Banks Need to Take FFIEC Mandate to Heart

Over the next year banks will likely spend millions of dollars enhancing information security in response to the recent Federal Financial Institutions Examination Council guidance. The FFIEC guidelines were updated in response to increased threats from phishing, pharming and crimeware. The updated guidelines suggest that financial institutions (FIs) assess the risk associated with their Internet banking applications, identify mitigating actions and adjust their information security programs to implement those actions.

Specifically, the FFIEC guidance does not consider an ID and password alone an adequate security measure for Internet-based banking. A password or PIN on its own is inadequate because it can be stolen once and reused indefinitely. In high-risk areas FIs should implement additional controls such as multi-factor authentication and mutual authentication. The guidelines apply to retail and commercial FIs engaged in Internet banking. Institutions are expected to achieve compliance by year-end 2006.

The Pew Internet & American Life Project found that more than 50 million U.S. adults now bank online, a jump of 47 percent during the past two years. That growth explains why emerging threats target the personal information of online banking customers. Most online banking relies on user name and password authentication, and the problem with passwords is that it is too easy to lose control of them. People give them to other people. People write them down, and other people read them. People send them in e-mail, and the e-mail is intercepted. People use them to log into remote servers or Web sites, and they get tricked into logging into bogus sites.

Criminals are devising sophisticated ways to steal credentials and commit financial fraud. Pharming attacks, for example, redirect a user's browser to bogus Web sites while maintaining the appearance of the correct Web site. One such attack modifies the hosts file on the user's operating system, which maps host names to IP addresses and is consulted before DNS, so that requests for specific bank Web sites are sent to a server the criminals control while the address bar still shows the bank's name.
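The hosts-file pharming described above is easy to detect on the endpoint because the override must be written into a plain-text file. The following script is an added example for this article, not code from the authors or any vendor named on the page: it parses hosts-file text, ignores loopback entries (which block a site rather than redirect it) and reports any protected bank host name that has been pinned to some other address. The sample hosts content and the domain `examplebank.com` are constructed for the example.

```python
import ipaddress
import os

# Constructed hosts-file content for the example (not taken from a real machine):
# normal loopback entries plus two entries of the kind a pharming trojan inserts.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# added by "security update"
203.0.113.45    www.examplebank.com
203.0.113.45    onlinebanking.examplebank.com
10.0.0.7        intranet.corp.local
"""

# Domains the (hypothetical) institution wants watched for local overrides.
PROTECTED_SUFFIXES = ("examplebank.com",)


def hosts_path():
    """Location of the hosts file on the current operating system."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an address: ignore
        for name in fields[1:]:
            yield ip, name.lower()


def find_pharming_entries(text, protected=PROTECTED_SUFFIXES):
    """Map each protected host name pinned to a non-loopback address to that address.

    Loopback entries are left alone: they block a site rather than redirect it.
    """
    hits = {}
    for ip, name in parse_hosts(text):
        if ip.is_loopback:
            continue
        if any(name == s or name.endswith("." + s) for s in protected):
            hits[name] = str(ip)
    return hits


def check_local_hosts(protected=PROTECTED_SUFFIXES):
    """Scan this machine's hosts file; returns the same mapping as find_pharming_entries."""
    with open(hosts_path(), encoding="utf-8", errors="replace") as fh:
        return find_pharming_entries(fh.read(), protected)


if __name__ == "__main__":
    for name, ip in find_pharming_entries(SAMPLE_HOSTS).items():
        print(f"hosts file pins {name} to {ip}: possible pharming")
```

A bank cannot run this on customers' machines, but the same check belongs in any endpoint agent or help-desk triage script, and the suffix list should cover every host name the institution's login pages use, not only the marketing domain.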

In other attacks, users were tricked into installing crimeware on their computers. Crimeware such as key loggers captures every keystroke, and screen scrapers capture screen images to send back to the criminals. Key loggers and screen scrapers are particularly malicious because they run silently, giving the unsuspecting user no clue of their activity. Signature-based anti-virus products frequently miss these programs, because a crimeware variant that has not yet been sampled has no signature to match.

Multi-factor authentication refers to the use of more than one of the following factors to verify a user's identity: what a user knows, such as a password or a PIN; what a user has, such as a token, credit card, passport or smart card; and what a user is, namely a physical characteristic such as a fingerprint, retinal scan or facial geometry.

Many in the security industry believe multi-factor authentication provides relief against these emerging threats, and European banks have aggressively pushed two-factor authentication to secure access to customer accounts. However, as with simple passwords and PINs, sophisticated criminals can intercept the additional factors used in authentication. In the case of the Swedish bank Nordea, criminals attempted to steal paper-based, one-time passwords from its users, forcing it to shut down its online services. Even time-bound one-time passwords, which are typically valid for at least 60 seconds, can be intercepted: a phishing site or crimeware that captures the code can relay it to the real bank site before it expires, so a one-time password narrows the window for fraud rather than closing it.
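To make the relay point concrete, here is an added example (not code from the article's authors or from any vendor it names) implementing a standard time-based one-time password, HOTP per RFC 4226 stepped by time per RFC 6238, together with a bank-side verifier. The scenario function plays out the interception: the code harvested at time t0 is accepted when the criminal submits it 20 seconds later, because it is still within its validity window; a second submission of the same code is refused only because the verifier remembers the last time step it consumed. The seed is the RFC test vector, and the clock skew tolerance of one step is an assumption.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test seed (ASCII "12345678901234567890"). A real
# deployment provisions a random per-customer secret; this is for illustration.
SEED = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 plus dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, step=30, digits=6):
    """Time-based OTP (RFC 6238): the HOTP counter is the current 30-second time step."""
    return hotp(secret, int(now // step), digits)


class OtpVerifier:
    """Bank-side verifier (assumed policy): accepts the current step plus or minus
    `skew` steps of clock drift, and remembers the highest step already consumed
    so the same code cannot be accepted twice."""

    def __init__(self, secret, step=30, skew=1):
        self.secret, self.step, self.skew = secret, step, skew
        self.last_used_step = -1

    def verify(self, code, now):
        current = int(now // self.step)
        for s in range(current - self.skew, current + self.skew + 1):
            if s <= self.last_used_step:
                continue                      # already consumed: a replay
            if hmac.compare_digest(hotp(self.secret, s), code):
                self.last_used_step = s
                return True
        return False


def relay_scenario(secret=SEED, t0=1111111109):
    """A phishing page harvests the victim's code at t0; the criminal submits it
    20 s later, then tries it once more. Returns (accepted_on_relay, accepted_again)."""
    bank = OtpVerifier(secret)
    captured = totp(secret, t0)               # victim types this into the bogus page
    relayed = bank.verify(captured, t0 + 20)  # still inside the window: accepted
    replayed = bank.verify(captured, t0 + 25) # same code again: refused
    return relayed, replayed


if __name__ == "__main__":
    print("relayed accepted:", relay_scenario()[0], "replay accepted:", relay_scenario()[1])
```

The replay check protects the bank against a second use of a code, but nothing in the OTP itself tells the bank whether the first use came from the customer or from a relay. That is why the article goes on to pair one-time passwords with mutual authentication and transaction-level controls.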

Thwarting these threats requires customers to be sure the Web site they access definitely belongs to the financial institution. Mutual authentication provides that assurance by enabling the customer and the FI to authenticate each other. Mutual authentication in combination with multi-factor authentication provides the strongest defense against emerging threats such as phishing and pharming. Bank of America exemplifies this by allowing customers to choose an image and phrase to be displayed when they access their online account; customers confirm their chosen image and phrase are displayed before entering their password. The check only works if customers actually stop when the image is missing, and a phishing site that forwards the customer's user name to the real bank can relay the genuine image back, so this control complements rather than replaces the others.

Wall Street classifies authentication under the broader term of Identity and Access Management (I&AM). The I&AM space is extremely competitive and a multitude of vendors provide multi-factor and mutual authentication solutions. IDC predicts identity and access management solutions should grow at a 9.7 percent CAGR from $2.6 billion in 2005 to $3.5 billion in 2008 and account for 22 percent of the $16.2 billion total security software market in 2008.

Multi-factor technologies like token-based, one-time password generators, smart cards and biometric readers have long been in regular use to protect high-value assets. Established vendors such as RSA, Activcard and Verisign provide these types of solutions. Mobile phones are gaining acceptance as authentication devices: the FI sends a one-time password to the user's mobile phone by SMS, and the user enters it as part of the authentication process. Vendors such as Vasco Systems, NordicEdge and Secure Computing Corp. provide these mobile SMS-based solutions.

Passmark and Entrust provide software solutions for both multi-factor and mutual authentication solutions. Their mutual authentication solutions add mechanisms like drop down list boxes, graphics and click sequences to the authentication process. The appearance of these mechanisms on the Web site provides the user with confidence the Web site truly belongs to the FI.

Risk threshold-based authentication assigns risk scores to a given user or transaction. Such risk scores are derived from the user's IP location, prior behavior and type of activity. An attempt whose score exceeds the institution's threshold is challenged with an additional authentication step or blocked outright. Bharosa and Digital Resolve are two vendors that provide such risk-based solutions.
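The scoring logic in such products is proprietary, so the following is an added illustration of the idea rather than any vendor's algorithm: it scores an attempt against a customer's login history on the signals the paragraph lists (IP address and country, device, usual hours, a country change too soon after the last login, and the type of activity) and maps the score to allow, step-up or block. The history records, the weights and the two thresholds are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed login history for one hypothetical customer (not real data).
HISTORY = [
    {"ts": "2005-11-01T19:02:00", "ip": "198.51.100.10", "country": "US", "device": "dev-A", "action": "view_balance"},
    {"ts": "2005-11-03T20:15:00", "ip": "198.51.100.10", "country": "US", "device": "dev-A", "action": "pay_bill"},
    {"ts": "2005-11-05T08:40:00", "ip": "198.51.100.22", "country": "US", "device": "dev-B", "action": "view_balance"},
    {"ts": "2005-11-07T19:30:00", "ip": "198.51.100.10", "country": "US", "device": "dev-A", "action": "view_balance"},
]

# Assumed policy: actions that move money or change how the customer is reached.
HIGH_VALUE_ACTIONS = {"transfer", "add_payee", "change_contact"}
# Assumed thresholds: below ALLOW_BELOW pass silently; at or above BLOCK_AT refuse.
ALLOW_BELOW, BLOCK_AT = 30, 70


def _parse(ts):
    return datetime.fromisoformat(ts)


def score_attempt(attempt, history):
    """Return (score, reasons) for a login or transaction attempt against prior behavior."""
    score, reasons = 0, []
    when = _parse(attempt["ts"])

    if attempt["ip"] not in {h["ip"] for h in history}:
        score += 15; reasons.append("ip never seen")
    if attempt["country"] not in {h["country"] for h in history}:
        score += 30; reasons.append("country never seen")
    if attempt["device"] not in {h["device"] for h in history}:
        score += 25; reasons.append("device never seen")

    usual_hours = {_parse(h["ts"]).hour for h in history}
    if not any(abs(when.hour - u) <= 2 for u in usual_hours):
        score += 10; reasons.append("unusual hour")

    # Country change within six hours of the previous login: "impossible travel".
    last = max(history, key=lambda h: h["ts"])
    if last["country"] != attempt["country"] and when - _parse(last["ts"]) < timedelta(hours=6):
        score += 40; reasons.append("impossible travel")

    if attempt["action"] in HIGH_VALUE_ACTIONS:
        score += 15; reasons.append("high-value action")
    return score, reasons


def decide(score):
    """Map a score to the action the authentication layer takes."""
    if score < ALLOW_BELOW:
        return "allow"
    if score < BLOCK_AT:
        return "step_up"     # demand a second factor or out-of-band confirmation
    return "block"


def evaluate(attempt, history=HISTORY):
    score, reasons = score_attempt(attempt, history)
    return decide(score), score, reasons


if __name__ == "__main__":
    suspicious = {"ts": "2005-11-07T22:05:00", "ip": "203.0.113.77", "country": "RO",
                  "device": "dev-Z", "action": "transfer"}
    print(evaluate(suspicious))
```

Two design points matter in practice: the middle band exists because blocking every anomaly generates help-desk calls from travelling customers, while stepping up keeps the criminal out unless the second factor has also been compromised; and the reasons list is what the fraud analyst sees, so every rule should produce one.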

Recently, software-based multi-factor authentication has appeared. Software-only solutions derive a second authentication factor from a virtual token: an encrypted file stored on the computer, the serial number of a hard disk inside it, or even the geographic location of the computer as inferred from its network address. Software-based solutions eliminate the need for customers to carry tokens, but the factor is only as safe as the computer that holds it: the customer must closely control physical access to the machine, and crimeware running on it can copy the virtual token just as it captures passwords.

The initial cost to deploy a multi-factor solution is driven by the choice of an authentication layer solution and its integration with existing access control mechanisms. The second cost dimension to consider is the acquisition of devices for end users, such as tokens or smart cards. A third, and often overlooked, cost is the implementation of ongoing processes for issuing these devices and handling customer service calls. Replacing lost cards, for example, can get very expensive.

Identity management should be considered as part of an overall portfolio of security investments. The spending should be in relationship to the value of the assets protected, any regulatory compliance requirements and the amount of risk the organization is willing to accept. Furthermore, security solutions must be sequenced and prioritized along with every other IT project.

Multi-factor authentication can be integrated into existing access control services such as user directory and Public Key Infrastructure services. Integration is typically achieved by adding hardware and software to collect the multi-factor information about a user, verify the user against that information and store the results in a directory for other applications to access.

Implementation requires more than just technology. Financial institutions need to consider the impact on their customers, ensuring the enrollment process is seamless, as well as addressing the inevitable issues that arise when a customer loses the "thing that they have." Many customers will not naturally adapt to the new paradigm of multi-factor authentication. Therefore customer education is paramount.

FFIEC guidance seeks to address the threat to Internet banking. However, banks should take a more holistic view of authentication by considering solutions that provide coverage for all channels: online, phone, ATM and branch. Authentication alone will not address the risks to banking. Authentication is a preventive measure; a multi-faceted view of security also requires detective measures, such as transaction monitoring, and corrective measures, such as fraud response and account recovery.

DiamondCluster International's David Baker is a partner and chief architect, while Nalneesh Gaur is manager at the firm. (c) 2005 Bank Technology News and SourceMedia, Inc. All Rights Reserved. http://www.banktechnews.com http://www.sourcemedia.com
