Best practices for online banking security

There are two common misconceptions about online banking security which are holding financial institutions back from offering their customers the best services possible.

Hilding Arrehed, Director Worldwide Professional Services at ActivIdentit provides suggestions on how to use advanced security technologies of today to build an online banking system that offers strong security, whilst maintaining high convenience and access to as many services as you want to make available:

• At the time of log in, let customers choose which authentication method to use based on what they intend to use the service for.
• Give customers the option to configure their own security levels.
• Let customers decide which type of device to connect from.
• Integrate the online banking system and its security with your other operations to give customers a consistent sense of your approach to security.
• Let customers use the same security credential as they use for online banking when they access other bank services.
• Give customers good support the way they want it. Through FAQ on the website, online chat, telephone, email, face to face or by letter.

One typical misconception in online banking is that security begins and ends with securely authenticating account access.

Based on his experience with successful online banks, Arrehed says banks have done just that and he shares a few recommendations they gave:

Make it as easy as possible. Only ask for transaction signing when money is transferred to accounts other than the customers’ own accounts and allow transactions to be batched.

Use a secure but risk-appropriate technology to carry out the transaction signing. Smart cards, tokens, soft tokens and SMS text messages are all good ways to provide electronic transaction signing.

Make sure that it is clear to the user what is being electronically signed. This is to prevent the risk of man-in-the-middle attacks which is particularly important now given the recent attacks on trusted Certificate Authority providers and hacks of the session security protocol mechanisms (SSL/TLS) used by our web browsers.

Store the transaction data including the customer’s electronic signature in a secure tamper-evident audit database for archiving purposes. It can be very useful to be able to prove that a money transfer was correctly carried out and approved many years after it happened.

Arrehed concludes: “Every bank obviously has its own advantages, challenges and security needs. Your security solution, including authentication and money transfer approval mechanisms, therefore needs to be specifically defined to meet those needs.”