ActivIdentity Blog
Best Practices for Online Banking Security - ActivIdentity Blog
Give them what they want!
Having had the pleasure to work with many banks around the world to help them design and implement security solutions for their online banking systems, my colleagues and I have picked up a few things about what to do to deliver secure yet user friendly solutions.
For starters, as long as it makes customers feel secure and enables them to access more (preferably all) banking services online, it’s OK to sacrifice a little when it comes to the user login experience. Here are a few suggestions on how to use today’s advanced security technologies to build an online banking system that offers strong security while maintaining high convenience and access to as many services as you want to make available:
- At the time of log in, let customers choose which authentication method to use based on what they intend to use the service for.
- Give customers the option to configure their own security levels.
- Let customers decide which type of device to connect from.
- Integrate the online banking system and its security with your other operations to give customers a consistent sense of your approach to security.
- Let customers use the same security credential as they use for online banking when they access other bank services.
- Give customers good support the way they want it: through an FAQ on the website, online chat, telephone, email, face to face or by letter.
And don’t forget transaction security!
One typical misconception in online banking is that security should be all about how to authenticate users to best protect access to the service. That’s not the way I have learnt to look at it. The real risk for online banking customers is that someone steals money from their accounts. It therefore makes a lot of sense to focus more on securing the actual money transfers than just access to the service. Many of the most successful online banks I have worked with have done just that, and here are a few recommendations they gave:
- Make it as easy as possible. Only ask for transaction signing when money is transferred to accounts other than the customers’ own accounts and allow transactions to be batched.
- Use a secure but risk-appropriate technology to carry out the transaction signing. Smart cards, tokens, soft tokens and SMS text messages are all good ways to provide electronic transaction signing.
- Make sure that it is clear to the user what is being electronically signed. This prevents man-in-the-middle attacks, which is particularly important now given the recent attacks on trusted Certificate Authority providers and the hacks of the session security protocol (SSL/TLS) used by our web browsers.
- Store the transaction data including the customer’s electronic signature in a secure tamper-evident audit database for archiving purposes. It can be very useful to be able to prove that a money transfer was correctly carried out and approved many years after it happened.
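The four recommendations above, worked through as an added example (this is not ActivIdentity’s code or a product API): signing is only demanded for transfers that leave the customer’s own accounts, the token signs exactly the human-readable text the customer sees, a changed beneficiary invalidates the signature, and each signed batch is archived in a hash-chained, tamper-evident audit log. The account numbers and the shared token secret are constructed for the demo; the HMAC stands in for whatever a smart card, token or SMS code would compute.

```python
import hashlib
import hmac
import json

OWN_ACCOUNTS = {"SE11-0001", "SE11-0002"}        # constructed: the customer's own accounts
TOKEN_SECRET = b"constructed-demo-token-secret"  # constructed: shared by bank and customer token


def needs_signing(transfers):
    """Risk-appropriate: only require a signature if money leaves the customer's own accounts."""
    return any(t["to"] not in OWN_ACCOUNTS for t in transfers)


def what_you_see(transfers):
    """Canonical, human-readable text shown on the token; this exact text is what gets signed."""
    return "\n".join(f"{t['amount']:.2f} {t['currency']} from {t['from']} to {t['to']}"
                     for t in transfers)


def sign(transfers, secret=TOKEN_SECRET):
    """Customer-side signature over the displayed text (HMAC stands in for the token's algorithm)."""
    return hmac.new(secret, what_you_see(transfers).encode(), hashlib.sha256).hexdigest()


def verify(transfers, signature, secret=TOKEN_SECRET):
    """Bank-side check: the batch actually submitted must match the text the customer approved."""
    return hmac.compare_digest(sign(transfers, secret), signature)


def audit_append(log, transfers, signature):
    """Append a tamper-evident record: each entry's hash commits to the previous entry's hash."""
    prev = log[-1]["hash"] if log else "0" * 64
    entry = {"prev": prev, "data": what_you_see(transfers), "sig": signature}
    entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)
    return entry


def audit_verify(log):
    """Walk the chain; any edited record or broken link is detected."""
    prev = "0" * 64
    for e in log:
        body = {k: e[k] for k in ("prev", "data", "sig")}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if e["prev"] != prev or digest != e["hash"]:
            return False
        prev = e["hash"]
    return True
```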
Every bank obviously has its own advantages, challenges and security needs. Your security solution, including authentication and money transfer approval mechanisms, therefore needs to be specifically defined to meet those needs. At ActivIdentity Professional Services we specialize in advising customers in these kinds of matters, and we have managed to gather quite a lot of experience during the 14 years we have been active in the field.
If you want more detail around the recommendations made in this blog, please read the full Online Banking Best Practice story.