Two-Factor Authentication for Bank Wire Transfers
In the case of large-scale retail data breaches, class action lawsuits have been brought against the corporations with claims that they did not implement strong enough security standards to keep consumer data safe.
In the banking industry, by contrast, the courts have so far ruled in favor of the banks every time such a lawsuit has been brought, despite the security shortcomings involved. It would appear that the standards required of the retail industry (PCI DSS) carry more weight than those required of the banking and financial industry (FFIEC).
The difference is that small businesses covered by the online banking security guidelines simply aren’t protected the way consumers are: they must take responsibility for ensuring that their third-party vendors provide security, or at least offer it as an option.
One example is the case of an escrow firm that sued its bank over the lack of two-factor authentication on high-dollar transactions, after hackers stole online banking credentials and used them to make a single wire transfer of $440k to a bank account in the European island country of Cyprus, as KrebsonSecurity.com reports.
Dual Control vs. Two-Factor Authentication
The bank offered ‘dual control’ authentication, which was really just one factor used twice: a customer needed one username and password to approve a wire transfer from the account, and a second username/password pair to release the same transfer.
But that’s not two-factor authentication, which combines two different factors, typically delivered over different channels: for example, a username/password for primary authentication and a smartphone or hardware device for secondary authentication.
The lawsuit the escrow firm brought against the bank claimed that the bank didn’t offer adequate security as required by the FFIEC guidelines for online banking, outlined in its 2011 supplement to its 2005 guidance on online banking authentication, Supplement to Authentication in an Internet Banking Environment (PDF).
The FFIEC also states that single-factor authentication is not adequate for certain banking activity, including sensitive communications, high-dollar transactions and privileged user access (i.e., by network administrators).
They also recommend other security controls for online banking, including:
- Fraud detection and monitoring systems
- Out-of-band verification for transactions
- Policies and practices for addressing compromised customer devices
- Account activity controls, such as transaction value thresholds, number of transactions per day, etc.
According to the supplement:
Out-of-band authentication means that a transaction that is initiated via one delivery channel (e.g., Internet) must be re-authenticated or verified via an independent delivery channel (e.g., telephone) in order for the transaction to be completed. Out-of-band authentication is becoming more popular given that customer PCs are increasingly vulnerable to malware attacks.
Duo Security offers out-of-band authentication via Duo Mobile, the free mobile app that works with your accounts to push notifications to your phone when you log in. After completing primary authentication, you’ll receive a prompt on your phone to approve or deny the secondary authentication request.
Challenge Questions? Still Not Two-Factor
Another case of weak online banking authentication involved a construction company, Patco Construction, which sued its bank, Ocean Bank, after a series of wire transfers drained over half a million dollars from the company’s bank account. According to Krebs, hackers used the Zeus trojan to steal the company’s credentials and make the transfers.
Ocean Bank’s service provider processed the bank’s transfers and had its own authentication process in place, requiring a company ID, username and password, plus answers to three challenge questions if the transaction was considered ‘high risk,’ according to KrebsonSecurity.com. However, primary authentication (username/password) plus challenge questions still doesn’t add up to two-factor authentication: both are knowledge factors, and the same credential-stealing malware can capture both.
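The distinction running through both cases (the ‘dual control’ scheme above, the FFIEC’s recommended transaction controls, and the challenge-question scheme here) is easiest to see as a policy check: count the distinct factor *categories* a transaction was authenticated with, not the number of prompts the user answered. The following Python is an added example written for this post, not code from Duo, the FFIEC or either bank; the credential-to-factor mapping, the $10,000 high-value threshold and the daily transfer limit are assumed values chosen for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three recognised authentication factor categories."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Credential types mapped to the factor category they really belong to.
# Passwords, company IDs and challenge questions are all knowledge factors,
# which is why 'password twice' and 'password + challenge questions' both
# remain single-factor. (Assumed mapping for this example.)
CREDENTIAL_FACTOR = {
    "company_id": Factor.KNOWLEDGE,
    "password": Factor.KNOWLEDGE,
    "challenge_questions": Factor.KNOWLEDGE,
    "push_approval": Factor.POSSESSION,
    "hardware_token_otp": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}


@dataclass(frozen=True)
class Credential:
    kind: str      # key of CREDENTIAL_FACTOR; unknown kinds raise KeyError below
    channel: str   # delivery channel it was presented over, e.g. "web", "mobile"


@dataclass
class WireTransfer:
    amount_usd: int
    initiating_channel: str
    credentials: tuple


# Assumed policy values for this example; a real bank sets its own.
HIGH_VALUE_THRESHOLD_USD = 10_000
MAX_TRANSFERS_PER_DAY = 5


def distinct_factors(credentials):
    """Return the set of factor categories represented, ignoring repeats."""
    return {CREDENTIAL_FACTOR[c.kind] for c in credentials}


def is_two_factor(credentials):
    """True only if at least two *different* factor categories are present."""
    return len(distinct_factors(credentials)) >= 2


def has_out_of_band(transfer):
    """True if some credential arrived over a channel other than the one
    the transaction was initiated on (the FFIEC's out-of-band verification)."""
    return any(c.channel != transfer.initiating_channel for c in transfer.credentials)


def evaluate(transfer, transfers_today=0):
    """Apply the transaction-level policy; return (approved, reasons)."""
    reasons = []
    factors = distinct_factors(transfer.credentials)
    if not is_two_factor(transfer.credentials):
        names = ", ".join(sorted(f.value for f in factors)) or "none"
        reasons.append("single-factor authentication (categories used: %s)" % names)
    if transfer.amount_usd >= HIGH_VALUE_THRESHOLD_USD and not has_out_of_band(transfer):
        reasons.append("high-value transfer was not verified over an independent channel")
    if transfers_today >= MAX_TRANSFERS_PER_DAY:
        reasons.append("daily transfer count limit reached")
    return (not reasons, reasons)


# Constructed scenarios mirroring the post's two cases and the recommended fix.
def dual_control_case():
    # Two username/password pairs on the same web session: one factor, used twice.
    return WireTransfer(440_000, "web",
                        (Credential("password", "web"), Credential("password", "web")))


def challenge_question_case():
    # Company ID + password + three challenge answers: still all knowledge factors.
    return WireTransfer(50_000, "web",
                        (Credential("company_id", "web"), Credential("password", "web"),
                         Credential("challenge_questions", "web")))


def out_of_band_case():
    # Password on the web plus a push approval on the phone: two factors, two channels.
    return WireTransfer(440_000, "web",
                        (Credential("password", "web"), Credential("push_approval", "mobile")))


if __name__ == "__main__":
    for name, case in [("dual control", dual_control_case()),
                       ("challenge questions", challenge_question_case()),
                       ("out-of-band push", out_of_band_case())]:
        approved, reasons = evaluate(case)
        print("%-20s approved=%s %s" % (name, approved, reasons))
```

Running the block approves only the out-of-band scenario; the other two are rejected as single-factor, and the $440k dual-control transfer is additionally flagged because nothing about it was verified over an independent channel. The daily count limit shows how the FFIEC’s “account activity controls” fit alongside authentication rather than replacing it.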
A two-factor authentication solution that can be applied at the transaction level offers more granular security and control over your bank accounts. Find out more about two-factor authentication in the banking and financial industry in:
The Current State of Online and Mobile Banking Security
Facing Modern Information Security Challenges in Banking & Finance
ATM Admin Panels Hacked to Allow Unlimited Withdrawals, Warns FFIEC