Financial Service Technology America: The Magazine, Issue 3
Taking a proactive, layered approach to online security

RSA Security | www.rsa.com


United States regulatory agencies have issued a call-to-action for financial institutions to improve their online security measures to protect their customers from the growing risk of online fraud, with the Federal Financial Institutions Examination Council (FFIEC) specifically asking banks to consider implementing stronger, two-factor authentication by the end of 2006. Online fraud is not a new issue. Many banks in the UK and Europe have long offered multi-factor authentication options for their customers.

In the US, Zions Bank has taken a leadership role in the industry. The team at Zions Bank began their search for additional online security measures even before the FFIEC Guidance was issued in October 2005. The main business drivers that the team identified were the ever-evolving, increasingly sophisticated online threats, increased phishing attacks across the industry and the feeling that in the current environment protecting your customers is ‘just the right thing to do’.

Following an extensive evaluation and internal risk assessment, Zions decided to take a proactive approach to security; however, the team realized that no single technology or application would be sufficient to meet the bank’s and its customers’ needs and preferences. They therefore decided on a three-pronged approach:

  • Anti-phishing service to detect and shut down phishing attacks.
  • Site-to-user authentication to boost customer confidence.
  • Behind-the-scenes risk-based authentication to detect and block fraud.

Zions’ online security strategy is supported by the technology and services of RSA, the security division of EMC. Also an advocate for a layered approach to remote channel security, RSA provided Zions with a 24/7 anti-phishing service (RSA FraudAction) and RSA Adaptive Authentication – a multi-factor, multi-level authentication platform. Zions also joined the RSA eFraudNetwork community, a global network geared towards fighting online financial fraud. With membership comprising thousands of financial institutions worldwide, the eFraudNetwork collates some of the best, most up-to-date intelligence from across the globe in real time, giving financial institutions instantaneous information and immediate protection.

Usability and a positive user experience were of paramount importance. Beyond providing solid, multi-tiered security, Zions demanded that the protection implemented have no adverse impact on their customers’ online experience. Taking the notion of security and the user experience a step further, Zions required solutions that would actually have a positive impact on a customer’s confidence in banking online and satisfaction with the institution. These requirements came with the budget limitations common to an IT organization serving multiple internal and external constituencies.

According to Lee Carter, President of Online Banking: “Zions Bank is known for taking care of our customers in every way; that includes doing everything we can to secure their personal information and funds. As an early adopter of proven and sophisticated anti-fraud and multi-factor authentication solutions we are sending fraudsters a clear message – you won’t have any luck here, you might as well look elsewhere.”

The solutions

As an immediate measure, Zions deployed the RSA FraudAction anti-phishing service. Today, with thousands of phishing attacks every month, targeting hundreds of global financial brands, it is important for financial institutions to protect themselves and their customers first and foremost against phishing, while preparing in advance and putting additional measures in place to combat more sophisticated attacks as well. The single most effective way for an organization to reduce the impact of phishing and protect its brand, customers and assets is to shut down fraudulent websites. Although additional protection mechanisms certainly exist and should be leveraged, disabling a phishing site simply stops the attack. This ensures that the fewest consumers are actually defrauded after landing on the spoofed site. With FraudAction, Zions is protected by the RSA Anti-Fraud Command Center working round the clock to detect and shut down phishing attacks on its behalf. This effective approach provides Zions and its customers with immediate protection against phishing, with minimal investment of Zions’ time and resources.

In parallel to the anti-phishing service, Zions launched a new service called SecurEntry. Based on RSA Adaptive Authentication technology, SecurEntry combines visible site-to-user authentication with behind-the-scenes risk-based authentication. Using the customer’s own computer as a transparent second factor of authentication, the system establishes a positive identification based on device and network forensics, behavioral analysis and other parameters. It then quickly and transparently scores transactions according to the perceived level of risk and automatically adds further security measures where needed, all with minimal impact on the online banking customer.

In addition, SecurEntry delivers site-to-user authentication with a shared secret image and text phrase to allow Zions to authenticate itself to the online banking customer in order to protect against phishing, pharming and other spoofing attacks and instill confidence in the channel.

Signing up for SecurEntry is a simple process: Zions customers select an image and choose a phrase that will be presented to them from now on when logging in to online banking. The system then prompts users to answer several secret questions – a subset of which will be presented to the user when logging in from an unrecognized device (users can register more than one computer to the service). From the point of enrollment consumers will experience a user-friendly log-on process, first providing their user name and then entering their password after recognizing their personal image and phrase.
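The login and scoring flow described in the three paragraphs above, as an added example that is not Zions’ or RSA’s code: the customer gives a username first; a recognized device is shown the enrolled image and phrase straight away, an unrecognized device must first answer a random subset of the enrolled secret questions (and is then registered); the password is entered only after the image and phrase are recognized; and each transaction is scored from device, network, amount and shared-intelligence signals to decide whether it is allowed, stepped up or blocked. The user records, signal weights, thresholds, device-identifier scheme and function names are all constructed assumptions for illustration, not the product’s real parameters.

```python
"""Toy model of a SecurEntry-style layered login (added example; all names,
weights, thresholds and sample data are constructed assumptions)."""
import hashlib
import hmac
import random
from dataclasses import dataclass, field

CHALLENGE_SIZE = 2        # how many enrolled secret questions to ask (assumption)
STEP_UP_THRESHOLD = 50    # risk score at which a transaction needs extra verification
BLOCK_THRESHOLD = 90      # risk score at which a transaction is refused


def hash_secret(value: str, salt: str) -> str:
    """Slow salted hash so stored passwords and answers are not recoverable."""
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt.encode(), 100_000).hex()


def normalize_answer(answer: str) -> str:
    """Secret answers are compared case- and whitespace-insensitively; passwords are not."""
    return answer.strip().lower()


@dataclass
class User:
    username: str
    salt: str
    password_hash: str
    image: str                  # shared-secret image chosen at enrollment
    phrase: str                 # shared-secret text phrase chosen at enrollment
    secret_answers: dict        # question -> hashed normalized answer
    home_country: str
    known_devices: set = field(default_factory=set)


def device_id(device_token: str, user_agent: str) -> str:
    """Identifier for the customer's computer: a stored token plus browser details."""
    return hashlib.sha256(f"{device_token}|{user_agent}".encode()).hexdigest()


def enroll(username, password, image, phrase, answers, home_country, device) -> User:
    """Enrollment: pick image and phrase, set secret questions, register first device."""
    salt = hashlib.sha256(username.encode()).hexdigest()[:16]  # deterministic for the example
    hashed = {q: hash_secret(normalize_answer(a), salt) for q, a in answers.items()}
    return User(username, salt, hash_secret(password, salt), image, phrase,
                hashed, home_country, {device})


def begin_login(user: User, device: str) -> dict:
    """Step 1 (username only): recognized device -> image and phrase;
    unrecognized device -> a random subset of the enrolled secret questions."""
    if device in user.known_devices:
        return {"step": "password", "image": user.image, "phrase": user.phrase}
    return {"step": "challenge",
            "questions": random.sample(sorted(user.secret_answers), CHALLENGE_SIZE)}


def answer_challenge(user: User, device: str, questions: list, answers: list):
    """Step 1b: verify the asked subset; on success register the device and
    show the image and phrase. Returns None when any answer is wrong."""
    if len(questions) != CHALLENGE_SIZE or len(answers) != len(questions):
        return None
    ok = True
    for q, a in zip(questions, answers):   # check every answer, no early exit
        expected = user.secret_answers.get(q, "")
        ok &= hmac.compare_digest(expected, hash_secret(normalize_answer(a), user.salt))
    if not ok:
        return None
    user.known_devices.add(device)
    return {"step": "password", "image": user.image, "phrase": user.phrase}


def finish_login(user: User, password: str) -> bool:
    """Step 2: the password is typed only after the customer recognizes image and phrase."""
    return hmac.compare_digest(user.password_hash, hash_secret(password, user.salt))


def risk_score(user: User, device: str, ip_country: str, amount: float,
               flagged_by_fraud_network: bool) -> int:
    """Behind-the-scenes transaction scoring; the signal weights are constructed."""
    score = 0
    if device not in user.known_devices:
        score += 40                         # device forensics: unknown computer
    if ip_country != user.home_country:
        score += 30                         # network forensics: unusual origin
    if amount > 1000:
        score += 20                         # behavioural: unusually large transfer
    if flagged_by_fraud_network:
        score += 50                         # shared intelligence (eFraudNetwork-style)
    return score


def transaction_decision(score: int) -> str:
    """Map the risk score to allow / step_up (extra verification) / block."""
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"
```

The enrolled image and phrase are only released after the customer’s device has been recognized (or the challenge answered), so a spoofed site that relays just a username cannot obtain them; and the risk score is computed against the same device record the login flow maintains, which is what lets the scoring stay invisible to a customer on a known computer.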

Deployment strategy

Deploying a security solution to masses of consumers, especially one that changes the way they are used to banking, is not to be taken lightly. Any number of issues could arise that could potentially bring negative results such as a surge in customer service calls or even customer abandonment. It is crucial for one to consider and test the usability of the system and plan for any potential pitfalls in advance. Zions worked together with RSA to develop and deploy a planned and gradual rollout of the new SecurEntry service, which ultimately resulted in a very positive launch for both the bank and its customers.

The first step in the SecurEntry rollout was an internal beta test of the technology. Then the bank conducted a pilot with 30 employees who were selected to try out the new system and provide feedback. The bank’s team purposely selected individuals who explored all features of the new service and played around with it in order to detect any potential issues in the system. Once the pilot was deemed successful and certain last tweaks were implemented, Zions launched SecurEntry to its entire customer base.

The general launch was accompanied by an online marketing campaign, including promotion of the service on the bank’s homepage, a tutorial about the new service and a detailed demo of the user experience, as well as e-mails to customers and advertising on the radio.

Furthermore, to allow consumers to familiarize themselves with the idea of a new login process, Zions launched the service to everyone, but provided users with a 75-day voluntary enrollment period. On the 75th day after the general launch SecurEntry became the standard login process for Zions’ online banking application.

Positive results

To date, all of the phishing attacks handled by the RSA Anti-Fraud Command Center (AFCC) on behalf of Zions Bank have been shut down in less than 4.5 hours on average, compared to the industry average shutdown time of 115 hours. According to the AFCC, Zions is not a primary target of phishing, most likely due to the fact that it is not one of the more ‘attractive’ targets.

The initial results of SecurEntry have been extremely positive. While the bank provided its users with a 75-day voluntary enrollment period, after 35 days 70 percent of the bank’s online users had already signed up for the service, and on day 75 an amazing 83 percent had enrolled. In addition, there was only a very reasonable increase in the number of calls to the bank’s call center as a result of the new service. The bank continues to monitor the results.

While preliminary customer feedback has been very positive, it is a bit early to collect substantial data regarding a boost in customer confidence or an increase in online usage as a result of the SecurEntry service. However, a recent survey of 5000 consumers conducted by Gartner at a top-10 US bank using the same RSA technology revealed that most of the bank’s online banking consumers found the system to be convenient to use and reassuring to their sense of security. In addition, more than 67 percent of consumers in the survey stated that security features are either somewhat or extremely important in their decision to conduct more business online with their bank.

Advancement in the capabilities of Internet banking has been one of the most notable developments in the financial industry over the past decade. And despite the threats, accountholders continue to adopt online banking – expecting new enhancements to security and functionality. With the advent of mature security solutions and by applying sound judgment, Zions Bank has set a great example of how financial institutions can bring themselves into step with the FFIEC’s guidance – and their customers’ wishes – without complicating the user experience, ‘breaking the bank’ or waking up behind the ‘security eight ball’ tomorrow.
