PALO ALTO, Calif.-Life is often easy for fraudsters, because credit unions allow members to log-in to Internet banking using a password, image or challenge question.
But life is decidedly less easy at Addison Avenue FCU here, which says it enjoys completely fraud-free interactions at its online and mobile channels.
"You can forget about user name, password and secret questions," suggested Srividya Balaji, software development manager at AAFCU, which merged in January with First Technology CU of Beaverton, Ore. "They're not secure. One Trojan horse malware can capture those credentials."
Malware-and consumers inadvertently clicking on fraudulent links-are helping criminals enjoy major plunder from recent data breaches, including those at Epsilon and RSA.
"Out-of-band" authentication may provide the strongest defense against such breaches. Addison Avenue uses VeriSign Two-Factor and Risk-Based Authentication, requiring members to verify identity with something they know, such as a password, and something they have, such as a phone call, text message, e-mail or software token.
By the time Addison Avenue's merger with First Tech is operationally complete later this year, all members of the newly formed $4.7-billion First Tech Federal CU will verify their identity online via the VeriSign solution, said Balaji.
"Verifying identity using a 'what you know' with a 'what you have' approach is the way to stay ahead of fraudsters," Balaji said. "If you're not requiring that from your members, require it ASAP."
Combination of Steps
Addison Avenue FCU requires two-factor authentication only for high-risk transactions online, she explained.
"We combine a rules-based risk engine with a behavioral model. We score each transaction based on suspicious activity, such as logins from remote locations. But for certain transactions, including wire and ACH transfers, I don't care whether the activity is suspicious or not-I always want out-of-band authentication with a phone call, SMS, token or email."
Of the four out-of-band methods, email authentication is the most popular with members, said Balaji. But email's also the least secure, she said. "I'm pushing to have email removed as an option. There are too many instances of public domain emails being compromised."
That leaves phone calls and text messages, and phone call authentication is more reliable, she continued. "SMS is really spotty."
Providers can't guarantee SMS transmission, explained John Zurawski, VP-sales and marketing, Authentify, the authentication company that delivers the phone call option for Addison Avenue via VeriSign. "Once an SMS one-time-password has been launched, the application has to wait for some period before it can decide if the password has expired. But with the phone call, the dialing technology can be tuned to dial again immediately if there is not a connection. As a result, the voice channel is quicker and more reliable."
The software token is the newest option and the one members use least, Balaji said. A member using the software token is prompted during high-risk transactions to launch an application from their mobile phone that generates a unique security code. The member then enters the code during the banking session before the transaction is confirmed.
The process is similar for the remaining three authentication options, with one-time passwords being transmitted to the member via e-mail, phone call or SMS.
"We've always used security as our differentiator," Balaji added. "We didn't go the authentication route everyone else went with picture and password. We wanted to make sure we mitigated fraud the right way. We do get fraud attempts, but in every case, the fraudster fails the out-of-band authentication."