Reader Question #2
In these days of rampant ID theft and security breaches, what will be the new bar for verifying a home banking member upon log-in?
John Schooler, President, USERS, Inc., Valley Forge, Penn.
As security breaches have become more commonplace and more sophisticated, home banking has outgrown the simple user ID and password protection that marked the earliest applications. More stringent password protection is now a requirement for any home banking solution.
For instance, USERS' software allows our clients to select password controls that meet the very stringent requirements of TruSecure, a leading Internet security firm that regularly audits our Internet banking applications. Our clients can require passwords with both alpha and numeric characters, both upper and lowercase characters, and special characters. They can also set passwords to expire after a particular period, requiring members to change them.
To supplement these baseline requirements, the industry is gradually moving toward the use of two-tier or multi-factor authentication. As an example, a home banking application could recognize the IP address that the member typically uses when logging in. If an attempt was made to access that account through a different IP address, the member would have to answer a series of questions to authenticate his/her identity before gaining access. If the software recognized the same IP address attempting to gain access to multiple accounts, it would deny access and generate a fraud alert report.
Another logical next step to further secure Internet applications is to verify the identity of prospective members who attempt to open accounts via the Web. USERS is taking this step by interfacing with a third-party supplier that specializes in identity verification, allowing our clients to open new member accounts online without taking on undue risk.
Jim Berthelsen, Harland Financial Solutions
The first step to improve authentication for home banking will be to simply enforce the minimum requirements of the FFIEC with single-factor authentication. Using IDs that are unrelated to the member account or relationship, optionally combined with unique data provided by the institution, and requiring passwords whose constraints cannot be set below the recommended FFIEC guidelines in terms of relationship to the ID, length, complexity and life time are measures that should be in place today by any financial institution. If there is still a need to raise the bar higher, then the two-factor authentication would be the next level and numerous details and options surround that level of security.
Other options such as hardware devices that generate unique keys or passwords, software for additional data field validations, and manual methods such as phone calls to verify acceptance into a site also exist. The goal at Harland is to allow for a variety of options to enable credit unions the ability to choose solutions that meet their own internal security strategy and requirements.
Lea Spagarino, Symitar
The days of safely relying on reusable passwords to authenticate members logging into the credit union website are coming to an end. "In these days of rampant ID theft" multiple new defenses are necessary. They include:
* Two Factor Authentication-a password and a second authentication. Examples include a biometric solution (fingerprint recognition), a credit union supplied token that has a number that changes every minute or a less expensive inert token where a member will enter a number from a preprinted "bingo" card.
* Web Log-monitor transactions and where they are coming from (member's home or office), compare them to a profile and detect behavior-based suspicious activity.
* Brand Monitoring- proactive automated search of domains for "look alikes" to the CU site.
Symitar is currently reviewing 11 separate vendors that cover all these defenses and more. In addition, Symitar's parent company (Jack Henry and Associates) recently acquired a biometric technology solution and has deployed this solution for employee log-in and is now reviewing member authentication options. We will need to provide a wide range of solutions to fight off ID theft for our clients.
Remember also that it is a team effort. We need to work closely with the CUs and their members for the most effective defense. In many cases the best defense is an alert member. The average loss in 2004 when the ID theft is detected online by a consumer is $551. It goes up to $4,543 when the consumer detects it on a paper statement and way up to over $12,000 when detected by the financial institution.
Sue Pogatschnik, Bankers Systems
The short answer is that as of today there is no prescribed security standard to use when designing or reevaluating your home banking security. After state and federal legislators have finished their work in 2005, there could be a legal "floor" for such security standards but these standards won't represent the "ceiling" in terms of effective security.
The most common methods of identifying a member using a home banking system include tokens (devices that generate a unique number used by the member to enter their account), biometrics (i.e., fingerprint scanners), and responsive questions. Each has its own pluses and minuses.
The pluses of tokens and some fingerprint devices is that they are portable. This means that you can access your account from more than one PC. Unfortunately, this is also a minus (think "television remote control").
Responsive questions, usually based on the content of a member's credit report, can be effective but members find them intrusive, sometimes can't remember the answers, and can easily be answered by a fraudster who has obtained the credit report.
A newer method that addresses both identity theft and "pharming" (redirecting the member to a fake CU site), is to have the member choose a unique picture that will be presented on screen whenever they access the account. If they correctly ID the picture, they can be associated with the account. If the picture isn't presented, the member recognizes they may be viewing a "pharming" site that otherwise looks just like yours.
Have A Technology Question For The CU Journal Panel? E-Mail It To fdiekmann