I work in security for a financial firm. While we, like most financial firms, have done a lot to secure ourselves...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
over the years, we've struggled with how to secure clients conducting sensitive financial transactions via online banking from insecure locations, using malware-infected equipment, and sometimes running antivirus/antispyware, sometimes not. While education of clients is key, along with providing multifactor authentication for ACH/wire clients, we want to provide effective controls to layer onto all browser sessions to harden them from keyloggers, MITM attacks, etc. What would you say are the best technological tools for the job? Are there other controls/tools financial institutions could utilize to harden these sessions remotely?
Unless there is a major cultural and architectural shift toward using trusted platforms, you may want to assume your customers’ systems are insecure or infected. Customers are unaware of the risks they face while using insecure systems, especially when it comes to the security of financial transactions online. This doesn’t mean you should do nothing to help protect customers, but you may want to implement the protections for the financial transactions on the parts of the system under your direct control.
Electronic payments association NACHA gives several tips for protecting against fraud, including protections like multifactor authentication, out-of-band authentication, and dual-control to request and authorize transactions. You may want to implement all of these for transactions and for logging into your Web portal.
You could also delay transactions for 24 hours or until approved, or require ACH/wire transfer recipients to be registered by the customer seven days in advance of the transaction's occurrence.
You could ban insecure older browsers like IE6 and others and recommend alternative Web browsers, technical tools like Trusteer's Rapport to protect the browser,, sandboxing Web browsers as with Invincea Inc.'s virtual browser, or application virtualization like Microsoft’s for the Web browser to help reduce risks. You could also use health checks of client systems to determine whether their machines are infected and if they should be allowed to conduct online financial transactions with your organization without first undergoing remediation of some kind.
When recommending any products, however, or requiring any health check, you should be clear these controls will not necessarily protect your customers from all attacks, and still should be implemented with other basic security controls, such as anti-malware.
Dig Deeper on Web Application and Web 2.0 Threats
Related Q&A from Nick Lewis
IP devices like multifunction printers and faxes may be an attack vector. Expert Nick Lewis explains the vulnerabilities, and how to secure them ...continue reading
AceDeceiver is a Trojan that can install itself on iOS devices without any certificates. Expert Nick Lewis explains how it works, and how enterprises...continue reading
USB Thief, a new type of stealth malware, leaves no trace on air-gapped targets. Expert Nick Lewis explains how the malware works and how enterprises...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.