A Fair Warning To All Institutions About Proposal
The FDIC has issued its second Financial Institution Letter (FIL) specifically cautioning financial institutions to "investigate the implementation of multi-factor authentication methods, which would limit the ability of identity thieves to compromise customer accounts, even when a thief has a customer's ID, password and account numbers." This "recommended action" was the only recommendation that the FDIC specifically underlined for emphasis: a fair warning to all financial institutions.
A number of companies now offer two-factor authentication products in response to the FIL 103-2005 requirements. All of these solutions appear to use a MAC address and/or other computer, browser or IP data as the "second" item of the required two-factor authentication, the first being the user's name and password.
These so-called "second authentication" items seem to be weak solutions to a very serious problem. Because they reside on the user's computer and are easily obtainable by a hacker or by spyware, they are not secure items and therefore fail to meet the purpose of FIL 103-2005.
The purpose of FIL 103 is to stop the fraud that is occurring in online banking transactions. It was issued to kill the impact of phishing attacks, spyware and hacker attacks. Most second-factor authentication items provide only a public image of security, not real security.
Financial institutions must consider using stronger authentication methods than just names and passwords. A variety of options are available, but only a select few provide a highly secure second-factor item that is isolated from the hardware itself. Information security continues to operate in an increasingly difficult environment, with new vulnerabilities and weaknesses identified on a regular basis. It is therefore imperative that financial institutions identify and implement the very best in IT security and control.
Glenn Gearhart, CEO
ACAP Security Inc.
Huntington Beach, Calif.