Added controls reduce 'fraudian' slip

To better manage the risk of identity fraud, banks should not focus solely on authentication, says security strategist.

SINGAPORE--Banks need to look beyond two-factor authentication and implement other levels of controls in order to successfully tackle fraud, according to the group security strategist at National Australia Bank.

Speaking Tuesday at the Secure IT 2006 conference here, James Cerantonio noted that identity theft is a growing threat. Citing recent comments from Thomas Harkins, former operations director of Mastercard's fraud division, Cerantonio said that ID theft is "poised to increase by a factor of 20" over the next two years. The financial services segment, in particular, is a heavily targeted sector for financially motivated attacks.

But authentication, whether session-based or transaction-based, is a limited mode of protection. Cerantonio said: "The weakest link [in fraud management] is in the definition of the 'problem'. The problem is not authentication; it is the authorization of the transaction."

In addition to authenticating user identity, he noted that banks need to put in place tools to secure the Internet infrastructure and identify unusual network behavior.

A proper fraud management system, therefore, should encompass authentication as a component of front-end controls, as well as additional tools such as virus scanning and anti-spyware, he said.

Controls also need to be implemented at the bank's online infrastructure and back-end systems. To protect the Internet infrastructure, banks can engage in IP (Internet Protocol) monitoring and intrusion mechanisms such as intrusion prevention and intrusion detection. Back-end controls include tools to detect transaction anomalies.

To better detect fraud, Cerantonio urged financial institutions to gather intelligence at all levels and "correlate data from multiple channels and sources". He added that they then need to use the data or risk losing out financially.