ourselves...
over the years, we've struggled with how to secure clients conducting sensitive financial transactions via online banking from insecure locations, using malware-infected equipment, and sometimes running antivirus/antispyware, sometimes not. While education of clients is key, along with providing multifactor authentication for ACH/wire clients, we want to provide effective controls to layer onto all browser sessions to harden them from keyloggers, MITM attacks, etc. What would you say are the best technological tools for the job? Are there other controls/tools financial institutions could utilize to harden these sessions remotely?
Unless there is a major cultural and architectural shift toward using trusted platforms, you may want to assume your customers’ systems are insecure or infected. Customers are unaware of the risks they face while using insecure systems, especially when it comes to the security of financial transactions online. This doesn’t mean you should do nothing to help protect customers, but you may want to implement the protections for the financial transactions on the parts of the system under your direct control.
Electronic payments association NACHA gives several tips for protecting against fraud, including protections like multifactor authentication, out-of-band authentication, and dual-control to request and authorize transactions. You may want to implement all of these for transactions and for logging into your Web portal.
You could also delay transactions for 24 hours or until approved, or require ACH/wire transfer recipients to be registered by the customer seven days in advance of the transaction's occurrence.
You could ban insecure older browsers like IE6 and others and recommend alternative Web browsers, technical tools like Trusteer's Rapport to protect the browser,, sandboxing Web browsers as with Invincea Inc.'s virtual browser, or application virtualization like Microsoft’s for the Web browser to help reduce risks. You could also use health checks of client systems to determine whether their machines are infected and if they should be allowed to conduct online financial transactions with your organization without first undergoing remediation of some kind.
When recommending any products, however, or requiring any health check, you should be clear these controls will not necessarily protect your customers from all attacks, and still should be implemented with other basic security controls, such as anti-malware.
Related Q&A from Nick Lewis, Enterprise Threats
Chameleon malware targets insecure wireless access points. Enterprise threats expert Nick Lewis explains how to defend against the malware.continue reading
The Zeus malware is threatening RTF security by embedding itself in the file, which is commonly seen as safer than other file formats such as PDFs. ...continue reading
Enterprise threats expert Nick Lewis explains how to detect and avoid one of the most advanced malware threats: The Mask.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.