I work in security for a financial firm. While we, like most financial firms, have done a lot to secure ourselves...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
over the years, we've struggled with how to secure clients conducting sensitive financial transactions via online banking from insecure locations, using malware-infected equipment, and sometimes running antivirus/antispyware, sometimes not. While education of clients is key, along with providing multifactor authentication for ACH/wire clients, we want to provide effective controls to layer onto all browser sessions to harden them from keyloggers, MITM attacks, etc. What would you say are the best technological tools for the job? Are there other controls/tools financial institutions could utilize to harden these sessions remotely?
Unless there is a major cultural and architectural shift toward using trusted platforms, you may want to assume your customers’ systems are insecure or infected. Customers are unaware of the risks they face while using insecure systems, especially when it comes to the security of financial transactions online. This doesn’t mean you should do nothing to help protect customers, but you may want to implement the protections for the financial transactions on the parts of the system under your direct control.
Electronic payments association NACHA gives several tips for protecting against fraud, including protections like multifactor authentication, out-of-band authentication, and dual-control to request and authorize transactions. You may want to implement all of these for transactions and for logging into your Web portal.
You could also delay transactions for 24 hours or until approved, or require ACH/wire transfer recipients to be registered by the customer seven days in advance of the transaction's occurrence.
You could ban insecure older browsers like IE6 and others and recommend alternative Web browsers, technical tools like Trusteer's Rapport to protect the browser,, sandboxing Web browsers as with Invincea Inc.'s virtual browser, or application virtualization like Microsoft’s for the Web browser to help reduce risks. You could also use health checks of client systems to determine whether their machines are infected and if they should be allowed to conduct online financial transactions with your organization without first undergoing remediation of some kind.
When recommending any products, however, or requiring any health check, you should be clear these controls will not necessarily protect your customers from all attacks, and still should be implemented with other basic security controls, such as anti-malware.
Dig Deeper on Web application and API security best practices
Related Q&A from Nick Lewis
Cross-platform malware enables attackers to leverage their attacks using infected Microsoft Word docs. Expert Nick Lewis explains how the attacks ...continue reading
How was the ATMitch malware able to loot cash machines, then delete itself? Expert Nick Lewis explains how the fileless malware works and how it ...continue reading
DoubleAgent malware is a proof of concept for a zero-day vulnerability that can turn antivirus tools into attack vectors. Expert Nick Lewis explains ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.