Like all financial institutions, Bank Leumi is a prime target for cybercriminals, who use an increasingly sophisticated array of phishing techniques and malware to try to paralyse banking activities and defraud account holders. To shield its customers from such attacks, Bank Leumi selected F5 WebSafe and F5 MobileSafe.
In 2008, Bank Leumi suffered a significant phishing attack, the first in its history. Calls to the bank’s customer contact centre soon spiked, as concerned individuals rushed to report the scam, but it still took the organisation’s fraud prevention team over 60 hours to shut the attack down. After this serious incident, the ability to identify phishing attempts immediately became a top priority for the business.
Bank Leumi and its subsidiaries form one of Israel’s largest banking groups, with 270 branches throughout Israel and more than 60 branches in 17 countries across the globe. As well as phishing attacks, this international organisation was also concerned about its vulnerability to malware. It therefore started to look for solutions that would help it redouble its protection for customers.
At the time, Bank Leumi was working to extend its business to new channels in order to meet the needs of its customers. It therefore required a solution that was, in the future, capable of increasing the security of mobile banking and protecting customers, regardless of what device they used to access their online accounts.
Bank Leumi ideally wanted to find a solution that didn’t need to be installed on customers’ own devices, as this would increase complexity for customers – and potentially also increase costs for the business. “Your customer may need technical support, and all of a sudden, it becomes your responsibility,” says Eli Irim, manager of investigations and control, Bank Leumi.
Your customer may need technical support, and all of a sudden, it becomes your responsibility.
After conducting a careful and extensive evaluation of several competitive products, Bank Leumi selected F5 WebSafe and F5 MobileSafe, two solutions acquired by F5 from Versafe in September 2013. The bank deployed F5 WebSafe first and is now planning the roll out of F5 MobileSafe as part of a broader new mobile banking strategy.
F5 WebSafe provides a ring of defence between customers’ devices and the bank’s core online banking applications. The solution helps the bank to detect and mitigate malware and phishing attacks, as well as a myriad of other threats including web injection, credential grabbing, man-in-the-browser, session-hijacking and man-in-the-middle attacks, by identifying any changes to the HTML or the injection of malicious script into the genuine site. To protect customers’ financial transactions, the solution also identifies and prevents automated payments and money transfers initiated by malware or a bot.
Similarly, F5 MobileSafe employs a range of techniques to distinguish transactions by genuine users from those initiated automatically by malware. It identifies devices that have been jailbroken and encrypts information at the application layer in order to detect malware and protect customers from all mobile threats including SMS grabbing, zero-days and keylogging. The solution also allows for the rapid detection of suspected fraud via social networks.
Most customers choose to bank online or from their mobile device because it’s easier and more convenient. So in making a decision on what fraud prevention solution to select, I wanted to ensure it required our customers to be involved as little as possible.
Bank Leumi is now far better able to defend its business against phishing and malware attacks. Its customers can enjoy all of the convenience of Internet banking, safe in the knowledge that their online transactions are secure.
Safer online banking for customers
As soon as malware or phishing is detected, Bank Leumi is immediately notified via SMS and email and given critical information about the attack. It can then take appropriate and immediate action to protect its online banking customers. Whereas it took the business 60 hours to halt its first phishing incident back in 2008, it can now block threats in minutes using F5 WebSafe.
“Malware and phishing are my two concerns, and F5 WebSafe has been very effective in helping us detect and respond more effectively to these attacks,” says Irim. “Once we receive an alert about a potential phishing threat on our website, we can quickly switch traffic to another server to avoid an attack.”
No inconvenience for online and mobile customers
Many of the competitive products that Bank Leumi evaluated required customers to download security software to their devices, and this was precisely what the bank was trying to avoid. In contrast, neither F5 WebSafe nor F5 MobileSafe requires the installation of software on end user devices. Consequently, Bank Leumi was able to deploy F5 WebSafe easily, in just a matter of days, without any disruption to its customers. What is more, the bank doesn’t have the cost of having to support users with technical issues.
“Most customers choose to bank online or from their mobile device because it’s easier and more convenient,” says Irim. “So in making a decision on what fraud prevention solution to select, I wanted to ensure it required our customers to be involved as little as possible.”
Added security for mobile banking
When F5 MobileSafe goes live it will give Bank Leumi the ability to detect if a mobile device has been jail broken, and it also can match the devices ID against behavioural information to spot suspicious behaviour. “Defending against web fraud is a difficult discipline because customers are often unaware that anything untoward is happening,” says Irim. “MobileSafe should give us the ability to ensure greater integrity of sensitive customer data to protect both them and the Bank.”