First CU To Implement 3rd-Party Verification Tool Given OK By NCUA

The NCUA gave passing marks to the first credit union to verify members online using a third-party authentication tool, perhaps setting a precedent for other credit unions that are struggling to understand the recent FFIEC and NCUA missives.

"Our NCUA audit in February concluded that everything we did regarding risk assessment, due diligence and implementation are satisfying factors in meeting the FFIEC and NCUA guidance," said Andrew Voorhies, technology operations manager at Stanford FCU.

Financial institutions must mitigate high-risk online transactions using multifactor authentication, layered security, or other controls by the end of the year, according to the FFIEC and NCUA (see related story, page 11).

Stanford FCU chose to mitigate those transactions using the Two-Factor Two-Way Authentication solution by PassMark Security, Inc. of Menlo Park, Calif. The $700-million Stanford CU launched PassMark in January 2005.

However, Voorhies was quick to point out that "each credit union should perform a risk assessment of its own, which would consider many different elements of the networks and systems" before choosing a solution.

"PassMark is not the only company offering a multifactor solution, but we are definitely satisfied with PassMark and would recommend it to credit unions whose options might include two-way, two-factor authentication," he continued.

"Two-factor" authenticates the member's password and Internet device, such as a computer or phone, by identifying behavior patterns and technical profiles.

In addition, "two-way" allows members to verify, with a personally chosen image and caption, that a website is valid before they log in with their passwords.

'Satisfactory Cost'

Asked if he thought the cost of the PassMark solution was a barrier to implementation, Voorhies responded: "The cost is satisfactory for the end result."

The solution is priced according to user population and the options enabled, which yields a cost of between 35 cents and 95 cents per user per year, according to PassMark.

Stanford FCU repeatedly passes along the same advice to other credit unions launching browser-based authentication software: test.

"Once you've decided on a solution, if you're not using a token or smart-card and it's software-based, make sure you test different browsers and operating systems," Voorhies said.

"The credit union spent about 100 to 200 hours for the PassMark implementation, and most of that time was spent testing browsers," he said.

The CU checked the solution in the Explorer, Firefox, Netscape, Opera and Safari browsers, as well as the Microsoft Windows and Apple Macintosh operating systems, he said.

After an initial rush of calls for support in the first month, members "adapted to the process quite quickly, and several of them thanked us for taking greater steps sooner than required to protect their online experience," Voorhies added.

In addition, members themselves are playing "Neighborhood Watch" online.

"Our members are much more cautious about threats out there," said Voorhies. "They are much more aware of how to differentiate a real SFCU site and a non-SFCU site."

Implementing a layered solution may not be completely seamless. Whereas the Internet banking application at Stanford FCU is currently protected by the authentication process, the bill payment users are still authenticated using the one-factor password approach.

"We're working with our bill payment provider to integrate bill payment behind Internet banking and PassMark," Voorhies said.

CUJ Resources

For info on this story:

* Stanford FCU at www.sfcu.org

* PassMark at www.passmarksecurity.com
