CUs Implement Layered Controls For Member Log-Ins

Credit unions are feathering the nest with layers of authentication, hoping to weather looming regulatory examinations and deadlines for online security.

For Central Corporate CU (CenCorp) in Southfield, Mich., the process started with a risk-assessment of all online transactions, said Tim Sweet, director of Information Technology at the $2-billion corporate in Southfield, Mich., which provides services to approximately 400 member CUs.

Risk assessment is the right place to start, according to the guidance offered in the NCUA and FFIEC's Authentication in an Internet Banking Environment, which mandates that credit unions implement effective authentication technology before the end of the year to verify online member identity.

But risk assessment expertise isn't something credit unions are born with. "My biggest frustration is that the guidance says so much, yet it says nothing about how financial institutions should comply," said Tripp Johnson, a senior director at Scottsdale, Ariz.-based Cornerstone Advisors. "I would have liked to have seen a risk assessment checklist come out with the guidance in order to know what risk assessment levels are tolerable," he said.

Stanford FCU, Palo Alto, Calif., the grandparent of credit union layered authentication, offered a few pointers.

"During these risk assessments, credit unions should consider how members interact with the credit union, how savvy members are, and anything else unique about the credit union and their members," said Andrew Voorhies, technology operations manager at the $700-million CU, which launched PassMark Security's tool in January 2005 (see related story, page 17).

As far as technology goes, credit unions should implement multifactor authentication, layered security, or other controls to mitigate risks, according to the NCUA.

CenCorp's risk analysis led Sweet to believe that multi-layered authentication is the best bet. "We are thinking about having our users enter an ID and password, answer a secret question, and then do some sort of image recognition," Sweet explained.

"By doing this we feel that we won't have to implement any new hardware, such as biometric devices, tokens or RSA cards, or have to increase administration of the system," he continued. "Also, we felt by taking this approach we could minimize the risk of the system being compromised."

Multi-Layer Vs. Two Factor

CenCorp's "multi-layered" authentication- the most common approach among credit unions-is a far cry from 'two-factor'-the term most commonly used to describe well-known authentication solutions.

"Historically, two-factor has been assumed to be stronger," according to Kelly Dowell, executive director at the Credit Union Information Security Professionals Association in Austin, Texas. "The image-based and screen pad solutions are just an added layer of something the user knows, so the strength isn't what they should be."

In contrast, two-factor requires "something the user knows, has, or is," which is traditionally guaranteed by some combination of passwords, images, hardware tokens, smart cards, and biometrics.

Cencorp takes the two-factor tact with online users making high-risk wire transfers.

Wire transfers are authenticated with a test key, Sweet explained. The test key is calculated from values sent to the CUs annually plus values in the actual wire, such as dollar amount. A second system administrator then confirms and processes the wire, he said.

Most credit unions are avoiding the pure two-factor approach because tokens, cards, and biometrics can be expensive to issue and awkward to use.

With the approaching compliance deadlines, a gray area is surfacing between multi-layered and two-factor, said Dowell.

"Two-factor is being redefined by the technology providers. We're in desperate times, and we're seeing creative solutions come out that are pushing the boundaries."

However, "the NCUA isn't really too concerned about the terminology; they just want something better in place," he said.

"Something better" often calls for "something easy to use," Sweet continued. That eliminates any type of download to a user's system -no matter how unobtrusive.

"We have to keep it simple for members," agreed Charles Bruen, CEO at $600-million First Entertainment CU in Hollywood, Calif.

Cost and ease of integration with homebanking software rounded off Bruen's top-three priorities in choosing authentication tools.

CUJ Resources

For info on this story:

* CenCorp at www.cencorpcu.org.

* Stanford FCU at www.sfcu.org

* CU Information Security Association at www.cuispa.org.

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER