This article can also be found in the Premium Editorial Download "Information Security magazine: Security 7 Award winners and the latest on effective security awareness."
Addison Avenue Federal Credit Union serves over 140,000 members, a good percentage of whom don't live or work near a branch. As people move away from the area or change jobs, they would rather continue to do business with Addison Avenue online than change to a local bank. So it's important that we offer secure online and mobile access.
Sounds simple, right? But finding the right mix of security and convenience can be a bit tricky.
The convenience of our online banking is a big draw for our "remote" members. They appreciate having access to their money from any computer, 24 hours a day, every day. Our goal is for all of our members to feel that banking with us online is not only convenient but absolutely safe, just as safe as doing their banking at a branch.
Behind the scenes, of course, is an infrastructure designed to keep our members' money and confidential information as safe as it can be. Specialized hardware, software, and a dedicated staff of information security specialists are hard at work to keep information in and intruders out.
But the truth is that there are some things that are out of our control. Identity theft is continually on the rise, and fraudsters are becoming cleverer at pilfering electronic information. Our firewalls may be virtually impenetrable, but members themselves can do things inadvertently to put their money or personal information at risk, like doing their banking on a public computer, or jotting down their
Adding complexity is the fact that some people have a greater tolerance for risk than others. Our default security settings aim for the "sweet spot," where the majority of members feel their information is absolutely secure, and yet they are not annoyed by seemingly endless rounds of passwords and security questions. But everyone's threshold is different -- some may prefer security that is less strict, while some feel the need for added protection. So how can we minimize risk without becoming intrusive?
Our answer to this problem can be summed up in one word: choices. The fact is that if you let someone choose what they're going to do, even if the choices are limited, they will feel more in control of their situation and less inconvenienced or forced.
So, at every step of the way, we strive to provide choices for our members, within a multi-pronged approach to information security.
Education. We are committed to educating our members on Internet safety. Our website has plenty of information on best practices when conducting online transactions, and we host presentations at our sponsor company sites on identity theft and other security related issues. When you log into Online Banking, you are automatically given suggestions to strengthen your security settings. The goal is to raise our members' awareness, and then give them choices to implement whatever level of security setting they decide is appropriate for their situation and comfort level.
Fraud detection software. We have specialized fraud detection software to protect our members from unauthorized login to their account. The program analyzes a member's behavior -- the location where they normally log in, the computer they use, the time of day, the kinds of transactions they do -- to construct a behavioral pattern for that person. If their transactions fit the pattern, we don't intrude. But if we detect some change in that behavior -- for example, an unusually large withdrawal request or logging in from a different city or country -- we ask them to provide extra proof of their identity.
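The step-up logic described above, as an added example that is not the credit union's fraud-detection product: a per-member baseline (usual cities, devices, hours and transaction amounts) is compared against each new login or transaction, and extra proof of identity is requested only when the deviation passes a threshold. The profile fields, weights, threshold and the sample member data are assumptions constructed for the illustration.

```python
"""Behavioral step-up authentication (illustrative, not vendor code).

Assumed design: each baseline mismatch adds a weighted amount to a risk
score; a score at or above STEP_UP_THRESHOLD triggers extra identity
proof, anything lower is allowed without interrupting the member.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass
class MemberProfile:
    """Baseline built from a member's past sessions (constructed sample data)."""
    usual_cities: set
    usual_devices: set
    usual_hours: set      # hours of day (0-23) seen in past logins
    past_amounts: list    # past withdrawal / transfer amounts


@dataclass
class Event:
    """One login or transaction request to be scored."""
    city: str
    device_id: str
    when: datetime
    amount: float = 0.0   # 0 for a plain login


# Assumed weights: a new city or an unusual amount alone is enough to step up,
# matching the two triggers the article names; a new device or odd hour is not.
WEIGHTS = {"city": 50, "device": 30, "hour": 10, "amount": 50}
STEP_UP_THRESHOLD = 50


def risk_score(profile: MemberProfile, event: Event) -> tuple[int, list[str]]:
    """Return (score, reasons); each reason names one deviation from the baseline."""
    score, reasons = 0, []
    if event.city not in profile.usual_cities:
        score += WEIGHTS["city"]
        reasons.append(f"new location: {event.city}")
    if event.device_id not in profile.usual_devices:
        score += WEIGHTS["device"]
        reasons.append(f"new device: {event.device_id}")
    if event.when.hour not in profile.usual_hours:
        score += WEIGHTS["hour"]
        reasons.append(f"unusual hour: {event.when.hour:02d}:00")
    if event.amount > 0 and profile.past_amounts:
        mu, sigma = mean(profile.past_amounts), pstdev(profile.past_amounts)
        # Flag amounts more than three standard deviations above the member's
        # norm; the floor keeps a member with near-constant amounts from being
        # flagged on every small change.
        if event.amount > mu + 3 * max(sigma, 0.1 * mu):
            score += WEIGHTS["amount"]
            reasons.append(f"unusual amount: {event.amount:.2f}")
    return score, reasons


def decide(profile: MemberProfile, event: Event) -> tuple[str, int, list[str]]:
    """Map a score to the action the article describes: allow or ask for more proof."""
    score, reasons = risk_score(profile, event)
    action = "step_up" if score >= STEP_UP_THRESHOLD else "allow"
    return action, score, reasons


def demo() -> dict:
    """Run three constructed events against one constructed member profile."""
    profile = MemberProfile(
        usual_cities={"Palo Alto", "San Jose"},
        usual_devices={"dev-a1"},
        usual_hours=set(range(7, 23)),
        past_amounts=[120.0, 80.0, 200.0, 150.0, 95.0],
    )
    t = datetime(2010, 10, 5, 9, 30)
    return {
        "routine": decide(profile, Event("Palo Alto", "dev-a1", t, 150.0)),
        "new_city": decide(profile, Event("London", "dev-a1", t)),
        "large_withdrawal": decide(profile, Event("Palo Alto", "dev-a1", t, 5000.0)),
    }


if __name__ == "__main__":
    for name, (action, score, reasons) in demo().items():
        print(f"{name:17s} -> {action:8s} score={score:3d} {reasons}")
```

The routine event scores 0 and passes silently; a login from an unfamiliar city, or an amount far above the member's history, each crosses the threshold on its own and triggers the extra identity check.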
Multiple levels of security. Email is the default security notification -- all members are emailed automatically if there's been a request to reset a password, change security settings or perform a wire transfer. In addition, we offer authentication by phone, text message or Security Key; some people will gladly perform this extra step at every login for added reassurance.
Our Security Key is the option that offers the most security for the least inconvenience. With phone or text authentication, members who travel may not be in an area where they can receive a one-time password over their mobile device. The security token is a self-contained system that is not subject to a carrier's coverage area, and generates your one-time password wherever, whenever you need it. And because the key is separate from your computer, a virus on the computer cannot read the secret inside it. The key does not, however, protect a code that a member is tricked into typing into a fraudulent website, which is one more reason member education matters.
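How a stand-alone token can produce a verifiable one-time password with no network at all, as an added example that is not the vendor code behind the credit union's Security Key: the article does not say which algorithm its key uses, so the event-based HOTP scheme of RFC 4226 (an HMAC over a shared counter) is an assumption. The server side also shows the resynchronization window a practitioner needs, because a member who presses the button without logging in advances the token's counter while the server's stays put. The secret is the RFC 4226 test vector, not a real device secret.

```python
"""Event-based one-time passwords (HOTP, RFC 4226) with a server resync window.

Illustrative code, not the Security Key's firmware. Assumed: a six-digit
HMAC-SHA1 code, a per-device secret shared with the server, and a server
look-ahead of ten counter values.
"""
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"). A real token
# would hold a random per-device secret provisioned before the key is issued.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C): dynamic-truncate HMAC-SHA1(K, C) to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Token:
    """The hardware device: a secret plus a counter that only moves forward."""

    def __init__(self, secret: bytes, counter: int = 0):
        self.secret, self.counter = secret, counter

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class TokenRecord:
    """Server-side state for one member's token."""

    def __init__(self, secret: bytes, counter: int = 0, look_ahead: int = 10):
        self.secret, self.counter, self.look_ahead = secret, counter, look_ahead

    def verify(self, submitted: str) -> bool:
        """Accept a code for counter..counter+look_ahead, then move past it.

        The window absorbs presses the server never saw; advancing the counter
        past the matched value means the same code can never be replayed.
        """
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1
                return True
        return False


def demo() -> dict:
    """Walk one token and its server record through the interesting cases."""
    tok, srv = Token(TEST_SECRET), TokenRecord(TEST_SECRET)
    results = {}
    first = tok.press()                                   # counter 0
    results["first_accepted"] = srv.verify(first)         # server moves to 1
    results["replay_rejected"] = srv.verify(first)        # same code again
    for _ in range(3):                                    # counters 1..3 pressed
        tok.press()                                       # without logging in
    results["skipped_presses_ok"] = srv.verify(tok.press())   # counter 4, in window
    for _ in range(11):                                   # counters 5..15 wasted
        tok.press()
    results["beyond_window_rejected"] = srv.verify(tok.press())  # counter 16
    return results


if __name__ == "__main__":
    print("HOTP(test secret, 0..2):", [hotp(TEST_SECRET, c) for c in range(3)])
    for name, ok in demo().items():
        print(f"{name:24s} {ok}")
```

Once the token falls more than the look-ahead window out of step, the member has to resynchronize it (typically by entering two consecutive codes), which is the one operational cost of a device that never talks to the network.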
We calculate the success of our security programs by tracking the rate of adoption and surveying members for their reactions. We hope that members will perceive additional security choices like going through airport security, knowing that the scanning and checks are intended to protect them, not inconvenience them.
Another key measure of success is a reduction in fraud. We are already seeing a tangible drop in suspicious online activity, and to date we have not incurred any loss of funds through fraud. Still, we are constantly researching new ways to continue to provide the most convenient and secure online banking services for our members.
|SECURITY 7 AWARDS|
Title: Chief Information Officer
Company: Addison Avenue Federal Credit Union
INFORMATION SECURITY MAGAZINE'S 6TH ANNUAL SECURITY 7 AWARDS
Online banking security is a balancing act: Online banking security requires providing users with choices in order to minimize risk without becoming intrusive.
This was first published in October 2010