Anti-fraud firm Cyota explains that if the transaction is then
verified, its eSphinx system updates its user profile so as not to
red-flag that particular behaviour at a later date.
Banks risk losing their on-line customers unless they change
consumer perceptions that internet banking is unsafe. A survey by
Forrester Research published last month suggests that only 30% of
European internet users are confident of the security of personal
financial information on-line.
But Cyota recommends against the use of authentication devices
to combat common phishing attacks and new emerging threats –
despite a recommendation in Forrester's report for the immediate
deployment of such hardware.
Devices such as tokens, biometrics and smartcards only
authenticate users at the point of entry, and provide no protection
once fraudsters gain access to an account – which one must assume
they will, says Cyota. Instead, banks and financial institutions
need to take a layered approach to security, including prevention,
strong authentication and fraud management.
At the moment the majority of security providers rely on
usernames and passwords and a request for extra information, such
as your mother's maiden name, before giving access to a secure
site.
However, this type of security system has been shown to be
ineffective and can easily be exploited by a phishing attack –
where an e-mail from an attacker lures a recipient to a web site
that purports to be his bank's site. This security information is
requested and then fed by the attacker into the genuine site of the
victim's bank.
A popular suggestion is to add another layer of
authentication, where the user is asked for something he knows as
well as something he possesses (such as a device that displays a
unique password that changes every minute); or something he is
(using biometrics, such as a fingerprint or iris scan).
But such two-factor authentication systems have been the
subject of recent debate in the industry. Security expert Bruce
Schneier recently wrote that banks will spend millions deploying
two-factor authentication tokens. "Early adopters of this
technology may very well experience a significant drop in fraud for
a while as attackers move to easier targets," said Schneier, "but
in the end there will be a negligible drop in the amount of fraud
and identity theft."
According to Amir Orad, Cyota's executive vice president of
marketing, this type of hardware-based solution tends to be
cumbersome, expensive and difficult to deploy. He added: "they
typically solve yesterday's fraud problems, such as phishing, but
not the emerging threats such as Trojans and man-in-the-middle
attacks."
Cyota's eSphinx solution assesses on-line banking activities
using a customer profile. If its software detects potential fraud
by gross deviations from established on-line banking behaviours –
for example, by logging in from obscure locations or emptying an
account – the system will call the user and ask them to provide
additional authentication. Once the transaction is verified, the
system will learn from the new behaviour and update the customer
profile to avoid triggering similar alerts in the future.
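The profile-based assessment, step-up check and profile update described above, as an added illustration that is not Cyota's code: the profile fields, the deviation thresholds and the out-of-band `verify_with_customer` callback are all assumptions made for the example.

```python
"""Toy risk-based transaction assessment with step-up authentication and
profile learning, modelled on the behaviour the article describes for
eSphinx. Constructed example; thresholds are illustrative assumptions."""
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class Profile:
    known_locations: set = field(default_factory=set)  # where logins normally come from
    past_amounts: list = field(default_factory=list)   # transfer sizes seen so far


def risk_reasons(profile, location, amount, balance):
    """Return the gross deviations from this customer's established behaviour."""
    reasons = []
    if location not in profile.known_locations:
        reasons.append("login from a location never seen for this customer")
    if balance > 0 and amount >= 0.9 * balance:
        reasons.append("transfer would empty the account")
    if profile.past_amounts and amount > 5 * mean(profile.past_amounts):
        reasons.append("amount far above this customer's usual transfers")
    return reasons


def assess(profile, location, amount, balance, verify_with_customer):
    """Decide one transfer. verify_with_customer(reasons) stands in for the
    out-of-band call-back; it returns True if the customer confirms it."""
    reasons = risk_reasons(profile, location, amount, balance)
    if not reasons:
        decision = "allowed"                # invisible to the customer
    elif verify_with_customer(reasons):
        decision = "allowed_after_stepup"   # extra authentication succeeded
    else:
        return "declined", reasons          # nothing is learned from a failed check
    # Verified behaviour becomes part of the profile, so the same pattern
    # does not trigger another alert later.
    profile.known_locations.add(location)
    profile.past_amounts.append(amount)
    return decision, reasons
```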
Cyota claims that the system is a low-cost alternative to
hardware-based strong authentication solutions, and is completely
invisible to 95% of accountholders, allowing banks to improve
security without compromising usability.