
THE IMPORTANCE OF TRANSACTION SIGNING TO BANKS
Protecting customer accounts, both consumer and business, is a top priority
for financial institutions everywhere, especially in light of the security risks
attendant on online and mobile banking. The global nature of today's
financial world has also led many banks to offer international banking
services to multinational corporations and consumers, which has
complicated their ability to provide security. As a result, many financial
institutions, and even governments, are turning to transaction signing as a
powerful, advanced means of boosting security. Here's what you need to
know about this important new approach to keeping banking customers'
accounts in safe hands: yours.

2014 Entersekt 1
A new weapon in the fight against online and mobile banking fraud

For businesses, the increased use of online and mobile payments and banking services is a
function of their time-saving convenience, but it comes with added risk. According to Ponemon
Institute's 2012 Business Banking Trust Trends Study, sponsored by Guardian Analytics, 74
percent of companies experienced online fraud in 2012. 1 Credit or debit card fraud and
unauthorized access to accounts are the types of digital crime these companies have typically
experienced.

There is no shortage of solutions on the market that promise to secure online and mobile banking
through reliable user and transaction authentication. Unfortunately, however, many of the legacy
technologies they are based on are seriously flawed and no longer afford the protection that banks
and their business customers expect.

Banks have historically relied on two-factor authentication to secure online and mobile
transactions. This requires customers to identify themselves by providing a piece of information
unique to their account, such as a PIN or password, and something they physically have in their
hand, such as a software or a hardware token, which generates a one-time password (OTP) that
must be provided to complete a transaction.

Two-factor authentication certainly helps counter fraud, but weak implementations of it mean
banking systems continue to be targeted by fraudsters. OTP systems and challenge-based questions
are being easily defeated, enabling fraudulent schemes such as the Eurograbber trojan to
compromise thousands of accounts and inflict tens of millions of dollars of account takeover fraud
losses.

Why are OTPs losing popularity?

Currently, the most popular digital authentication method uses OTPs delivered to users through
hardware and software tokens or via text or automated voice message. The principal flaw in this
approach is that it relies on re-entering information into a browser-based communications channel
back to the bank. Should a phishing site mimic a bank's online banking portal, or if the browser
has been compromised by some form of malware, the customer's login credentials and OTP can easily
be captured by cybercriminals and immediately used to access accounts. Using text messages to
deliver OTPs is perhaps the worst option, given the wide-open nature of SMS and mobile devices'
inadequate protections against mobile malware. (Mobile carriers in Australia have, in fact, issued
guidance to banks there recommending that SMS not be used for transmission of sensitive banking
information, including OTPs. 2)

OTPs are also unpopular with users. They find having to carry an OTP token a hassle and
re-entering strings of digits for login and transacting an error-prone waste of time. Their
frustration can only get worse as they conduct more of their banking on the mobile phone and as
the new regulatory requirements around batch transaction signing start to take effect. Digitally
signing each transaction within a large batch using an OTP for every individual transaction is a
cumbersome process, and a great deal more so when you are away from your desk, trying to get the
job done on a phone or tablet.

1 2012 Business Banking Trust Trends Survey (August 2012); Ponemon Institute

[http://www.ponemon.org/local/upload/file/2012_Business_Banking_Trust_Trends_FINAL14.pdf]
2 Telcos declare SMS unsafe for bank transactions (November 9, 2012); iTnews.com.au

[http://www.itnews.com.au/News/322194,telcos-declare-sms-unsafe-for-bank-transactions.aspx]

To help protect their customers, banks are looking past yesterday's approaches and assessing
new and stronger alternatives. One such tool is digital transaction signing. Specifically targeting
transactions deemed as higher risk, transaction signing is used to verify the authenticity and
integrity of an online transaction by requiring customers to digitally sign major transactions,
such as large monetary transfers or online changes to personal customer details.

In order to confirm the online transaction, users are required to enter a dynamic PIN or OTP that
is generated when a customer inputs information specific to a transaction, such as an account
number or a transaction amount, into a device uniquely theirs. Transaction signing calculates a
value based on the user input on both the client and server side. If the information does not
match, the signature is voided and the transaction will not be approved.
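The client-and-server calculation described above, shown as an added example rather than Entersekt's or any bank's code: the customer's device computes an HMAC over the transaction details with a secret only that device and the bank share, truncates it to a short numeric code, and the bank recomputes the same code from the transaction it is actually about to execute. The field layout, the per-device secret, the server-issued challenge value and every sample value here are assumptions constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strings"
)

// Transaction holds the fields the customer keys into (or confirms on) the
// signing device. Only these fields are bound by the code, so they must be
// the ones a fraudster would want to alter: payee, amount, and the challenge
// that ties the code to this one request.
type Transaction struct {
	SourceAccount string
	PayeeAccount  string
	AmountCents   int64
	Currency      string
	Challenge     string // fresh, bank-issued value that makes each code single-use (assumed design)
}

// canonical renders the transaction as one fixed, unambiguous byte string so
// that client and server compute the MAC over exactly the same input.
func canonical(t Transaction) []byte {
	return []byte(strings.Join([]string{
		t.SourceAccount, t.PayeeAccount, fmt.Sprintf("%d", t.AmountCents), t.Currency, t.Challenge,
	}, "|"))
}

// SigningCode is the device side. It derives an 8-digit code from the
// transaction and the per-device secret, using the dynamic-truncation step
// of HOTP (RFC 4226) so the result is something a person can type back in.
func SigningCode(deviceSecret []byte, t Transaction) string {
	mac := hmac.New(sha256.New, deviceSecret)
	mac.Write(canonical(t))
	digest := mac.Sum(nil)
	offset := int(digest[len(digest)-1] & 0x0f)
	bin := binary.BigEndian.Uint32(digest[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%08d", bin%100000000)
}

// VerifySigningCode is the bank side. It recomputes the code from the
// transaction as the bank sees it and compares in constant time. Any change
// to payee, amount or challenge between device and server yields a different
// code, so the signature is voided and the transaction is not approved.
func VerifySigningCode(deviceSecret []byte, t Transaction, code string) bool {
	expected := SigningCode(deviceSecret, t)
	return hmac.Equal([]byte(expected), []byte(code))
}

func main() {
	// Constructed sample values; a real deployment provisions the secret into
	// the hardware or software token and issues the challenge per transaction.
	secret := []byte("constructed-per-device-secret-0001")
	tx := Transaction{"1234567890", "0987654321", 250000, "USD", "c7f1a2"}

	code := SigningCode(secret, tx)
	fmt.Println("code shown on the customer's device:", code)
	fmt.Println("bank accepts the original transaction:", VerifySigningCode(secret, tx, code))

	// A browser trojan swaps the payee after the customer computed the code:
	// the bank's recomputation no longer matches and the transfer is refused.
	tampered := tx
	tampered.PayeeAccount = "5555555555"
	fmt.Println("bank accepts the tampered payee:", VerifySigningCode(secret, tampered, code))
}
```

Because the code depends on the payee and amount, a phished or malware-captured code is only useful for the exact transfer the customer meant to make; a captured code cannot be reused under a new challenge either. The comparison uses `hmac.Equal` so that a wrong guess does not leak timing information about how many digits matched.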

Governments and regulatory bodies in several regions are also embracing secure digital
transaction signing by setting industry standards and enacting regulatory requirements aimed at
engineering a more secure digital environment for their citizens. For banks with a global focus,
this means transaction signing is a reality they cannot ignore. It is both an opportunity to
provide customers with greater security and, in a number of regions, a regulatory and
compliance requirement.

Understanding international standards
Most large global banks such as Citibank, Chase, Bank of America, HSBC, Deutsche Bank and
Wells Fargo will likely be looking to swiftly implement transaction signing solutions that meet
the requirements of each of the nations they operate in. One of the strictest standards in effect
is the Monetary Authority of Singapore (MAS) Technology Risk Management Guidelines, which
state that banking customers should be able to review individual transactions as part of a batch
and sign them on an out-of-band device. 3 Singapore is not the only place implementing similar
requirements. Others include South Korea and Taiwan.

These regulations are very prescriptive. Singapore's Technology Risk Management Guidelines
12.1.7 states that financial institutions should implement two-factor authentication at login
for all types of online financial systems and transaction signing for authorizing transactions.
When referring to Appendix E.1 in the same regulation (Countering Man-in-the-Middle
Attacks), the guidance suggests that an OTP or digital signature is generated for each new
payee being added. It also states that the data being signed should be displayed to the customer
in a meaningful way before being signed.

According to Taiwan's transaction signing specifications, transactions are to be classified as
either high or low risk. For high-risk transactions, data used to identify the user (user ID, etc.)
must be signed. Actual transactions must also be signed. High-risk transactions are only allowed
if a certification system, such as a public key infrastructure, is in place. Messages to be signed
should be encrypted and, once signed, should be tamper-evident. A properly implemented
asymmetric (public-key) scheme combined with a hashing scheme will cover all the bases, and will have
the added benefit of supporting nonrepudiation. The technology in use must support custom
digital certificates that comply with specific Taiwan regulations. As per the Singapore
regulations, OTPs may be used for certain types of low-risk transactions, but can be replaced by
a digital signature scheme to satisfy the requirements for both low- and high-risk transactions.

3 Technology Risk Management Guidelines (July 2013); Monetary Authority of Singapore

[http://www.mas.gov.sg/~/media/MAS/Regulations%20and%20Financial%20Stability/Regulatory%20and%20Supervisory%20Framework/Risk%20Management/TRM%20Guidelines%20%2021%20June%202013.pdf]
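The two requirements just described, Taiwan's asymmetric signature over a hash with nonrepudiation and Singapore's rule that the signed data be shown to the customer in a meaningful way, come together in the added example below (not Entersekt's code, nor any regulator's reference implementation). Ed25519 from Go's standard library stands in for whatever certificate-backed algorithm a deployment actually uses, and the bank is assumed to hold only the public key it enrolled for the device; the Payment structure, the display text format and the sample values are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Payment is a high-risk transaction in the sense of the Taiwan specification:
// both the user's identity and the transaction itself are bound by the signature.
type Payment struct {
	UserID       string
	PayeeAccount string
	PayeeName    string
	AmountCents  int64
	Currency     string
	Reference    string // bank-issued unique id, so a captured signature cannot be replayed (assumed)
}

// DisplayText is the exact text shown on the out-of-band device before the
// customer confirms. Signing this text rather than an opaque blob gives
// "what you see is what you sign": the signature only covers the payee and
// amount the customer actually reviewed.
func DisplayText(p Payment) string {
	return fmt.Sprintf("User %s pays %s (%s) %s %d.%02d [ref %s]",
		p.UserID, p.PayeeName, p.PayeeAccount, p.Currency,
		p.AmountCents/100, p.AmountCents%100, p.Reference)
}

// Sign runs on the customer's device: hash the displayed text, then sign the
// digest with the device's private key. That key never leaves the device,
// which is what gives nonrepudiation: the bank can verify the signature but
// could not have produced it.
func Sign(devicePriv ed25519.PrivateKey, p Payment) []byte {
	digest := sha256.Sum256([]byte(DisplayText(p)))
	return ed25519.Sign(devicePriv, digest[:])
}

// Verify is the bank's side. It needs only the public key it enrolled for the
// device (in a deployment, the key carried in the device's X.509 certificate).
// It rebuilds the display text from the payment it is about to execute, so any
// change to the payment after signing makes the signature fail: tamper-evidence.
func Verify(devicePub ed25519.PublicKey, p Payment, sig []byte) bool {
	digest := sha256.Sum256([]byte(DisplayText(p)))
	return ed25519.Verify(devicePub, digest[:], sig)
}

func main() {
	// Enrolment: the device generates its key pair and only the public half is
	// registered with the bank. Constructed here; a deployment would issue a certificate.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	p := Payment{"corp-user-17", "0987654321", "Acme Supplies Ltd", 1250000, "TWD", "TX-2014-000123"}

	fmt.Println("shown on device:", DisplayText(p))
	sig := Sign(priv, p)
	fmt.Println("signature:", hex.EncodeToString(sig))
	fmt.Println("bank verifies original payment:", Verify(pub, p, sig))

	// A man-in-the-middle rewrites the amount after the customer signed.
	altered := p
	altered.AmountCents = 9999900
	fmt.Println("bank verifies altered amount:", Verify(pub, altered, sig))
}
```

The point of verifying against the bank's own copy of the payment, rather than against whatever the browser submits, is that the browser channel is exactly the one the sidebar above describes as compromised; the signature is only meaningful if it is checked over the data the bank will act on.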


Implementing a transaction signing solution not only helps protect banking customers, but will
help financial institutions meet the international business banking requirements in Singapore,
Taiwan and Korea. Given the current environment and rate of fraud targeting small business
banking, it is also not inconceivable that U.S. and other regulators might start requiring broader
use of transaction signing in some or all business banking transactions.

Why should U.S. banks be concerned about international requirements?
While new technologies to help combat fraud continue to evolve, so do the savvy fraudsters
who continue to target businesses. Unfortunately, many small businesses are not able to spend
enough time or money on fraud prevention and too often rely on their banking institutions for
fraud detection and prevention. They hold their financial institutions responsible for securing
the online and mobile channels. In Ponemon Institute's 2012 Business Banking Trust Trends
Study, 72 percent of U.S. businesses asserted that their banking institution is ultimately
responsible for ensuring their online accounts are secure. This creates a potential liability issue
for both the bank and the business.

A cyber-attack is made possible when hackers compromise business accounts with techniques
ranging from email scams and phishing to using trojans and other malware. They steal
usernames, passwords and challenge questions, and disable alerts before initiating heists from
the bank. These attacks have become more frequent and a lot more sophisticated in recent
years, even being combined with DDoS attacks to avoid real-time detection of fraudulent
transactions. Gartner says that over 10 percent of small businesses have had funds stolen from
their bank accounts, with losses exceeding $2 billion. 4 Verizon's 2013 Data Breach Investigations
Report says that almost half of all breaches took place at companies with fewer than 1,000
employees. 5 Businesses with fewer than 100 employees were hit the hardest.

Unlike consumer accounts, corporate accounts are not generally protected from financial losses
stemming from account takeover fraud. In fact, many businesses are surprised to learn that
banks have no legal or regulatory obligation to reimburse them for such attacks, as federal
regulations do not cover commercial accounts. Regulatory bodies, such as the Federal Deposit
Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC) and the Federal
Financial Institutions Examination Council (FFIEC), do offer guidance on fraud controls for
financial institutions, but not specific actions to be taken for corporate accounts.


Businesses' and banks' differing assumptions on liability in the event of fraud have generated a
number of important court cases. One example of a court case involving a cyber-attack was
initiated by Patco Construction Company. In May 2009, cyber criminals hacked into Patco's
network and stole the ID and password of an authorized Patco employee, enabling them to log
on and steal $588,000 from the company's checking account at Ocean Bank over the course of a
week. (The transfers were only noticed when an executive at Patco received a notice via U.S.
Mail that one of the transfers had failed.) The criminals had been able to successfully answer
two challenge questions used to approve any transfer over $1,000. Awareness of a number of
security and/or procedural failures might have prevented the attack or allowed it to be detected
sooner. In addition, the fraudulent activity could have been prevented had the bank utilized
strong out-of-band, multi-factor authentication to digitally sign the transactions.

4 Owners May Not Be Covered When Hackers Wipe Out A Business Bank Account (June 13, 2012); New York Times

[http://www.nytimes.com/2012/06/14/business/smallbusiness/protecting-business-accounts-from-hackers.html]

5 2013 Data Breach Investigations Report (April 2013); Verizon

[http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf]

Another court case involved Experi-Metal (EMI). In 2009, the company comptroller there
responded to a phishing email appearing to come from their bank, Comerica, notifying EMI of
scheduled maintenance and asking it to log into the company account via the provided link. Once
on the impostor website, the comptroller was asked to provide the one-time code established
by the bank, thus providing the hackers with the credentials needed to access EMI's actual
account and make nearly a hundred wire transfers within a few hours. Of the money
transferred, $560,000 was not recovered. Had the company maintained better safeguards to
prevent phishing attacks, this loss could have been avoided. The bank did not have adequate
measures in place either: it did not engage in fraud scoring and fraud screening to detect
suspicious activity on its customers' accounts. This again could have been stopped by utilizing
out-of-band transaction signing.

While banks in the U.S. have generally done an adequate job adhering to the FFIEC guidance for
high-risk transactions, several courts have deemed that simply following the FFIEC guidance is
not sufficient. Applying the U.S. Uniform Commercial Code, courts are finding that affected
banks could and should do more under an interpretation of what constitutes commercially
reasonable information security.

In the Patco case, the original district court ruling in 2012 found that the bank was not liable for
the monetary loss. However, in 2013, an appellate court reversed that decision, sending certain
aspects back to the district court and calling the bank's security not commercially reasonable.
A combination of security inadequacies and outright failures were to blame.

In the EMI case, the judge found that Comerica did not act in good faith when it processed
nearly a hundred wire transfers in an hour, remarking that, "A bank dealing fairly with its
customer, under these circumstances, would have detected and/or stopped the fraudulent wire
activity earlier."

In addition to the financial risk of potentially refunding business customer losses, banks
experience reputational damage and ultimately run the risk of losing customers. Businesses that
have been hit by fraud feel betrayed by the bank they thought was protecting their money and
often elect to take their business elsewhere. Increasingly, banks are faced with the quandary of
whether to absorb the losses incurred by customers in account takeover attacks irrespective of
the liability, in order to retain their customers. The 2011 Business Banking Trust Trends Study by
Ponemon Institute found that, in 78 percent of attacks, money left the financial institution
before the attack was recognized. 6 In half of the cases, the financial institution took all or some
of the loss.

6 2011 Business Banking Trust Trends Survey (February 2011); Ponemon Institute

[http://info.guardiananalytics.com/rs/guardiananalytics/images/2011_Business_Banking_Trust_Study%20Exec%20Summary
.pdf]

In Ponemon Institutes survey of the following year, 56 percent of respondents said a single
successful instance of fraud involving their online bank accounts would be enough to destroy
their confidence in their bank. The same survey identifies another problem. In most cases,
businesses discover fraud before their bank notifies them, either when accessing the online
account, while reconciling their monthly statements, or by receiving a call from a merchant,
supplier or vendor about insufficient funds. (Only 44 percent say a bank representative
contacted them first.) It should be obvious to anyone that the perception of negligence in cases
like this inevitably compounds the damage done to the trust relationship between businesses
and their banking partners.

How can banks comply with the new regulations and help secure customer accounts?
Implementing a transaction signing solution that requires customers to digitally sign each and
every high-risk transaction enables banks and their customers to verify the authenticity and
integrity of online transactions, helping negate online banking fraud. So, what might such a
solution look like in practice?

In order to comply with the new regulations, while also offering efficient customer service,
implementing an uncluttered, intuitive interface for viewing all transactions in a batch and
approving them individually is essential. The ideal solution would allow the approvers'
responses to be digitally signed, supporting nonrepudiation. Where multiple approvers are
required, transaction authentication messages should be sent to all the parties, approving the
transaction only when the required responses have been submitted.
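The batch workflow described in the paragraph above, as an added example that is not Entersekt's code: each item in a batch is reviewed and signed on its own, several enrolled approvers each sign from their own device, and the bank releases an item only once the required number of distinct, validly signed approvals for that exact item has arrived. Ed25519 stands in for the deployment's certificate-backed algorithm; the BatchItem and Approval structures, the review text format, the two-of-two policy and all sample values are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// BatchItem is one payment in a payroll or supplier batch. Items are signed
// individually so an approver can hold one back without blocking the rest.
type BatchItem struct {
	ID           string
	PayeeAccount string
	AmountCents  int64
}

// Approval is what an approver's device returns to the bank: which item,
// who approved it, and a signature over the text that approver reviewed.
type Approval struct {
	ItemID     string
	ApproverID string
	Sig        []byte
}

// ItemText is the per-item text shown on the out-of-band device. It includes
// the batch id so an approval for the same payee and amount in a different
// batch cannot be replayed against this one.
func ItemText(batchID string, it BatchItem) string {
	return fmt.Sprintf("batch %s item %s: pay %s %d cents", batchID, it.ID, it.PayeeAccount, it.AmountCents)
}

// Approve runs on the approver's device and signs exactly the displayed text.
func Approve(batchID string, it BatchItem, approverID string, priv ed25519.PrivateKey) Approval {
	return Approval{it.ID, approverID, ed25519.Sign(priv, []byte(ItemText(batchID, it)))}
}

// Policy is the bank's record of who may approve and how many must agree.
type Policy struct {
	Approvers map[string]ed25519.PublicKey // enrolled approver id -> that approver's device key
	Required  int                          // distinct valid approvals needed per item
}

// ReleasableItems returns, in batch order, the IDs of items that reached
// quorum. An approval counts only if it names an enrolled approver, verifies
// under that approver's key over this exact item text, and is not a second
// approval from the same person. Items short of quorum are held, never partly released.
func ReleasableItems(batchID string, items []BatchItem, approvals []Approval, pol Policy) []string {
	byID := map[string]BatchItem{}
	valid := map[string]map[string]bool{} // item id -> set of approvers with good signatures
	for _, it := range items {
		byID[it.ID] = it
		valid[it.ID] = map[string]bool{}
	}
	for _, a := range approvals {
		it, known := byID[a.ItemID]
		pub, enrolled := pol.Approvers[a.ApproverID]
		if !known || !enrolled {
			continue
		}
		if ed25519.Verify(pub, []byte(ItemText(batchID, it)), a.Sig) {
			valid[a.ItemID][a.ApproverID] = true
		}
	}
	var released []string
	for _, it := range items {
		if len(valid[it.ID]) >= pol.Required {
			released = append(released, it.ID)
		}
	}
	return released
}

func main() {
	// Constructed enrolment: two approvers known to the bank, one key that is not.
	cfoPub, cfoPriv, _ := ed25519.GenerateKey(rand.Reader)
	ctlPub, ctlPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)

	pol := Policy{Approvers: map[string]ed25519.PublicKey{"cfo": cfoPub, "controller": ctlPub}, Required: 2}
	batch := "PAYROLL-2014-06"
	items := []BatchItem{{"PAY-001", "1111", 500000}, {"PAY-002", "2222", 320000}, {"PAY-003", "3333", 9900000}}

	approvals := []Approval{
		Approve(batch, items[0], "cfo", cfoPriv),
		Approve(batch, items[1], "cfo", cfoPriv),
		Approve(batch, items[2], "cfo", cfoPriv),
		Approve(batch, items[0], "controller", ctlPriv),
		Approve(batch, items[1], "controller", ctlPriv),
		// Someone without the controller's device tries to complete PAY-003 in the controller's name.
		Approve(batch, items[2], "controller", roguePriv),
	}
	fmt.Println("released:", ReleasableItems(batch, items, approvals, pol)) // [PAY-001 PAY-002]
}
```

Keeping the approval as a signature rather than a yes/no message is what supports the nonrepudiation the paragraph asks for: the bank can later show which enrolled key approved which item text, and a claimed approval from a key the bank never enrolled is simply ignored.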


With the increased use of mobile devices, it is important that this type of solution also work on
the phone or tablet. Industry-standard X.509 digital certificates can be employed to uniquely
identify every mobile device, transforming it into a second factor of authentication that
authenticates the user when logging in to the corporate online banking portal. Additionally,
leveraging advanced digital certificates enables executives to digitally sign approvals of all
sensitive transactions (single or batched) with just one touch, and to fully encrypt
communications to and from the financial institution.

By leveraging a solution equipped with more advanced forms of security technology, corporate
finance officers gain complete peace of mind when logging on, accessing data and transacting,
whether with their PC or on their mobile phones. They also benefit from not having to generate
and enter signing codes or OTPs to approve batched transactions, a frustrating chore when
performed on the mobile device. It's a solution that guarantees security while making life that
much easier for corporate finance officers on the go.

Rethinking approaches to user and transaction authentication is crucial if banks want to
effectively protect themselves and their customers. Financial institutions wanting to offer online
banking services to the corporate banking segment must provide a highly secure environment
that meets stringent regulatory requirements at home and abroad.

Whether required by regulatory authorities or not, transaction signing solutions ensure that the
authenticity and integrity of online transactions is never in doubt, helping to restore confidence
in mobile and online channels, and fortifying the trust relationship banks and their customers
share. Implementing a transaction signing solution not only helps protect customers but will
help financial institutions meet the emerging regulatory requirements at home and abroad.

Further reading on entersekt.com

Corporate banking authentication [http://www.entersekt.com/corporate/]

Important notice
All copyright and intellectual property herein vests in Entersekt. No part of the contents of this document may be used or copied
in whole or in part to any party without prior written permission from Entersekt.
Entersekt, Capital Place, Neutron Avenue, Technopark, Stellenbosch, South Africa
Phone: +27 21 815 2800  Email: info@entersekt.com  Web: www.entersekt.com

Document ID: ENTERSEKT-45-149
