Mike Byrnes

Layered Security for Mobile Banking

Tuesday, May 8th, 2012 | Mike Byrnes

American Banker published a great article last week covering some of JPMorgan’s security strategies for mobile banking. Lloyd O’Conner explained the importance of layering multiple security technologies to protect their clients — as well as their own company — from the growing cyberthreats that not only target the online channel but are zeroing in on the mobile channel as well.

O’Conner discusses some critical layers, including:

1. Authenticating to the device: advanced measures (including biometrics) beyond simple PIN protection
2. Authenticating the mobile device to the banking application: leveraging device certificates and device registration
3. Authenticating the user to the application and encrypting the communication channel

While I agree 100 percent with JPMorgan — after all, they are demonstrating clear innovation and leadership in mobile banking here — I think there is another layer that needs to be called out as well.

While varied identity authentication layers are critical, some forms of advanced fraud attacks (e.g., man-in-the-browser) have proven to defeat a broad range of authentication approaches. Adding real-time fraud detection to flush out behavior anomalies is a critical layer to help detect MITB and, fortunately, is totally transparent to the mobile user.

By deploying a layered security framework, FIs can help defeat advanced MITB malware attacks. This approach not only provides world-class fraud prevention, but also helps enhance the end-user experience.

Potential Breach Affecting VISA, MasterCard — EMV Won’t be Here Soon Enough

Friday, March 30th, 2012 | Mike Byrnes

Brian Krebs scooped a major story yesterday about a potential major credit card breach at a U.S.-based payment processor affecting both VISA and MasterCard.

The news made headlines across top media outlets for good reason: this is NOT the first major credit card breach. 2011 saw a raft of breaches including Epsilon and Sony, not to mention the “out-of-control” card-skimming fraud that is going on throughout the USA, prompting FBI involvement.

Not unlike robbing banks, forging checks or conducting online fraud, criminals find the weak link in security systems and put plans in place to exploit them. Unfortunately, the industry has known for decades that magnetic stripe cards offer poor security protection, and with the shift toward using cards for online payments, it’s no wonder we’re reading about new breaches on a weekly basis.

Fortunately, technology exists that helps dramatically improve credit card security — it’s called EMV or chip-based credit cards. EMV allows for an encrypted security key to be contained within the chip on the credit card, thereby making card-skimming or duplication virtually impossible; or at the very least, extremely difficult, impractical and uneconomical for a criminal to execute. As well, implementations support the concept of a user PIN to help prevent card use when a card is physically lost or stolen.

Leveraging Consumerization Concepts to Combat Security Threats

Wednesday, February 15th, 2012 | Mike Byrnes

Let me be clear right up front. Yes, cybersecurity threats are real. Yes, they are growing in volume and in sophistication. And, yes, they are the root of the problem. BUT, one of the underlying frustrations I have with the cyber-threat situation is that, in general, many organizations remain anything but creative and strategic when it comes to implementing effective security measures.

We see both extremes. At one end, we have strong security measures that create nothing but havoc and frustration for end-users. And at the other, we see companies implement incredibly weak security measures because they are so careful not to burden their customers with hindrances to the online experience. The net result is similar — users bear the wrath of the security measure and either the pain of using it, or the pain of not having it effectively protect their identities and online assets.

Delight or Disappoint? FIs Balance Security and Customer-Experience Paradigm.

Tuesday, December 6th, 2011 | Mike Byrnes

As mentioned in my last post, with organized crime groups clearly focused on the mobile channel, financial institutions will increasingly need to roll out strong security. But, they also need to be mindful of the impact that security has on the user experience.

At a recent conference, I had the pleasure of attending a session hosted by a SVP of security at one of the largest banks in the US. He discussed the current state of cybercrime threats and security challenges, but I was encouraged to hear him also devote considerable time to the importance of the customer experience. He then made what I consider to be a profound statement that applies to virtually every company in today’s Internet age: “Delight or disappoint and they will tweet, and they will blog and the social momentum will take off.”

So how does a bank best approach delighting their customers given the opportunities and threats associated with Internet- and mobile-based service offerings? I think it’s safe to say many banks have shied away from tackling the problem until now — mostly employing a “do little approach” to protecting their online and mobile customer base.

A recent article on Bank Information Security’s website discusses a Javelin report, “Banking Identity Safety Scorecard,” which concludes that banks still rely on “old authentication” techniques and have failed to properly vet new mobile applications and services. One of the primary reasons? Banks are sensitive to introducing anything that may add potential customer frustration. Unfortunately, what they fail to realize is that cybercrime is impacting the customer experience and corporate brand. Just take a look at the raft of major breaches this year and you’ll see why.

