As cyber-attacks spread like wildfire, credit unions are counting down the FFIEC deadline that mandates stronger online authentication.
The FFIEC requires that financial institutions implement multifactor authentication by Dec. 31 for customers logging-in to accounts online.
Most of the credit unions that have stepped up to the plate are using solutions that rely entirely on software, not hardware tokens or cards.
The Credit Union Journal surveyed six of the software-based solutions on the market, all of which require passwords or PINs as the first of the multiple authenticating factors.
For the second factor, all solutions authenticate the user's existing device, such as a computer or phone, by identifying user behavior patterns and technical profiles, such as Internet Protocol address, Internet Service Provider, PC and browser settings and geographic location.
None of the products disrupts the user's experience or requires additional hardware or software installed on the member's PC, according to the providers. Here's what CU users had to say:
Cavion Plus Software Token
First-time users enter a randomly generated security code to register their computers and install a browser cookie. In addition to registering their computers, users also see a personally chosen word or phrase at log-in before they enter a PIN.
"We feel it is important to ensure that our members are using the most technologically secure method of accessing their accounts."
- Karyl Body, website administrator, Retail Employees CU, Atlanta, $36 million.
Corillian Intelligent Authentication
As a complement to the Corillian Corp. online banking suite, Intelligent Authentication attracted nine credit union users in its first three months of release.
"Corillian's solution is unobtrusive, low maintenance and easy for the member. Most of our homebanking activity occurs during work hours, and this solution does not require any physical token to be utilized or thin client to be placed on the desktop, which could be forbidden by an employer."
- Greg Gallant, CTO, Texans CU, Richardson, Texas, $1.5 billion.
eSphinx is one member of Cyota's online security and anti-fraud family, which includes phishing, transaction fraud and website validation solutions. Cyota prides itself on its fraud-tracking network, which collects fraud patterns from financial institutions worldwide. eSphinx then uses that data to block future fraudulent log-ins.
"We like the layered approach the Cyota products offer and the fact that they can work in conjunction with the existing layers of security we already have in place. Cyota's competitors offer some of the functionality that Cyota does, but we want our member information protected by the additional layers of security that Cyota offers."
- Jim Watts, CIO, Royal CU, Eau Claire, Wis., $695 million.
Level 9 Safe2Login
Recipient of the 2005 CUNA Technology Council Future Forum "Best of Show" award, Safe2Login uses challenge questions to verify member identity before issuing a one-time, on-screen security code.
The solution, developed by New England Federal CU (NEFCU) and its CUSO, Level 9 Inc., authenticates the online banking server to the member, and is easier to use and install and less expensive than most solutions, according to Jim St.Peter, manager of Technology and Operations at the $500-million NEFCU.
"These are important factors to consider given that most solutions require time-consuming and expensive integration with your Internet Banking application and require additional security servers in your data center," said St.Peter.
"Ease of use, member acceptance and cost were the determining factors when we selected Safe2Login. Many options were not appropriate; they were too expensive and too invasive."
- Bill Helms, president, First Cheyenne FCU
PassMark Two-Factor Two-Way Authentication
PassMark's solution includes two-way authentication in addition to the standard two-factor. Two-way allows users to verify, with a personally chosen image and caption, that the website is valid before they log in with their passwords.
"We selected PassMark because we preferred their approach to validate our member by a registered device or challenge question as opposed to the alternative, tokens. This provided greater convenience to our members by not having to carry a token and less overhead for us to manage them.
"We found having to devise a standard set of challenge questions for all our members globally is somewhat limiting; as an alternative, to allow members to create their own unique challenge questions would be a beneficial enhancement."
- Victor Smilgys, AVP-eCommerce, Technology CU, San Jose, Calif., $1.2 billion.
TriCipher Armored Credential System
The TACS spin on authentication is that the software allows credit unions to switch between different factors, including passwords, existing devices, tokens, or smart cards, depending on each member's needs. No credit union clients were available to comment; however, TACS is available to CUs via Internet banking provider Digital Insight.
Multifactor authentication requires something the user knows-a username and password or PIN-with something the user is, does, or has-the user's Internet behavior, the user's computer profile, or a hardware token. Credit unions have said they are reluctant to dole out unwieldy hardware tokens to members.
"The browser-based software approach satisfies the FFIEC guidance, is simple to explain and is minimally invasive to the end user's online banking experience. In addition, we can strengthen existing protections within the solution to help our client financial institutions address the potential security concerns of tomorrow without having to completely retool."
- Scott Mackelprang, vice president, Security and Compliance, Digital Insight, Calabasas, Calif.
FOR INFO ON THIS STORY:
* Cavion Plus Software Token at www.cavionplus.com.
* Corillian Intelligent Authentication at www.corilliansecurity.com
* Cyota eSphinx at www.cyota.com
* Level 9 Safe2Login at www.l9.com
* PassMark Two-Factor Two-Way Authentication at www.passmarksecurity.com
* TriCipher Armored Credential System (TACS) at www.tricipher.com.