Banks Hustle to Secure Web Apps
Feds call for stronger end-user authentication; IT execs weigh tech costs vs. business risks
October 24, 2005 12:00 PM ETComputerworld -
With the clock ticking for banks to comply with new federal guidelines calling for stronger user authentication measures during online transactions, companies are rushing to evaluate the various technologies available to help meet the requirements.
But in many cases, the choices may not be cut and dried, IT and security managers warned last week.
"There is no one single technology that is appropriate for all your authentication and authorization needs," said Robert Garigue, chief information security officer at Bank of Montreal in Toronto. He added that banks "have to look at it in the context of the business value at risk" and also consider whether authentication technologies are user-friendly enough.
"It's a cost-benefit issue, and [one of] trying to make sure you don't put any additional inconveniences on your customers," said Donald Duggan, chief technology officer at San Francisco-based Bank of the West, which manages $41 billion worth of assets.
"As a consumer, I wouldn't want to carry a token around everywhere I went," Duggan said, referring to token-based forms of authentication. As an alternative, Bank of the West is evaluating technology from PassMark Security Inc. that uses the combination of a user-selected image, a secret phrase and a challenge question to authenticate users who are trying to access banking Web sites.
The Federal Financial Institutions Examination Council (FFIEC) on Oct. 12 released guidelines that call on banks to upgrade single-factor authentication processes, which are typically based on usernames and passwords, by adding a second, stronger form of authentication. Compliance is expected by the end of next year.
The guidelines leave it up to the banks to choose the kind of authentication technology they want to implement. But the FFIEC, an interagency council set up to develop standards for the auditing of financial institutions by government bodies, listed options such as biometrics, tokens and one-time passwords.
The FFIEC's guidelines don't have the weight of a law and are more like a set of best practices. But financial institutions will be audited against them as of the end of 2006 and will be written up by examiners if they aren't in compliance, said a spokesman for the Federal Reserve System.
"I'm not a big fan of regulations in general, but this one has the right intent," said Kevin Doyle, information security officer at the Pennsylvania State Employees Credit Union in Harrisburg. "Online threats are going more and more toward the end users, and the FFIEC is simply reacting to that trend."
In March, the credit union started rolling out a two-factor authentication technology from Cyota Inc. that analyzes and scores risks on individual online banking transactions. The scoring is based on criteria such as the end user's computer, IP address, geographic location and transaction history. Users trying to conduct online banking transactions that the system flags as being high risk are authenticated via telephone calls or a challenge-and-response process.
Security
Additional Resources



White Papers & Webcasts
Share our Strength
Download Now
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Top 10 Things to Know about Data Protection
Download Now
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...
Ponemon Study: The Business Risk of a Lost Laptop
Download Now
Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.
Airport Insecurity: The Case of Lost Laptops
Download Now
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...
