In its manifesto calling for tougher defenses against cybercrime by the end of 2006, the FFIEC does not call for any particular brand of authentication, going as far as to say its new guidance "does not endorse any particular technology."
But while there may be little clarity on where the specific bar sits, the underlying message is unmistakable: the government is no longer willing to let institutions get by with lower and cheaper levels of user authentication for online banking simply because the odds suggest most of their customers will never be victimized. "It's an aggressive but a very sound set of requirements for banks," says George Waller, EVP of StrikeForce Technologies.
The financial and tech industries have been grappling with user identification as adoption of Internet banking has increased, and the topic has recently become white hot as reports of phishing, pharming and other electronic crime have escalated.
There has been a wide array of approaches to the problem. A number of firms, such as E*Trade and Bank of America, have offered extra authentication for online banking. Others have limited stronger authentication to large-dollar transactions only, figuring the odds were that most of their retail customers would escape ID theft, though that notion had started to lose currency before the FFIEC put it away for good.
"Passwords are becoming weaker and weaker, and the PC itself is becoming less trustworthy because of malware," says Amir Orad, EVP of marketing for Cyota. "The outcome is banks have been looking and are already looking to move into higher levels of authentication."
Waller says some of the key provisions of the new guidance revolve around verifying the identity of the actual person transacting electronically with a bank, the practice of finding out whether someone "is who they say they are." Waller says, "The next factor is authentication, and what it comes down to is two-factor authentication. The government is saying you need two-factor authentication, but there seems to be some consternation about what two-factor authentication is."
There is a good deal of debate among institutions and tech providers as to the soundest method of two-factor authentication, or even what "counts" as two-factor authentication. That debate is likely to continue.
"Two-factor isn't cookie technology," Waller says. "Lots of firms say they are offering two-factor authentication because they drop a cookie onto a machine. But that cookie can be easily removed if someone drops a keylogger onto your system, or someone can 'screen scrape.'"
For Waller, two-factor authentication means carrying physical tokens, or using "two-channel" methods like Internet and phones, or smart card technology. "We also use a backup method. If you're at a hotel and log in to your online bank but don't have a token, you can activate the phone ID."
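To make the token option concrete, here is an added example of how a bank's server side would verify the one-time code a customer reads off a physical token. It is not code from the article or from StrikeForce, Cyota or E*Trade; it implements the standard HOTP (RFC 4226) and TOTP (RFC 6238) algorithms, and the seed and timestamps are constructed for illustration (the TOTP values match the RFC 6238 test vectors). The verifier also refuses to accept a code for a time step it has already consumed, which is the check that makes a code captured by a keylogger or screen scraper useless once it has been used, the weakness Waller attributes to cookie-based schemes.

```python
"""Server-side verification of a hardware/software token code.

Added example for this article, not vendor code. HOTP follows RFC 4226 and TOTP
follows RFC 6238. The 20-byte seed "12345678901234567890" is the RFC test seed,
and the timestamps used in the demo are constructed, not real customer data.
"""
import hashlib
import hmac
import struct
import time

# Constructed demo seed (shared secret provisioned into the customer's token).
DEMO_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password: HMAC(secret, counter) with dynamic truncation."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                               # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 8, algo=hashlib.sha1) -> str:
    """Time-based variant: the counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, at // step, digits, algo)


class TokenVerifier:
    """Validates the code a customer types in from a token.

    Tolerates `skew` time steps of clock drift either way, and never accepts a
    time step at or before the last one it accepted, so a code that was
    keylogged and replayed is rejected even inside the same 30-second period.
    In a real deployment the last accepted counter is stored per user
    (assumption made for this example: a single in-memory value).
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 8, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew
        self.last_accepted_counter = -1

    def verify(self, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else int(now)
        counter = now // self.step
        for candidate in range(counter - self.skew, counter + self.skew + 1):
            if candidate <= self.last_accepted_counter:
                continue                                  # replay or stale step
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):       # constant-time compare
                self.last_accepted_counter = candidate
                return True
        return False


def demo():
    """Constructed walk-through: a fresh code is accepted, its replay is refused."""
    v = TokenVerifier(DEMO_SEED)
    first = v.verify(totp(DEMO_SEED, 59), now=59)         # genuine login
    replay = v.verify(totp(DEMO_SEED, 59), now=59)        # same code, captured and resent
    return first, replay


if __name__ == "__main__":
    print("token code at T=59:", totp(DEMO_SEED, 59))
    print("accepted, replayed:", demo())
```

The RFC test vectors are a useful sanity check before trusting a verifier like this in production: with the seed above, HOTP counter 0 must yield 755224 and the 8-digit TOTP at T=59 must yield 94287082; any deviation means the truncation or counter encoding is wrong.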
Security tokens have also been controversial among institutions, which are concerned in part about the expense, but also about the likelihood that customers will either lose them or forget to carry them at all times.
"More than 99 percent of Internet banking users are general users, and it's not realistic to trust all of them to carry a token. You can't expect tens of millions of people to carry tokens in their pockets. They're not relevant for the mass consumer market," Orad says.
Greg Framke, CIO of E*Trade Financial, says that while he understands the concerns over tokens, they still offer some of the highest levels of protection of any multi-factor option available in the industry. "Tokens were easy for us to do because of how we're set up," Framke says, adding that E*Trade was exploring alternatives to tokens.
Framke says he was expecting some sort of regulatory action on authentication, in part because of the dramatic growth of online banking, which makes the channel an attractive target for thieves. "It's no different than credit card adoption. When there were 100 credit cards, there wasn't a lot of theft. Now that there are 100 million, there's a lot."
He also says that as important as authentication is, it is only one aspect of identity security among many that need to be considered, such as keeping accounts secure once a customer is already logged in. "Authentication is only the front door. It's important, but there are other things to look at as well."
As the FFIEC's 2006 compliance deadline draws close, Waller says the guidance will lead to a "land grab" on the part of tech providers, who are racing to supply solutions. The pressure will be on these firms to find solutions that are not only sound but also unintrusive for customers.
Orad says that whatever measure an institution takes, it is important to avoid interfering with the transaction. "You should also use something that you have always used to authenticate, such as answering another identifying question or the phone."
The FFIEC's guidance signals deeper government involvement in the problem of electronic identity fraud. The Securities and Exchange Commission, for example, recently issued its own "investor guide" designed to help the public protect their online brokerage accounts.
The SEC says it has become aware of numerous situations in which unauthorized individuals have gained access to other people's online brokerage accounts, with some fraudsters stealing money from investors by transferring funds from the online brokerage accounts to outside accounts. It suggests installing a personal firewall and a security software package, using a security token, and ignoring emails that request confidential or sensitive information.