By Marcia Savage, Site Editor | SearchFinancialSecurity.com
The recent surge in online banking fraud and unauthorized Automated Clearing House (ACH) transfers has led to an astounding $100 million in attempted losses from small and midsize businesses so far this year, according to the FBI.
SearchFinancialSecurity.com recently met with Avivah Litan, a vice president and distinguished analyst at Gartner Inc., to get her thoughts on the alarming trend and some insight into how banks can protect their customers' accounts. Litan is an expert in financial fraud, authentication, identity theft, and fraud detection and prevention technology.
What's most alarming about the attacks on online banking and how are banks responding?
First, it's very real. There's not a single bank I've talked to in the last few months that hasn't seen this fraud. You read about it in the news but when hearing about it from the banks, I realize how pervasive it is. The second thing is the banks that don't have solutions in place are really caught off guard. You can't just whip solutions into place. So they're really kind of stuck doing manual reviews on almost all their wire transfers, if they're a small institution. Obviously, large institutions can't review all their wire transfers manually, and they generally have some solutions in place. It's more the small and midsize banks that are caught off guard. Some of the big banks are caught off guard too, but it's easier for them to change the system to automate the fraud detection and whittle down the number of manual reviews they do. It's not like a crisis in terms of those crooks are going to raid bank accounts and the banks can't do anything. Once banks get hit by this, they do take measures -- some are manual, some are automated.
What this [fraud surge] shows is that there is no end to criminal ingenuity. They are definitely beating common security controls, like one-time password tokens. …
Another thing that these attacks have taught us is anything going through the browser is suspect. You can't rely on anything coming through a user's browser, whether it's a login credential, strong authentication, or transaction values -- everything can be altered and intercepted.