New Security Rules May Spark New Technology

Many banks must go back to the drawing board in deciding which security systems to use to protect online banking users.

The methods banks favored six years ago, when the Federal Financial Institutions Examination Council issued its initial guidance on how to protect online account access, are no longer sufficient against today's threats, the agency said Tuesday.

For mainstream consumers, many banks use a software-based approach, such as identifying the computer the consumer regularly uses to bank online, because it is cheaper and less disruptive than hardware-based alternatives. However, the FFIEC now insists that "simple device identification, as a primary control," is no longer "an effective risk mitigation technique," according to its new guidance.

Many banks use hardware tokens to generate one-time-use passwords for high-value accounts, such as those held by businesses. This time around, tokens may fall out of favor for consumers not because of their cost but because their most prominent vendor, EMC Corp.'s RSA Security, suffered a recent data breach that led it to offer to reissue its devices to many customers. Its rivals have swooped in like vultures — PhoneFactor Inc., which has a graphic on its homepage welcoming RSA customers, says it has seen double-digit growth in inquiries and sales since last year.

The last time banks shied away from hardware-based approaches, inventors came out of the woodwork proposing new, often zany methods of replacing conventional passwords. Some of these had users deciphering codes written on plastic cards, while others (such as the PassMark, an RSA product in use at many banks today) made consumers stare at pictures of other people's pets each time they sign in.

One vendor, Passfaces Corp., proposed that bank customers click on faces in a Brady Bunch-style grid at every login. This system actually has just over a dozen bank and credit union customers today, but was more successful among health care providers, the company said.

Not all banks will have to scramble to upgrade their systems. Large banks, accustomed to being the biggest targets, have already put stronger security methods in place. For example, ING Direct customers are used to unconventional login methods — they type a PIN on a virtual keypad at every login, and as of May, they must generate a special code to allow third-party financial management sites to access their data.

But most banks stick to the methods the FFIEC criticized as insufficient. According to Gartner Inc., 73% of banks use cookies or Flash objects to identify computers, and 89% use challenge questions. The FFIEC said both methods are insufficient by themselves.

"Most of the banks, for consumers, are doing those weak authentication methods," Gartner's Avivah Litan said. "They do have to go back to square one for consumer banking."

Litan said the FFIEC's guidance, though more detailed than the 2005 original, is still insufficient for today's fraud environment. She called its wording "wishy-washy" in places, but more important, "this FFIEC guidance should have been issued two years ago. Look how much blood was shed" in the years leading up to the revision.

Dave Jevans, the chairman of the Anti-Phishing Working Group, said that 2005's guidance was narrowly focused on protecting just the initial authentication, which fraudsters have long been able to get around. The current guidance goes further, but "is not forward-looking," he said, in that it ignores new channels, such as mobile, that fraudsters are starting to target.

Jevans, who also chairs the security vendor IronKey Inc., said that many large banks were at least evaluating better options before the new guidance came out this week. But "on the small financial institution side: Generally, they have nothing," he said.