FS-ISAC Helps Financial Services Fight Cybercrime

Wednesday, November 30th, 2011 | Mike Byrnes

http://www.fsisac.com/

FS-ISAC (Financial Services Information Sharing and Analysis Center) is a highly organized, well-managed, security-focused organization that fosters a growing community of financial institutions and security vendors to collaborate in fighting cybercrime. Entrust is proud to be an ongoing sponsor and the FS-ISAC Fall Summit in Washington D.C. is in full swing.

I had the privilege to participate in a mobile security panel session yesterday and it’s clear, from the spirit of the questions and the conference buzz in general, that securing the mobile channel is top-of-mind for many security professionals. This includes employees accessing corporate networks as well as customers embracing the mobile banking/commerce revolution.

FFIEC 2011 Quick Take: Breaking Down Layered Security

Tuesday, October 25th, 2011 | Mike Byrnes

A short while ago, I had the chance to speak with Ziff Davis on the FFIEC’s 2011 Guidance update for Internet banking (podcast below). It was a great opportunity to not only get the word out, but I really enjoyed the challenge of trying to distill the guidance into 10 minutes or less — not an easy task for a guy with a lot of wind. :)

If you have a chance, take a listen to gain insight into the overarching theme of the new guidance and details on how to start building a layered security defense including “front-door” authentication techniques, in-session anomaly detection and innovative, yet simple-to-use approaches for security controls at transaction execution. As always, Entrust looks forward to serving as your trusted adviser for identity-based security needs and welcomes your input and questions as we collectively work to combat online fraud.

And they’re off — Mobile payments will be an exciting race indeed

Tuesday, September 27th, 2011 | Mike Byrnes

“NFC has no value,” said Keith Rabois, COO of mobile payment firm Square, during a statement at the GigaOM 2011 Mobilize conference Monday in San Francisco.

There’s no doubt NFC is a threat to Square’s business with the likes of Google, ISIS and even Visa shoring up NFC-based mobile wallets. But to come out with such a statement seems a little over the top. NFC is a very promising technology. And while it can be used for mobile payments, there are so many other applications — including user-friendly device pairing; quick and simple on-boarding to public Wi-Fi networks; application-sharing between mobile devices; and a slew of marketing ideas — where consumers can “tap” into a store or entertainment locale and quickly learn of promotions, events or information of interest.

The Google Wallet — One giant step forward for mobile smartphones

Thursday, September 22nd, 2011 | Mike Byrnes

Clearly, most of us enjoy the many conveniences offered by today’s smartphones and associated mobile applications. This week, Google takes things one giant step forward, announcing availability of their highly anticipated Google Wallet, an Android-based application that uses NFC technology to serve as a digital/virtual wallet. In classic “hip” Google style leading up to the announcement, they published a great Seinfeld-based YouTube video featuring George Costanza, clearly demonstrating one of the many value propositions inherent to a mobile wallet.

An appropriate fate — Ocean Bank fined $11 million for poor controls in latest fraud case

Thursday, August 25th, 2011 | Mike Byrnes

As my grade 11 accounting teacher used to say, “It all comes out in the wash!” And he was right. Sooner or later, things have a way of “righting” themselves. When you’re in a tough situation and life doesn’t seem fair, this statement is not always easy to believe. But in my experience, somehow, in due time, fate seems to find a way to resolve matters or shine a light on the truth to bring some form of due justice.

Such is the case of Ocean Bank, a Florida-based financial institution, whose fraud detection measures were so poor in 2009 that it cost one of its customers more than $360,000. Well, Ocean Bank is involved in another fraud investigation. The FDIC teamed up with other crime-control agencies to fine Ocean Bank almost $11 million for AML violations. This time, Ocean Bank is accused of failing to detect suspicious transaction activity within their systems, having “insufficient policies, procedures and systems in place to assess and mitigate the risks.” In addition, Ocean Bank failed to train staff appropriately in fraud detection.

No such thing as a free lunch… particularly when dealing with a security breach.

Monday, July 25th, 2011 | Mike Byrnes

As most of you are well aware, as a remedy to try and help its customers, RSA is offering “free” tokens to replace their compromised devices. Well, they’re really not free tokens; what RSA is willing to do is provide a new token with a limited-time license based on the remaining life span of a customer’s compromised token. Oh, and the IT management costs to disable your old tokens and register your new tokens will have to be covered by you, the customer. And then there’s the logistics cost of distributing tokens to employees and customers (mass mailing will certainly be involved in many cases) along with the call center costs to help users enroll / activate the new tokens. Hopefully that’s the limit of it, but who really knows; maybe a breach has already occurred but has not yet been discovered…. At the end of the day, RSA customers are being given the opportunity to replace an old, compromised technology with an old technology with a limited life span – that doesn’t sound that compelling to me.