Criminals are getting more effective at leveraging information about customers to beat a bank's or credit union's process controls.

They can often determine customers' recent payments and credit details – either via internal collusion or a host of security vulnerabilities – and are actively watching that activity as the customer engages with their account.

Worse yet, individuals often make things easier for account thieves by posting details in various social media outlets (things like mother's maiden name or high school attended ring a bell?) and other information freely available on the Internet.

Addressing online security for financial institutions and their customers means looking at all activity across the organization – not just in the cyber sphere.

Cross-channel monitoring and assessment is essential, particularly as criminals get bolder about engaging with banks beyond online activity to escalate or confirm privileges and set the movement of money in motion, such as a call to the bank to enable an automated clearing house (ACH) transfer before the typical two-week cooling-off period that follows a major change to the account has elapsed.

In just one week, here's what a thief can accomplish with a stolen account.

Day 1: Thief steals Mr. A's user ID and password for an online bank account using a Trojan on a PC.

Days 2-3: Thief logs into Mr. A's account and changes his email address. Then, the thief logs into Mr. A's account a few more times and looks around, gathering information on account activity. The thief also gathers some personal information from Facebook, LinkedIn or another social media site.

Day 4: Thief calls the bank and speaks to a customer service representative. He authenticates himself as the account owner by answering challenge/response questions, having gleaned the information from social media or other avenues. An email verification notice is sent, and since it now comes to his email, he is granted full account access.

Days 5-6: Thief creates a new transfer account within Mr. A's existing account; the new account is verified by the bank.

Day 7: Thief pays himself a large amount of money directly from Mr. A's account.

Only after noticing the money is gone does Mr. A report an unauthorized payment.

In this scenario, the financial transaction happened on day seven. However, by then the thief had successfully breached several layers of security and the money was essentially gone.

Risk Assessments and the New FFIEC Supplement

As this scenario reveals, a cross-channel view of user activity is essential to detection and prevention of fraud. Fraudulent activity that is not transaction-based is often even more difficult to spot because these actions occur in isolation and can be obscured from traditional detection methods.

In 2005, the Federal Financial Institutions Examination Council issued guidance that provided a risk-management framework for how institutions should authenticate the identity of customers accessing Internet-based financial services.

The overarching goal of the guidance is to ensure that sensitive customer information is protected, and that the techniques used for that protection scale appropriately with the level of risk entailed.

In June 2011, the FFIEC issued a Supplement to the 2005 Guidance that broadens the initial guidance to include transaction monitoring and tasks banks and credit unions with “knowing their customers” in an effort to curtail account takeover and fraud. The new recommendations provide a great opportunity for credit unions to start the New Year with an assessment of business practices across the enterprise, including monitoring and analyzing activity across multiple data channels and core banking systems.

With traditional approaches and “siloed” detection capabilities, fraudulent activity can be very challenging to detect when it occurs across different channels and different applications. That makes multiple layers of security – technological and business process controls alike – even more important.

This leads to a need for more business process controls to help detect and prevent cross-channel fraud. Credit unions can use an automated, risk-based approach to provide insight across the enterprise and flag potential incidents.

For example, when a customer calls the institution, organizations now record which phone number the caller is using. If it is a new phone number, that fact can be noted and adds an additional layer of risk score to any activity that happens during that session.

Such an approach can be applied to maintenance activity, new service requests and many other behaviors. This layered approach to risk assessment should also be integrated into the institution's back-end processes. For example, the money vault staff can assess requests against other recent activity. Such risk-assessment mechanisms on top of layered security can flag and alert on potentially fraudulent transactions – before the money goes out the door.
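As an added example (not code from the article or from Attachmate Luminet), here is a small cross-channel risk scorer in Python that replays a constructed version of the Day 1-7 timeline above and applies the layered rules the preceding paragraphs describe: a contact-detail change, a call from a phone number never seen for this member, a new transfer account and a large payment inside the cooling-off window each add to a single score. The point values, thresholds, event names and the sample timeline are all assumptions.

```python
from dataclasses import dataclass, field

COOLING_OFF_DAYS = 14    # the "two-week cooling off period" after a major account change
LARGE_TRANSFER = 5000.0  # assumed amount threshold; tune per member profile
ALERT_THRESHOLD = 50     # assumed score at which the session is escalated for review

@dataclass
class Event:
    day: int
    channel: str                 # "web", "phone" or "transfer"
    action: str                  # "change_email", "call", "add_payee", "payment", ...
    detail: dict = field(default_factory=dict)

def score_timeline(events, known_phones):
    """Layered cross-channel score: returns (score, [(day, points, why), ...])."""
    reasons = []                 # every rule that fires, in chronological order
    change_day = None            # day of the most recent contact-detail change
    new_payees = {}              # payee -> day the transfer account was created
    for ev in sorted(events, key=lambda e: e.day):
        in_window = change_day is not None and ev.day - change_day <= COOLING_OFF_DAYS
        if ev.action == "change_email":          # Days 2-3 of the scenario
            change_day = ev.day
            reasons.append((ev.day, 20, "contact details changed online"))
        elif ev.action == "call" and ev.detail.get("phone") not in known_phones:
            reasons.append((ev.day, 15, "call from a phone number never seen before"))
            if in_window:        # Day 4: phone verification right after the email change
                reasons.append((ev.day, 25, "phone verification shortly after contact change"))
        elif ev.action == "add_payee":
            new_payees[ev.detail["payee"]] = ev.day
            if in_window:        # Days 5-6: new transfer account inside the cooling-off window
                reasons.append((ev.day, 20, "new transfer account during cooling-off period"))
        elif ev.action == "payment":
            added = new_payees.get(ev.detail["payee"])
            if ev.detail["amount"] >= LARGE_TRANSFER and added is not None \
                    and ev.day - added <= COOLING_OFF_DAYS:   # Day 7: the payout
                reasons.append((ev.day, 40, "large payment to a just-created transfer account"))
    return sum(points for _, points, _ in reasons), reasons

def should_escalate(events, known_phones):
    return score_timeline(events, known_phones)[0] >= ALERT_THRESHOLD

# Constructed timeline following the article's Day 1-7 scenario for Mr. A (sample data).
TAKEOVER = [
    Event(1, "web", "login", {"ip": "203.0.113.7"}),
    Event(2, "web", "change_email", {"new": "attacker@example.net"}),
    Event(4, "phone", "call", {"phone": "+1-555-0100"}),
    Event(5, "web", "add_payee", {"payee": "NEW-ACCT-1"}),
    Event(7, "transfer", "payment", {"payee": "NEW-ACCT-1", "amount": 9500.0}),
]
```

Calling `score_timeline(TAKEOVER, {"+1-555-0199"})` fires all five rules, while the same large payment to a long-established payee, or a call from a phone number already on file, scores nothing; no single channel sees enough on its own to raise the alert.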

Credit unions can use the new FFIEC Supplement as an opportunity to get the broadest business value – and use it as a mandate to better understand how their members are interacting with their financial institution, both online and in other direct activities, to analyze the risk of fraud.

Christine Meyers is the product marketing manager for Seattle-based Attachmate Luminet, an enterprise fraud management solution.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.