Banks Hustle to Secure Web Apps

Computerworld - With the clock ticking for banks to comply with new federal guidelines calling for stronger user authentication measures during online transactions, companies are rushing to evaluate the various technologies available to help meet the requirements.

But in many cases, the choices may not be cut and dried, IT and security managers warned last week.

"There is no one single technology that is appropriate for all your authentication and authorization needs," said Robert Garigue, chief information security officer at Bank of Montreal in Toronto. He added that banks "have to look at it in the context of the business value at risk" and also consider whether authentication technologies are user-friendly enough.

"It's a cost-benefit issue, and [one of] trying to make sure you don't put any additional inconveniences on your customers," said Donald Duggan, chief technology officer at San Francisco-based Bank of the West, which manages $41 billion worth of assets.

"As a consumer, I wouldn't want to carry a token around everywhere I went," Duggan said, referring to token-based forms of authentication. As an alternative, Bank of the West is evaluating technology from PassMark Security Inc. that uses the combination of a user-selected image, a secret phrase and a challenge question to authenticate users who are trying to access banking Web sites.

The Federal Financial Institutions Examination Council (FFIEC) on Oct. 12 released guidelines that call on banks to upgrade single-factor authentication processes, which are typically based on usernames and passwords, by adding a second, stronger form of authentication. Compliance is expected by the end of next year.

The guidelines leave it up to the banks to choose the kind of authentication technology they want to implement. But the FFIEC, an interagency council set up to develop standards for the auditing of financial institutions by government bodies, listed options such as biometrics, tokens and one-time passwords.

The FFIEC's guidelines don't have the weight of a law and are more like a set of best practices. But financial institutions will be audited against them as of the end of 2006 and will be written up by examiners if they aren't in compliance, said a spokesman for the Federal Reserve System.

"I'm not a big fan of regulations in general, but this one has the right intent," said Kevin Doyle, information security officer at the Pennsylvania State Employees Credit Union in Harrisburg. "Online threats are going more and more toward the end users, and the FFIEC is simply reacting to that trend."

In March, the credit union started rolling out a two-factor authentication technology from Cyota Inc. that analyzes and scores risks on individual online banking transactions. The scoring is based on criteria such as the end user's computer, IP address, geographic location and transaction history. Users trying to conduct online banking transactions that the system flags as being high risk are authenticated via telephone calls or a challenge-and-response process.