Remote Employee Access Is Risky; This Bank Makes It Safer

As security concerns mount in banking and large institutions roll out biometric authentication, community banks are also putting stronger fences around their computer systems.

A case in point is $711 million-asset Carolina Bank in Greensboro, N.C. The bank's growth and a corresponding increase in remote workers drove the CEO and IT department to seek a technology that would let them tighten access to their Citrix and Outlook Web Access systems without making the login process harder for employees. (Citrix software extends access to servers for people who work remotely.)

"As we were growing the number of people who need to have remote access and realized their varying degrees of IT awareness, it was clear that we needed to have a simple and direct method we could use without creating issues for our IT staff, and giving them accessibility 24/7 if they needed it," said CEO Bob Braswell.

The bank's executives read about the massive data breach JPMorgan reported last summer, in which 83 million customer records were compromised and hackers were said to have broken in through the computer of an employee working from home. But this was not the bank's motivation for buying new authentication software, Braswell said.

"The driving factor was to create a higher level of security for all employees who need remote access," Braswell said. "You can never be secure enough. If somebody wants to break bad, they break bad." Stronger authentication, especially with a text-message passcode that quickly expires, offers a layer of protection — the hacker at least cannot pass the information on to somebody else to use.

The bank's biggest security fear is of the unknown. "We don't know enough to know what our biggest worry is," Braswell said. "There's a 15-year-old kid out in Iowa somewhere who's trying to hack into us, that's our biggest worry."

In stepping up its authentication technology and choosing an out-of-band authentication method (in which the user is verified through a channel other than the one she's using to log in), Carolina Bank is in good company.

"I just spent the last few months speaking with 19 of the largest banks in North America, and I'm without question seeing increasing traction with out-of-band authentication," said Julie Conroy, research director at Aite Group. About 84% of the banks she spoke with have deployed out-of-band authentication, and many are using it to replace hardware token or knowledge-based authentication questions (mother's maiden name, etc.).

"Out of band authentication is generally less expensive than knowledge-based, and in the view of many of the bankers I spoke with, it's more effective, with the increasing prevalence of personal data on the Internet thanks to data compromises and the oversharing that takes place via social media," she said.

An IT committee at Carolina Bank looked at several tech options for strengthening the way employees authenticate themselves to the bank's systems. They choose SMS Passcode's text-message authentication, partly on the strength of a recommendation from their Citrix consultant, XenTegra.

The way SMS Passcode works is simple. Employees go to a secure web page, enter their user name and password and receive a text message on their phone containing a code they then enter on the web page. They have to use the code within two minutes or start the whole process over again.

"The multifactor authentication has given us the access and security we need, while at the same time making it easy for our staff to access via smartphones, which everyone has with them," Braswell said.

The automatic password expiration helps ease worries about data privacy.

"One concern we had was that if the employee was remotely logging in and, say, kept the gateway open, an authorized family member or somebody could get in and not necessarily do any harm, but end up seeing things they shouldn't see," Braswell said. "This blocks it because every time they finish their task and sign off, they have to start all over again."

The SMS Passcode software also provides geofencing and adaptive authentication. There's little reason for anyone outside Carolina Bank's market area to be logging in, so it can easily set geographical boundaries to catch ill-intentioned foreigners. Adaptive authentication determines whether users are logging in from trusted locations such as home or the office, versus an airport lounge with public Wi-Fi, and delivers the appropriate level of security.

Implementation of the system was easy and did not require a testing period, according to J.D. Brown, the bank's systems administrator.

One potential downside of text-message authentication is that it takes some end-user education, Conroy noted. At Carolina Bank, this hasn't been a problem, Brown said. "Employees all have their phones with them, all they have to do is get a text message," he said. "It's been well received."

Another shortcoming of text-message authentication is that at the time of enrollment a company has to ensure it is signing up genuine users, not fraudsters.

Carolina Bank addresses this by only allowing IT department staff to enter cell phone numbers into the system, so a fraudster would not be able to type in a new number and divert the text messages to it.

There have also been cases of cybercriminals exploiting SMS messages, though this requires social engineering (tricking people, basically).

But in this case, in addition to the limited timeframe of the passcode and the fact that the IT department controls the data entry, SMS Passcode ties each login to a specific session. So even if a hacker stole a working user ID, password, and temporary passcode, they wouldn't be able to use it on a different machine, according to Henrik Jeberg, managing director of SMS Passcode.