Thales Blog

As Fraudsters Target On-line Business Banking, How Can It Be Secured?

June 28, 2010

As if security managers at banks and other financial institutions don’t have enough to worry about, a recent article from Network World points out another threat that must be dealt with—hackers remotely taking control of customers’ computers to make unauthorized funds transfers. This raises a critical issue: securing the front-end of a system is every bit as important as securing the back-end.

Some banks offer complimentary security software to their customers, and consumers in the US also have a government safety blanket—federal regulations require funds to be restored if an unauthorized transfer takes place.

For business banking, however, no such regulations exist and, as the Network World article points out, the restoration of lost funds occurs on a case-by-case basis. This is particularly troublesome because fraudsters have turned their attention toward business banking, drawn by the larger transaction amounts and potentially richer haul.

The data protection principles that apply to consumer banking also apply to businesses (with some differences). In either case, both front-end and back-end security measures are needed. Back-end fraud detection is certainly important, but without technologies to protect the front-end, the system remains vulnerable. This is akin to a homeowner installing a burglar alarm but leaving the front door unlocked and open.

The Network World article highlights “out-of-band” security measures as one possible front-end solution, where for example a mobile phone is used as part of the authentication process for bank account access on the PC. This is just one form of strong authentication that can be used; many banks already use two-factor authentication to control access to their online business banking services. Whatever banks use, they should ensure that their infrastructure can be easily adapted to accommodate other forms of strong authentication should they elect to change their method of protection, or need different methods of protection for different services.

One way in which business banking differs from consumer banking is in the greater frequency, volume and value of payment instructions, which means that transaction security is particularly important.

In the U.K., this problem is solved because all banks use a single infrastructure for business payments. Companies submit payments directly to the Bacs or Faster Payments ACH payment services, protecting them with digital signatures using credentials that are issued by their bank. The signature credentials are securely stored on smartcards or within Hardware Security Modules (HSMs). This protects the transactions, ensures that they cannot be repudiated and prevents cybercriminals from interfering and diverting funds, even if they have successfully installed malware onto the company’s computers.
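As an added illustration of the mechanism just described (this is example code written for this post, not Thales code and not either scheme's real message format), the Go sketch below signs a payment instruction with a bank-issued credential whose private key stays inside a Signer type standing in for the smartcard or HSM, and shows the payment service's verification failing for any instruction altered after signing. The instruction fields and sample values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// PaymentInstruction is a constructed stand-in for a Bacs/Faster Payments submission (assumed fields, not the real format).
type PaymentInstruction struct {
	Originator string `json:"originator"`
	SortCode   string `json:"sort_code"`
	Account    string `json:"account"`
	Pence      int64  `json:"pence"`
	Reference  string `json:"reference"`
}

// canonical is what gets signed; a fixed field order means the signature binds every field.
func (p PaymentInstruction) canonical() []byte {
	b, _ := json.Marshal(p) // deterministic for a struct with fixed field order
	return b
}

// Signer models the bank-issued credential held in a smartcard or HSM: the
// private key never leaves the device, only signatures come out.
type Signer struct{ priv ed25519.PrivateKey }

// NewSigner issues a credential and returns the public key the bank registers for the company.
func NewSigner() (*Signer, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Signer{priv: priv}, pub, nil
}

func (s *Signer) Sign(p PaymentInstruction) []byte { return ed25519.Sign(s.priv, p.canonical()) }

// Verify is the payment service's check against the registered public key.
func Verify(pub ed25519.PublicKey, p PaymentInstruction, sig []byte) bool {
	return ed25519.Verify(pub, p.canonical(), sig)
}

func main() {
	signer, pub, _ := NewSigner()
	p := PaymentInstruction{"Acme Ltd", "12-34-56", "12345678", 250000, "INV-1001"}
	sig := signer.Sign(p)
	diverted := p
	diverted.Account = "87654321" // beneficiary altered after signing
	fmt.Println(Verify(pub, p, sig), Verify(pub, diverted, sig)) // true false
}
```

Because the service checks the signature rather than trusting the submitting host, a compromised PC cannot silently change the beneficiary or amount of an instruction the company has already signed.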

So as business banking continues to be a target for fraudsters, there is a lesson to be learned—the U.S. and other countries that rely on solutions from each individual bank to secure on-line business banking could significantly improve their front-end security by using strong authentication to secure payment instructions, whether through a single shared authentication infrastructure or on an individual basis.