One CU Dials Up A Mature Technology To Deal With A Fresh Challenge
Worried about the danger that is part of the conventional layered approach many credit unions are taking to authenticate members online, Pennsylvania State Employees Credit Union (PSECU) announced this week it will call users to confirm high-risk transactions instead of defaulting to a challenge question.
"Many credit unions are going with a challenge-response as the second factor to authenticate certain transactions, but with the threat of screenscraping Trojans out there, I don't feel that challenge-response is strong enough," explained Kevin Doyle, Information Security manager at the $2.3-billion CU.
The FFIEC and NCUA have set year-end deadlines for financial institutions to employ layered authentication online during high-risk transactions.
Instead of answering a challenge question, PSECU members performing high-risk transactions will receive an automated call to the mobile, home, or work phone number listed on their accounts.
The member will pick up the call and use the telephone keypad to enter a random confirmation number generated on the screen of the homebanking site.
The phone line and confirmation number thus act as "something the user has," or the second control in a two-factor approach to online authentication. The first factor at PSECU is the member number, PIN, and password.
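The call-back exchange described above, reduced to its server-side logic, as an added example that is not PSECU's or Authentify's code; the class name, the six-digit code length, the two-minute window and the attempt limit are assumptions. The code is generated on the web session and compared against the digits the telephony side reports from the keypad, so the web session alone never learns whether the phone was answered.

```python
import secrets
import hmac
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 120      # member has two minutes to answer and key the code
MAX_ATTEMPTS = 3


class OutOfBandVerifier:
    """Server side of the call-back confirmation step (constructed example)."""

    def __init__(self, phone_on_file, now=time.time):
        # phone_on_file maps member number -> the number already stored on the
        # account, so a hijacked web session cannot choose where the call goes.
        self.phone_on_file = phone_on_file
        self.now = now              # injectable clock, used by the tests
        self.pending = {}           # session id -> verification record

    def start(self, session_id, member_number):
        """Create the on-screen code; return (number to dial, code to display)."""
        code = "".join(str(secrets.randbelow(10)) for _ in range(CODE_DIGITS))
        self.pending[session_id] = {
            "member": member_number,
            "code": code,
            "expires": self.now() + CODE_TTL_SECONDS,
            "attempts": 0,
            "ok": False,
        }
        return self.phone_on_file[member_number], code

    def keypad_entry(self, session_id, dtmf_digits):
        """Called by the telephony side with the digits the member keyed in."""
        rec = self.pending.get(session_id)
        if rec is None or rec["ok"]:            # unknown session or replay
            return False
        if self.now() > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            self.pending.pop(session_id, None)  # stale or exhausted: start over
            return False
        rec["attempts"] += 1
        if hmac.compare_digest(rec["code"], dtmf_digits):
            rec["ok"] = True                    # transaction may now be released
            return True
        return False

    def is_confirmed(self, session_id):
        rec = self.pending.get(session_id)
        return bool(rec and rec["ok"])
```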
PSECU will launch the telephone authentication, provided by Chicago-based Authentify, Inc., on July 1, along with a new homebanking site, said Doyle. "I don't see any vulnerabilities with Authentify," Doyle added. "It's less susceptible than challenge-response. You can't alter or capture the member's phone number listed on the account the way you can with challenge-response information."
The challenge-response factor requires users to type the answer to a previously chosen question on their computer keyboard (see the related story on challenge-response authentication in this issue).
Less than 1% of transactions at PSECU are identified as high-risk, which PSECU has defined as transactions involving a combination of factors, including a password or IP address change, or most outgoing transfers, said Doyle. The telephone authentication won't be a big deal for members, he continued.
"All our members will have to do is update their phone numbers," he said. "That's one of the reasons we liked Authentify - it really doesn't interfere with the member experience or require anyone to install anything."
Authentify would be "a little too intrusive" - and unnecessary - to confirm low-risk transactions, Doyle said. "We didn't want to turn away people from the online experience."
Authentify is one of several second-factor authentication options provided by the RSA Security Adaptive Authentication platform, which also includes RSA's fraud network and risk engine.
Additional second-factor options include challenge-response, one-time-password devices, and digital watermarks.
The annual cost for Adaptive Authentication at PSECU is less than $1 per member, said Doyle. "My vice president is convinced that it's a good investment."
NCUA examiners visited PSECU in April and also "seemed pretty satisfied with the telephone authentication concept," Doyle said.
For info on this story:
* Pennsylvania State Employees CU at www.psecu.com
* Authentify at www.authentify.com
* RSA Security/Cyota at www.cyota.com