
A solution for eliminating the human risk from bank security?

We've all heard of phishing and man-in-the-middle attacks by computer hackers, but how many people think it could really happen to them? Most might think they'd never fall for a socially-engineered cyber attack but, according to Vasco Data Security, social engineering is growing steadily.

And 37 per cent of all attacks are targeted at financial services organisations, according to the data security firm's e-book, Mitigating human risk in banking transactions. A fifth of phishing attempts target financial credentials. What's more shocking is that 23 per cent of recipients open phishing messages and 11 per cent open phishing attachments. Data from Gartner Group suggests that theft through phishing costs US bank and credit card issuers around $2.8 billion a year.

Phishing and other types of socially-engineered attack (including voice phishing, instant messaging, spoof emails, covert redirects and 'man-in-the-browser' malware) all depend on one key weakness in any security system: the human. Many companies address this through education, increasing security awareness and user-oriented security controls. Vasco makes an important point: “But even with education and additional user controls, social engineering attacks are still successful, because the final decision is made by the user – the user authenticates to their bank, but the bank does not authenticate to the user.”

Two of the key risks in the traditional transaction initiation process are:

  1. that hackers can (relatively easily) direct a user to a fake bank website, which is then used to harvest the user's bank account log-in details; and
  2. that hackers can also talk the user into initiating or authorising a fraudulent transaction, because the prompt to authorise comes from the attacker and the bank is not involved in it.

Vasco has a system that addresses this problem: it takes the 'trust' decision away from the user and ensures that only the bank can initiate a transaction signature request, so a request that the bank cannot prove it sent is never put in front of the user at all.
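To make that property concrete, the following is an added illustration of a bank-initiated transaction signing flow. It is not Vasco's product code and is not taken from the e-book; it assumes (hypothetically) that the user's token shares two symmetric keys with the bank, BANK_KEY, which lets the token check that a signature request really came from the bank, and USER_KEY, which authenticates the user's approval. The keys, account numbers and amounts are constructed test values. The four scenario functions show a legitimate payment, a phishing site that cannot produce a bank-authenticated request, in-browser malware that swaps the payee (the token displays what the bank actually received, so the user declines), and details altered after the user has signed (rejected by the bank).

```python
# Added example, not Vasco's product code. Hypothetical two-key scheme:
# BANK_KEY authenticates the bank's request to the token, USER_KEY
# authenticates the user's approval to the bank. In a real deployment the
# keys are per device and live in tamper-resistant hardware.
import hashlib
import hmac
import json
import secrets

BANK_KEY = bytes.fromhex("00" * 32)   # constructed test key
USER_KEY = bytes.fromhex("11" * 32)   # constructed test key

# Constructed transactions: what the user meant to pay, and what an attacker wants.
INTENDED = {"payee": "GB00TEST00000001", "amount": "1250.00", "currency": "GBP"}
ROGUE = {"payee": "GB00TEST00009999", "amount": "9800.00", "currency": "GBP"}


def canonical(tx: dict) -> bytes:
    """Deterministic encoding so bank and token MAC exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def mac(key: bytes, nonce: str, tx: dict) -> str:
    """HMAC-SHA256 binding the per-request nonce to the transaction details."""
    msg = nonce.encode() + b"|" + canonical(tx)   # nonce is hex, so '|' is unambiguous
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Bank:
    def __init__(self):
        self.pending = {}   # nonce -> transaction the bank asked to have signed

    def request_signature(self, tx: dict) -> dict:
        """Only the bank can build this: the bank_mac needs BANK_KEY."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = dict(tx)
        return {"tx": dict(tx), "nonce": nonce, "bank_mac": mac(BANK_KEY, nonce, tx)}

    def execute(self, tx: dict, nonce: str, user_mac: str) -> str:
        pending = self.pending.pop(nonce, None)   # one-shot: a replayed nonce fails
        if pending is None:
            return "rejected: no such request"
        if pending != tx:
            return "rejected: details differ from signed request"
        if not hmac.compare_digest(mac(USER_KEY, nonce, pending), user_mac):
            return "rejected: bad user signature"
        return "executed"


class Token:
    """Signing device with its own display: authenticates the bank before showing anything."""

    def approve(self, request: dict, user_confirms) -> str:
        tx, nonce = request["tx"], request["nonce"]
        expected = mac(BANK_KEY, nonce, tx)
        if not hmac.compare_digest(expected, request.get("bank_mac", "")):
            raise PermissionError("request not from bank")
        if not user_confirms(tx):        # user reads payee and amount on the token itself
            raise PermissionError("user declined")
        return mac(USER_KEY, nonce, tx)


def legitimate_payment() -> str:
    bank, token = Bank(), Token()
    req = bank.request_signature(INTENDED)
    sig = token.approve(req, lambda shown: shown == INTENDED)
    return bank.execute(INTENDED, req["nonce"], sig)


def fake_site_request() -> str:
    """A phishing site has no BANK_KEY, so its request never reaches the user."""
    token = Token()
    nonce = "00" * 16
    forged = {"tx": ROGUE, "nonce": nonce, "bank_mac": mac(b"attacker-guess", nonce, ROGUE)}
    try:
        token.approve(forged, lambda _: True)
    except PermissionError as e:
        return str(e)
    return "signed"


def man_in_browser() -> str:
    """Malware rewrote the order in the browser; the token shows what the bank received."""
    bank, token = Bank(), Token()
    req = bank.request_signature(ROGUE)
    try:
        token.approve(req, lambda shown: shown == INTENDED)
    except PermissionError as e:
        return str(e)
    return "signed"


def tampered_after_signing() -> str:
    """Details changed after the user signed do not match the pending request."""
    bank, token = Bank(), Token()
    req = bank.request_signature(INTENDED)
    sig = token.approve(req, lambda shown: shown == INTENDED)
    return bank.execute(ROGUE, req["nonce"], sig)


if __name__ == "__main__":
    for scenario in (legitimate_payment, fake_site_request, man_in_browser, tampered_after_signing):
        print(f"{scenario.__name__}: {scenario()}")
```

The point the example makes is the one the e-book makes: the user never has to judge whether a prompt is genuine, because the token refuses to display a request it cannot verify as the bank's, and the bank refuses to execute anything other than the exact details the user saw and signed.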

CTMfile take: These observations may not be new, but they are a useful reminder, especially for corporate treasury professionals responsible for making high volumes of payments, or very large payments, every day, of how important it is to get independent, authentic confirmation from both the bank and the initiator before making a payment.
