Prevent Fraud and Cyber Attacks for Online Banking


Trevor Reschke Head of Threat Intelligence

The Wall Street Journal reported in February that banks closed more than 1,700 branches across America between June 2016 and June 2017, the largest decline on record. According to the paper, a lot of these closures happened in big cities and the surrounding suburbs because foot traffic has significantly declined. Where once almost all banking was conducted in branches, today it’s increasingly moving online. An American Bankers Association (ABA) survey last year found that for 40 percent of people the primary method of banking is a laptop or PC, followed by mobile (26 percent) and then branches (18 percent). This shift to digital banking means that branches are simply not as profitable with fewer and fewer customers to service in person.


The shift to online banking has occurred relatively quickly, and with it there has been an increase in concerns over fraud and security. A survey by the credit-scoring Fair Isaac Corporation (FICO) found that identity theft and banking fraud are the biggest concerns in life for 44 percent of consumers, compared to 18 percent citing a terrorist attack as their top concern and 22 percent citing their own death or that of a loved one as their primary worry. Additionally, 76 percent are also generally worried about their bank account information being stolen and 58 percent concerned about their credit card information getting into the wrong hands. So in the context of life worries, this is kind of a big deal.


As banks continue to shut branches and, as a consequence, narrow the range of options consumers have to conduct their financial transactions, we can expect increased momentum in the number of people moving their banking online. In all likelihood the majority of those aren’t going to be up to speed on the latest security measures. This, combined with the fact that banking fraud is on the rise, means that security and fraud prevention has never been more critical for banks or for banking customers.


The challenge for banks lies in the fact that transactions have become transient. No longer is banking limited to transactions within the walls of the bank – these transactions are taking place everywhere, all the time. The devices and networks consumers are using are completely outside the control of the bank and it makes fraud monitoring and malware protection difficult to say the least.


Traditionally, banks have tried to encourage endpoint protection (EPP) by providing the necessary software free of charge to consumers but, bluntly, this approach hasn’t worked. There are too many devices to cover, too much reliance on the end-user to take protective measures, and not enough appreciation of what really needs protection – the transactions themselves.


But the focus of EPP software is on preventing malware infections, fighting that never-ending arms race to keep up with the adversaries – a battle that cannot be won. While there is a lot of ingenuity by adversaries in exploiting zero-days and worming their way through networks, that is not why malware exists, it’s just the transportation for the payload. Malware almost always has a purpose beyond spreading, and that’s to cause harm through fraud – stealing data, manipulating sessions, hijacking transactions, and submitting fraudulent transactions. THAT is where the focus of countermeasures should be, and THAT is why the focus should be on protecting the transaction stack.



This modern paradigm eschews the flawed approaches that weren’t designed with today’s threats in mind – it endeavors to seamlessly protect the full transaction stack from the cloud, not from the endpoint itself. Here’s the logic: by putting focusing on protection of the browsing sessions themselves, you can prevent malware from accessing sensitive data instead of attempting the futile aspiration of eradicating malware. Traditional endpoint protection tools worry about identifying and removing malware – a method that relies on knowing what the malware is and how to remediate it. As stated previously, this is a virtually impossible task in the age of mutating malware and zero-day threats. Full transaction stack protection (FTSP) removes focus on what the malware is or how to remove it, it is concerned only with preventing it from accessing the data it was created to steal.


Not everyone is going to be happy with bank branch closures, so it’s important to provide as positive an online experience as possible, without encumbering users with extra security steps or frustrating software installs. FTSP eliminates any burden on the end users, providing an impenetrable layer of protection is simply there – whether customers have infected devices or whether they land on a webpage that’s compromised by malware. This approach dramatically reduces security and fraud losses, in large part because it doesn’t rely on consumers to install and update anti-virus software that wasn’t even designed to stop today’s threats. FTSP is not only changing the game for security, anti-fraud and consumer confidence, it’s improving the user experience in a way that will make even the stodgiest ones more willing to embrace the shift to online banking.