The Importance of Transaction Signing to Banks
© 2014 Entersekt
Protecting customer accounts, both consumer and business, is a top priority for financial institutions everywhere, especially in light of the security risks attendant on online and mobile banking. The global nature of today's financial world has also led many banks to offer international banking services to multinational corporations and consumers, which has complicated their ability to provide security. As a result, many financial institutions, and even governments, are turning to transaction signing as a powerful, advanced means of boosting security. Here's what you need to know about this important new approach to keeping banking customers' accounts in safe hands: yours.
2014 Entersekt 1
A new weapon in the fight against online and
mobile banking fraud
For businesses, the increased use of online and mobile payments and banking services is a function of their time-saving convenience, but it comes with added risk. According to the Ponemon Institute's 2012 Business Banking Trust Trends Study, sponsored by Guardian Analytics, 74 percent of companies experienced online fraud in 2012. [1] Credit or debit card fraud and unauthorized access to accounts are the types of digital crime these companies have typically experienced.

[1] 2012 Business Banking Trust Trends Survey (August 2012); Ponemon Institute. http://www.ponemon.org/local/upload/file/2012_Business_Banking_Trust_Trends_FINAL14.pdf
[2] Telcos declare SMS unsafe for bank transactions (November 9, 2012); iTnews.com.au. http://www.itnews.com.au/News/322194,telcos-declare-sms-unsafe-for-bank-transactions.aspx
To help protect their customers, banks are looking past yesterday's approaches and assessing new and stronger alternatives. One such tool is digital transaction signing. Targeting specifically those transactions deemed higher risk, transaction signing verifies the authenticity and integrity of an online transaction by requiring customers to digitally sign major transactions, such as large monetary transfers or online changes to personal customer details.
To confirm an online transaction, the customer enters a dynamic PIN or OTP that is generated when they key information specific to that transaction, such as the beneficiary's account number or the transaction amount, into a device that is uniquely theirs. The device computes the code from a secret it holds and the transaction details; the bank's server independently computes the same value from its own copy of that secret and the transaction details it actually received. If the details were altered in transit, for example by malware in the browser, the two values do not match, the signature is void and the transaction is not approved. The protection depends on the customer checking the details shown on the signing device against what they intended, since the code binds only the data that was entered or displayed there.
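The client-side and server-side computation described above, as an added example written for this page rather than code from Entersekt or from any regulator: the signing device derives an eight-digit code with HMAC-SHA256 over a canonical rendering of payee, amount, currency and a server-issued challenge, truncated HOTP-style; the server recomputes it over the transaction it is about to execute. The secret, the account numbers, the amounts and the use of a per-attempt challenge are assumptions of the example, and the device secret is shown as a plain byte string for readability.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strings"
)

// Transaction carries the fields the customer binds into the signing code.
// Amount is in minor units (cents) so client and server never disagree on
// decimal formatting. Nonce is a server-issued challenge that makes a code
// valid for one attempt only (an assumption of this example).
type Transaction struct {
	Payee    string
	Amount   int64
	Currency string
	Nonce    string
}

// canonical renders the fields in a fixed order and format, so the device and
// the bank's server MAC exactly the same bytes.
func canonical(t Transaction) string {
	return strings.Join([]string{t.Payee, fmt.Sprintf("%d", t.Amount), t.Currency, t.Nonce}, "|")
}

// display is what the device shows before the customer confirms: the data being
// signed, in a form a person can check against what they intended.
func display(t Transaction) string {
	return fmt.Sprintf("Pay %s %d.%02d to account %s", t.Currency, t.Amount/100, t.Amount%100, t.Payee)
}

// signingCode derives the dynamic code from the per-device secret and the
// canonical transaction: HMAC-SHA256, then HOTP-style dynamic truncation
// (RFC 4226, section 5.3) to eight decimal digits.
func signingCode(secret []byte, t Transaction) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(canonical(t)))
	digest := mac.Sum(nil)
	offset := int(digest[len(digest)-1] & 0x0f)
	truncated := binary.BigEndian.Uint32(digest[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%08d", truncated%100000000)
}

// verify is the server side. It recomputes the code from its own copy of the
// device secret and the transaction it is about to execute. If the payee,
// amount or challenge differ from what the customer signed, the codes differ.
func verify(secret []byte, t Transaction, submitted string) bool {
	expected := signingCode(secret, t)
	return subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1
}

func main() {
	// Constructed sample data: a secret provisioned into the device at enrolment,
	// and a transfer the customer intends to make.
	secret := []byte("per-device-secret-provisioned-at-enrolment")
	intended := Transaction{Payee: "12-3456-7890", Amount: 2500000, Currency: "USD", Nonce: "challenge-0001"}

	fmt.Println("device shows:", display(intended))
	code := signingCode(secret, intended) // the customer reads this off the device
	fmt.Println("bank accepts intended transfer:", verify(secret, intended, code))

	// A man-in-the-browser swaps the payee after the customer has confirmed.
	tampered := intended
	tampered.Payee = "99-8765-4321"
	fmt.Println("bank accepts tampered transfer:", verify(secret, tampered, code))

	// Replaying the same code against a fresh challenge also fails.
	replay := intended
	replay.Nonce = "challenge-0002"
	fmt.Println("bank accepts replayed code:", verify(secret, replay, code))
}
```

The example deliberately puts the payee into the code: a code derived only from a login challenge would still be accepted if malware rewrote the beneficiary after the customer confirmed, which is exactly the man-in-the-middle case the guidance quoted below is aimed at.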
Governments and regulatory bodies in several regions are also embracing secure digital
transaction signing by setting industry standards and enacting regulatory requirements aimed at
engineering a more secure digital environment for their citizens. For banks with a global focus,
this means transaction signing is a reality they cannot ignore. It is both an opportunity to
provide customers with greater security and, in a number of regions, a regulatory and
compliance requirement.
These regulations are very prescriptive. Singapore's Technology Risk Management Guidelines, section 12.1.7, state that financial institutions should implement two-factor authentication at login for all types of online financial systems and transaction signing for authorizing transactions. [3] Appendix E.1 of the same guidelines (Countering Man-in-the-Middle Attacks) suggests that an OTP or digital signature be generated for each new payee being added. It also states that the data being signed should be displayed to the customer in a meaningful way before being signed.

[3] Technology Risk Management Guidelines (June 2013); Monetary Authority of Singapore. http://www.mas.gov.sg/~/media/MAS/Regulations%20and%20Financial%20Stability/Regulatory%20and%20Supervisory%20Framework/Risk%20Management/TRM%20Guidelines%20%2021%20June%202013.pdf
if a certification system, such as a public key infrastructure, is in place. Messages to be signed should be encrypted and, once signed, should be tamper-evident. A properly implemented digital signature scheme, in which an asymmetric private key signs a hash of the message, covers all of these requirements and has the added benefit of supporting nonrepudiation, since only the holder of the private key could have produced the signature. The technology in use must support custom digital certificates that comply with specific Taiwan regulations. As under the Singapore regulations, OTPs may be used for certain types of low-risk transactions, but can be replaced by a digital signature scheme to satisfy the requirements for both low- and high-risk transactions.
Implementing a transaction signing solution not only helps protect banking customers, but will
help financial institutions meet the international business banking requirements in Singapore,
Taiwan and Korea. Given the current environment and rate of fraud targeting small business
banking, it is also not inconceivable that U.S. and other regulators might start requiring broader
use of transaction signing in some or all business banking transactions.
Attacks on business accounts typically begin with hackers compromising credentials through techniques ranging from email scams and phishing to trojans and other malware. They steal usernames, passwords and challenge-question answers, and disable alerts before initiating heists from the bank. These attacks have become more frequent and a lot more sophisticated in recent years, even being combined with DDoS attacks to distract from real-time detection of fraudulent transactions. Gartner says that over 10 percent of small businesses have had funds stolen from their bank accounts, with losses exceeding $2 billion. [4] Verizon's 2013 Data Breach Investigations Report says that almost half of all breaches took place at companies with fewer than 1,000 employees. [5] Businesses with fewer than 100 employees were hit the hardest.
Unlike consumer accounts, corporate accounts are not generally protected from financial losses stemming from account takeover fraud. In fact, many businesses are surprised to learn that banks have no legal or regulatory obligation to reimburse them for such attacks, as the federal regulations that protect consumers do not cover commercial accounts. Regulatory bodies such as the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal Financial Institutions Examination Council (FFIEC) do offer guidance on fraud controls for financial institutions, but not specific actions to be taken for corporate accounts.
Businesses' and banks' differing assumptions about liability in the event of fraud have generated a number of important court cases. One example of a court case involving a cyber-attack was initiated by Patco Construction Company. In May 2009, cyber criminals hacked into Patco's network and stole the ID and password of an authorized Patco employee, enabling them to log on and steal $588,000 from the company's checking account at Ocean Bank over the course of a week. (The transfers were only noticed when an executive at Patco received a notice via U.S. Mail that one of the transfers had failed.) The criminals had been able to successfully answer two challenge questions used to approve any transfer over $1,000. Awareness of a number of security and/or procedural failures might have prevented the attack or allowed it to be detected sooner. In addition, the fraudulent activity could have been prevented had the bank utilized strong out-of-band, multi-factor authentication to digitally sign the transactions.

[4] Owners May Not Be Covered When Hackers Wipe Out A Business Bank Account (June 13, 2012); New York Times. http://www.nytimes.com/2012/06/14/business/smallbusiness/protecting-business-accounts-from-hackers.html
[5] 2013 Data Breach Investigations Report (April 2013); Verizon. http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf
Another court case involved Experi-Metal (EMI). In 2009, the company comptroller responded to a phishing email appearing to come from its bank, Comerica, notifying EMI of scheduled maintenance and asking it to log into the company account via the provided link. Once on the impostor website, the comptroller was asked to provide the one-time code established by the bank, thus handing the hackers the credentials needed to access EMI's actual account and make nearly a hundred wire transfers within a few hours. Of the money transferred, $560,000 was not recovered. Had the company maintained better safeguards against phishing, this loss could have been avoided. The bank did not have adequate measures in place either: it did not engage in fraud scoring and fraud screening to detect suspicious activity on its customers' accounts. Out-of-band transaction signing could again have stopped the attack, provided the signing device showed the customer the actual payee and amount, so that a code phished at login could not be reused to authorize transfers the customer never saw.
While banks in the U.S. have generally done an adequate job adhering to the FFIEC guidance for
high-risk transactions, several courts have deemed that simply following the FFIEC guidance is
not sufficient. Applying the U.S. Uniform Commercial Code, courts are finding that affected
banks could and should do more under an interpretation of what constitutes commercially
reasonable information security.
In the Patco case, the original district court ruling in 2011 found that the bank was not liable for the monetary loss. However, in 2012 an appellate court reversed that decision, sent certain aspects back to the district court and called the bank's security procedures not commercially reasonable. A combination of security inadequacies and outright failures were to blame.
In the EMI case, the judge found that Comerica did not act in good faith when it processed nearly a hundred wire transfers over a few hours, remarking that "a bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier."
In addition to the financial risk of potentially refunding business customer losses, banks experience reputational damage and ultimately run the risk of losing customers. Businesses that have been hit by fraud feel betrayed by the bank they thought was protecting their money and often elect to take their business elsewhere. Increasingly, banks are faced with the quandary of whether to absorb the losses incurred by customers in account takeover attacks, irrespective of liability, in order to retain those customers. The 2011 Business Banking Trust Trends Study by the Ponemon Institute found that, in 78 percent of attacks, money left the financial institution before the attack was recognized. [6] In half of the cases, the financial institution took all or some of the loss.

[6] 2011 Business Banking Trust Trends Survey (February 2011); Ponemon Institute. http://info.guardiananalytics.com/rs/guardiananalytics/images/2011_Business_Banking_Trust_Study%20Exec%20Summary.pdf
In the Ponemon Institute's survey of the following year, 56 percent of respondents said a single successful instance of fraud involving their online bank accounts would be enough to destroy their confidence in their bank. The same survey identifies another problem: in most cases, businesses discover fraud before their bank notifies them, either when accessing the online account, while reconciling their monthly statements, or by receiving a call from a merchant, supplier or vendor about insufficient funds. (Only 44 percent say a bank representative contacted them first.) The perception of negligence in cases like this inevitably compounds the damage done to the trust relationship between businesses and their banking partners.
To comply with the new regulations while also offering efficient customer service, an uncluttered, intuitive interface for viewing all transactions in a batch and approving them individually is essential. The ideal solution allows the approvers' responses to be digitally signed, supporting nonrepudiation. Where multiple approvers are required, transaction authentication messages should be sent to all the parties, and the transaction approved only when the required responses have been submitted.
With the increased use of mobile devices, it is important that this type of solution also work on the phone or tablet. Industry-standard X.509 digital certificates can be employed to uniquely identify every mobile device, transforming it into a second factor that authenticates the user when logging in to the corporate online banking portal; the certificate's private key stays on the device. Additionally, the same certificates enable executives to digitally sign approvals of all sensitive transactions (single or batched) with just one touch, and to encrypt communications to and from the financial institution.
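An added example, written for this page and not Entersekt's own code, of the asymmetric approach described in the Taiwan and Singapore passage above (a private key signing a hash of the message, giving nonrepudiation) combined with the batch and multi-approver requirements just described. Each approver's device holds an Ed25519 key pair standing in for the key an X.509 device certificate would bind to that person; an approval is a signature over a SHA-256 digest of the canonical batch; the bank releases the batch only when a quorum of distinct registered approvers has signed it. Ed25519 as the algorithm, the two-of-two policy, the owner names, batch identifier and amounts are all assumptions; certificate chain validation and encryption of the messages in transit are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// Payment is one item in the batch; Amount is in minor units.
type Payment struct {
	Payee, Currency string
	Amount          int64
}

// Batch is the payments plus a bank-issued ID, so a signature over one batch cannot release another.
type Batch struct {
	ID       string
	Payments []Payment
}

// Device stands in for an enrolled phone; its key pair is what an X.509 device certificate binds to the approver.
type Device struct {
	Owner string
	pub   ed25519.PublicKey
	priv  ed25519.PrivateKey // never leaves the device
}

func enrol(owner string) Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Device{Owner: owner, pub: pub, priv: priv}
}

// digest hashes a canonical rendering of the batch; approvals sign this hash,
// so any later change to a payee or amount invalidates every signature.
func digest(b Batch) []byte {
	var sb strings.Builder
	fmt.Fprintf(&sb, "batch:%s\n", b.ID)
	for _, p := range b.Payments {
		fmt.Fprintf(&sb, "%s|%d|%s\n", p.Payee, p.Amount, p.Currency)
	}
	sum := sha256.Sum256([]byte(sb.String()))
	return sum[:]
}

// Approval is the one-touch response from a device: who signed, and the signature.
type Approval struct {
	Owner string
	Sig   []byte
}

func (d Device) approve(b Batch) Approval {
	return Approval{Owner: d.Owner, Sig: ed25519.Sign(d.priv, digest(b))}
}

// Policy is the bank's rule for the account: at least Quorum distinct registered
// approvers, each verified against the public key on file for that owner.
type Policy struct {
	Approvers map[string]ed25519.PublicKey
	Quorum    int
}

// release verifies every approval and releases the batch only once the quorum is met.
// Unknown owners and bad signatures are ignored; duplicates count once. The sorted
// signer list is the nonrepudiation record for the audit log.
func (p Policy) release(b Batch, approvals []Approval) (bool, []string) {
	d := digest(b)
	valid := map[string]bool{}
	for _, a := range approvals {
		if pub, ok := p.Approvers[a.Owner]; ok && ed25519.Verify(pub, d, a.Sig) {
			valid[a.Owner] = true
		}
	}
	signers := make([]string, 0, len(valid))
	for owner := range valid {
		signers = append(signers, owner)
	}
	sort.Strings(signers)
	return len(signers) >= p.Quorum, signers
}

func main() {
	// Constructed sample: two enrolled approvers, a two-signature policy, one batch.
	cfo, controller := enrol("cfo"), enrol("controller")
	policy := Policy{Approvers: map[string]ed25519.PublicKey{"cfo": cfo.pub, "controller": controller.pub}, Quorum: 2}
	batch := Batch{ID: "2014-03-07-001", Payments: []Payment{
		{Payee: "12-3456-7890", Amount: 1250000, Currency: "USD"},
		{Payee: "44-1122-3344", Amount: 98000, Currency: "USD"},
	}}
	ok, who := policy.release(batch, []Approval{cfo.approve(batch)})
	fmt.Println("one approver released:", ok, who)
	ok, who = policy.release(batch, []Approval{cfo.approve(batch), controller.approve(batch)})
	fmt.Println("two approvers released:", ok, who)
	// Raising an amount after both have signed invalidates both signatures.
	altered := Batch{ID: batch.ID, Payments: append([]Payment(nil), batch.Payments...)}
	altered.Payments[0].Amount = 9250000
	ok, who = policy.release(altered, []Approval{cfo.approve(batch), controller.approve(batch)})
	fmt.Println("altered batch released:", ok, who)
}
```

Because the signature is over the digest of the whole batch, the approver signs exactly what the device displayed, and the bank can later show a third party which registered keys signed which batch, which is the nonrepudiation property an OTP scheme cannot provide.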
By adopting a solution built on these more advanced forms of security technology, corporate finance officers gain peace of mind when logging on, accessing data and transacting, whether on their PC or on their mobile phones. They also benefit from not having to generate and enter signing codes or OTPs to approve batched transactions, a frustrating chore when performed on a mobile device. It's a solution that strengthens security while making life that much easier for corporate finance officers on the go.
Whether required by regulatory authorities or not, transaction signing solutions put the authenticity and integrity of online transactions beyond doubt, helping to restore confidence in mobile and online channels and fortifying the trust relationship banks and their customers share. Implementing a transaction signing solution not only helps protect customers but will help financial institutions meet the emerging regulatory requirements at home and abroad.
Important notice
All copyright and intellectual property herein vests in Entersekt. No part of the contents of this document may be used or copied
in whole or in part to any party without prior written permission from Entersekt.
Entersekt, Capital Place, Neutron Avenue, Technopark, Stellenbosch, South Africa