Cyber Payment Fraud: A Layered Security Approach

11.07.2016 by Mike Pokas

When it comes to preventing cyber payment fraud, traditional security controls are proving insufficient, and cyber criminals are becoming more sophisticated. Three decades ago, paper check fraud was our biggest concern. As we have expanded the ways in which we conduct business, with mobile phone banking, wireless fund transfers and the like, we have also expanded our risk to entirely new levels.

Cyber criminals are more organized than ever before. They are also decentralized and operate on a global scale, which makes it even more difficult to chase the money. These better organized criminals can perpetrate more fraud in much less time and be gone before we can track them down.


The velocity of payment fraud has also increased. In an accelerated banking arena, funds are collected and transferred faster than ever, and faster processing has compressed the window available to detect fraud and mitigate risk before the money is gone.

To stand a chance in this fight, banking institutions must adopt a layered approach to securing high-risk online banking systems: no single control stops every attack, so each layer should catch what the previous one missed.

But how does one choose among all of the layered security options? And after selecting controls, what are the elements of an effective layered security strategy that satisfies the applicable guidance and actually enhances security?

Here are five “layers” of security that could help your organization protect itself from cyber payment fraud.

  • Two-Factor User Authentication: Creates a layered authentication method and makes it more difficult for an unauthorized person to reach a target. The user is granted access only after successfully presenting two separate pieces of evidence of identity, typically a combination of something the user knows (password, PIN) and something the user has (a security token). If the password is compromised, the attacker still has one more barrier to breach before gaining access. Note that a one-time code can itself be phished or relayed in real time, so the second factor is strongest when it is bound to the session or, better, to the transaction being approved.
  • Device Authentication: Ensures that only known, registered devices are allowed to connect to a given network, site or service. It should be required of every user device (smartphones, tablets, laptops, etc.) before sensitive data is accessed. A device certificate or hardware-backed key is a much stronger check than a browser or device fingerprint, which an attacker can copy and replay.
  • Transaction Signing: Computes a keyed hash (a message authentication code) over the details of the transaction itself, such as amount, beneficiary and a timestamp or nonce, using a key held only by the user's token or app. The bank recomputes the code over the fields it is about to execute, which verifies both the authenticity and the integrity of the online transaction: malware that changes the beneficiary or amount after the user approves it invalidates the signature. This should be required of all high-risk or sensitive transactions, including large monetary transfers, online account changes, etc.
  • Application Security: With the growth of mobile banking, it is imperative to ensure that the applications used to deliver sensitive information on mobile devices are secure, by architecturally hardening the application and requiring mutual authentication between the app and the bank's servers. This makes online fraud and data theft significantly more complex and costly for attackers.
  • Adaptive Security Platform: A flexible security architecture, and the procedures around it, that protects an organization's information beyond traditional perimeter defenses. The problem with traditional controls is that a firewall or IPS inspects the traffic between devices and tries to spot an attack it has seen before, so a new technique, or a session that looks legitimate because valid credentials were stolen, passes through. An adaptive platform instead monitors behavior continuously (user, device, transaction velocity and pattern) and adjusts the required controls as risk changes, which is what remains effective once an outer layer has already been breached.
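To make the two token-based layers above concrete, here is an added example in Python (it is not code from the original post or from VioPoint) showing the second factor as RFC 4226/6238 HOTP/TOTP and transaction signing as HMAC-SHA256 over the transaction's canonical fields. The OTP secret is the shared RFC test-vector secret; the signing key, account identifiers, amounts and nonce are constructed for illustration, and the assumption that the signing key lives inside the user's token and that the user sees the amount and beneficiary before approving is stated in the comments.

```python
import hashlib
import hmac
import json
import struct

# --- Layer 1: the "what the user has" factor, RFC 4226 HOTP / RFC 6238 TOTP ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the clock (RFC 6238)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock drift.

    hmac.compare_digest keeps the comparison constant-time. A real server must
    also refuse to accept the same code twice for a user (needs per-user state,
    not shown here).
    """
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, c, digits), code)
               for c in range(counter - window, counter + window + 1))


# --- Layer 3: transaction signing, a MAC bound to the transaction's own fields ---

def canonical(tx: dict) -> bytes:
    """Deterministic serialization (sorted keys, no whitespace) so the signer and
    the verifier MAC exactly the same bytes regardless of field order."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(key: bytes, tx: dict) -> str:
    """HMAC-SHA256 over the canonical transaction.

    Assumption: in a deployment the key lives inside the user's token or banking
    app, and the token displays amount and beneficiary before the user approves
    (what you see is what you sign), so malware cannot sign on the user's behalf.
    """
    return hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()


def verify_transaction(key: bytes, tx: dict, signature: str) -> bool:
    """Server side: recompute the MAC over the fields about to be executed.
    Any change to amount, beneficiary or nonce after signing fails this check."""
    return hmac.compare_digest(sign_transaction(key, tx), signature)


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 shared test secret; real secrets are random per user.
    otp_secret = b"12345678901234567890"
    print("TOTP at T=59:", totp(otp_secret, 59))
    print("accepted:", verify_totp(otp_secret, "287082", 59))

    # Constructed sample transaction. The nonce makes each signature single-use,
    # so a captured (transaction, signature) pair cannot be replayed later.
    signing_key = b"per-user-key-provisioned-into-the-token"  # constructed
    tx = {"from": "ACCT-0001", "to": "ACCT-0099", "amount": "250.00",
          "currency": "USD", "nonce": "3f9a1c"}
    sig = sign_transaction(signing_key, tx)
    print("genuine verifies:", verify_transaction(signing_key, tx, sig))

    # Man-in-the-browser style tampering: beneficiary swapped after approval.
    tampered = dict(tx, to="ACCT-6666")
    print("tampered verifies:", verify_transaction(signing_key, tampered, sig))
```

The point of `canonical()` is that the bank must MAC the same bytes the token did; if the server re-serializes with a different key order or whitespace, every genuine signature fails. The nonce (or a timestamp plus a server-side seen-list) is what separates transaction signing from a plain second factor: the code is useless for any transaction other than the one the user approved.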

It is my opinion that this layered approach will deliver the defense-in-depth necessary to ensure banking customers remain secure and safe as they engage in banking from more locations and types of devices than ever before.



About Mike Pokas

Mike Pokas is the Vice President of Consulting and has 28+ years of information technology experience and education spanning a diverse range of technologies and industry verticals. For the past 10 years he has been in the information security sector. He currently holds a number of key industry accreditations including CISSP, CISM and PMP certifications.
