Banks urged to look beyond passwords, usernames for security

Transaction-level controls and account monitoring systems are important, too

October 27, 2005 12:00 PM ET

Computerworld - As banks turn their attention to stronger authentication technologies in the wake of recent guidance from the Federal Financial Institutions Examination Council, it's important that they don't overlook transaction-level controls, several security experts said.
The FFIEC on Oct. 12 released guidelines that call on banks to upgrade single-factor authentication processes, which are typically based on usernames and passwords, by adding a second, stronger form of authentication during online transactions (see "Banks get new online authentication guidelines").
The FFIEC guidelines, against which banks will be audited starting in December 2006, have focused considerable industry attention on technologies that will allow banks to add a second form of authentication on top of those already used. While such measures will play a part in security, it would be a mistake to focus on stronger authentication alone as a way to mitigate online risk, said Alenka Grealish, an analyst at Celent LLC, a financial services consultancy in Boston.
"I think it's important to not only pay attention to how we secure the door to the bank, but also to what should be done when or if a criminal finds his way through that door," Grealish said. "The entire antifraud strategy of a bank needs to be emphasized," not just stronger authentication, Grealish said.
From a security standpoint, threats such as phishing and Trojan horses can already bypass some of the strong authentication technologies available today, said Jonathan Penn, an analyst at Forrester Research Inc. in Cambridge, Mass. As a result, better transaction monitoring, account monitoring and behavior modeling are needed to detect and prevent fraud, Penn said.
Swedish bank Nordea AB, for example, was forced to shut down its online services for several hours earlier this month after phishers reportedly tried to trick bank clients into parting with one-time passwords Nordea AB had supplied as part of a strong authentication system.
More recently, the Bank of New Zealand was forced to suspend Internet banking services for several hours after phishers attempted to steal customer log-ins and passwords by directing them to a spoofed Web site that was an exact replica of the bank's site, according to a statement from the bank.

Stronger authentication by itself is of little value in protecting users in such cases, according to Penn.
"It's not just about the authentication," he said. "If all of a sudden I change my address and then request a replacement credit card, that should raise a lot of red flags -- and it has nothing to do with authentication."
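As an added illustration of the transaction-level monitoring Penn describes (example code written for this page, not from the article or any bank's system): a small rule that flags an address change followed by a replacement-card request, generalised to any ordered pair of sensitive account actions inside a time window. The event kinds, the second rule and the 14-day and one-hour windows are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    account: str
    kind: str  # e.g. "login", "address_change", "card_replacement", "transfer"
    at: datetime

# Ordered pairs of account actions that together look like account takeover,
# with the longest gap still worth flagging. The first rule is the article's
# own example; the second is an assumed extension of the same idea.
SUSPICIOUS_SEQUENCES = [
    ("address_change", "card_replacement", timedelta(days=14)),
    ("new_payee", "transfer", timedelta(hours=1)),
]

def flag_sequences(events, rules=SUSPICIOUS_SEQUENCES):
    """Return (account, first_kind, second_kind, when) for each matched pair.

    Events are grouped per account and ordered by time; every precursor is
    paired with each later event of the second kind inside the window."""
    by_account = {}
    for e in sorted(events, key=lambda e: e.at):
        by_account.setdefault(e.account, []).append(e)
    alerts = []
    for account, evs in by_account.items():
        for first_kind, second_kind, window in rules:
            for p in (e for e in evs if e.kind == first_kind):
                for e in evs:
                    if e.kind == second_kind and p.at < e.at <= p.at + window:
                        alerts.append((account, first_kind, second_kind, e.at))
    return alerts

# Constructed sample: every event comes from a session that passed
# authentication, so an authentication-only control would see nothing wrong.
T0 = datetime(2005, 10, 20, 9, 0)
SAMPLE_EVENTS = [
    Event("acct-1", "login", T0),
    Event("acct-1", "address_change", T0 + timedelta(minutes=2)),
    Event("acct-1", "card_replacement", T0 + timedelta(days=3)),
    Event("acct-2", "login", T0),
    Event("acct-2", "address_change", T0 + timedelta(days=1)),
    Event("acct-2", "card_replacement", T0 + timedelta(days=60)),  # too late to pair
    Event("acct-3", "new_payee", T0),
    Event("acct-3", "transfer", T0 + timedelta(minutes=10)),
]
```

Running `flag_sequences(SAMPLE_EVENTS)` raises two alerts, for acct-1 and acct-3, while acct-2's widely separated events pass without comment.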

That advice is appropriate given