Even as they seek to comply with a year-end deadline, credit unions are spinning their wheels on popular layered authentication tools, according to a number of security experts.
"I'm reading underground blogs about hacks of these solutions already," said Tripp Johnson, a senior director at Scottsdale, Ariz.-based Cornerstone Advisors.
"A lot of these solutions are temporary because the challenge-response factor isn't strong enough for hackers," added Kelly Dowell, executive director of the Austin, Texas-based Credit Union Information Security Professionals Association.
Most of the 25 vendors offering authentication solutions require users to register online with a challenge-response factor, or default to a challenge-response factor during high-risk transactions.
Popular solutions that incorporate challenge-response as the second security factor include those provided by PassMark Security and Cyota, which are offered through partnerships with FiServ, Inc. and Jack Henry & Associates.
A challenge-response screen prompts online members to use their computer keyboards to answer a previously-chosen question in order to verify identity. If the answer matches what's stored in the credit union's database, the member is granted access to the account.
But databases can be hacked, and computer screens can be scraped, leaving the member's accounts-and identification-ulnerable once again. "God yes, they're vulnerable," Dowell continued. "Although layered authentication is a big step forward, it's not going to solve all the problems."
Challenge-response is also vulnerable to fraud perpetrated by friends, colleagues or family who have easy access to personal information.
"Challenge-response makes no sense if your problem is family-and-friends fraud," pointed out Peter Tapling, CEO at Chicago-based Authentify, which provides second-factor authentication based on an automated phone call.
Nearly half of the incidents of identity theft is committed by people who know the victim, according to a 2004 survey by the Identity Theft Resource Center, a San Diego nonprofit.
A better second-factor authentication would "assume the end-user PC is compromised," Dowell continued.
Passfaces assumes just that, according to Patricia Lareau, vice president of Product Management at the strong-authentication corporation. "You may notice that all other solutions rely on a password or PIN to tie the authentication process to the user," Lareau explained. "The social vulnerabilities of these factors are enormous."
Passfaces technology is based on the mind's capacity to recognize human faces, she continued. The solution requires users to identify several random faces from many sets of nine faces, a format that brings to mind the Brady Bunch television credits.
"My belief in Passfaces remains strong because we are the only offering that authenticates the person," Lareau said.
However, Johnson asserted that there are weaknesses in any image-based approach. "I tried one of the image-based solutions, and I didn't remember which darn picture they showed me," he said.
"In this case, I'm in favor of the big-brother approach in which the financial institution builds a pattern analysis of the end user's behavior in all the delivery channels and locks the account if there's unusual behavior," Johnson continued. "That's going to lend much more credibility toward fraud prevention than showing a picture."
As the threats continue to evolve, the "major players will invest the money to overcome them," added Dowell.
Amir Orad, VP-marketing at RSA Consumer Solutions, RSA Security, agreed.
"The RSA Adaptive Authentication solution is a one-stop shop," he said. To address the shifting horizon, the RSA platform offers a risk engine and fraud network, as well as several second-factor authentication options, he said.
PassMark follows suit, added Andrew Voorhies, technology operations manager at Stanford FCU. "Because this threat is never-ending, we continually educate our members and our staff," he said. "PassMark in tandem recognizes better methods either by peer group innovations or think-tank sessions. The outcome of the methods translates into product upgrades, which we'll be doing to stay current."
CUJ Resources
For info on this story:
* Stanford FCU at www.sfcu.org
* CUISPA at www.cuispa.org
* Cornerstone Advisors at www.crnrstone.com
* Identity Theft Resource Center at www.idtheftcenter.org
* Passfaces at www.passfaces.com
