I work in security for a financial firm. While we, like most financial firms, have done a lot to secure ourselves over the years, we've struggled with how to secure clients conducting sensitive financial transactions via online banking from insecure locations, using malware-infected equipment, and sometimes running antivirus/antispyware, sometimes not. While education of clients is key, along with providing multifactor authentication for ACH/wire clients, we want to provide effective controls to layer onto all browser sessions to harden them from keyloggers, MITM attacks, etc. What would you say are the best technological tools for the job? Are there other controls/tools financial institutions could utilize to harden these sessions remotely?
Unless there is a major cultural and architectural shift toward using trusted platforms, you may want to assume your customers’ systems are insecure or infected. Customers are unaware of the risks they face while using insecure systems, especially when it comes to the security of financial transactions online. This doesn’t mean you should do nothing to help protect customers, but you may want to implement the protections for the financial transactions on the parts of the system under your direct control.
Electronic payments association NACHA gives several tips for protecting against fraud, including protections like multifactor authentication, out-of-band authentication, and dual-control to request and authorize transactions. You may want to implement all of these for transactions and for logging into your Web portal.
You could also delay transactions for 24 hours or until approved, or require ACH/wire transfer recipients to be registered by the customer seven days in advance of the transaction's occurrence.
You could ban insecure older browsers like IE6 and others and recommend alternative Web browsers, technical tools like Trusteer's Rapport to protect the browser,, sandboxing Web browsers as with Invincea Inc.'s virtual browser, or application virtualization like Microsoft’s for the Web browser to help reduce risks. You could also use health checks of client systems to determine whether their machines are infected and if they should be allowed to conduct online financial transactions with your organization without first undergoing remediation of some kind.
When recommending any products, however, or requiring any health check, you should be clear these controls will not necessarily protect your customers from all attacks, and still should be implemented with other basic security controls, such as anti-malware.
This was first published in August 2011