Financial institutions that truly want to bolster their online security need to look beyond the requirements of new strong authentication guidelines set to take effect Dec. 31, IT users and industry analysts said.
The guidelines are from the Federal Financial Institutions Examination Council (FFIEC) and call on banks and credit unions to implement strong authentication measures to protect online users against ID theft and other types of fraud. They also urge financial institutions to upgrade current single-factor authentication processes -- typically based on usernames and passwords -- with a stronger, second form of authentication. The guidelines are not required by law, but the FFIEC has said it will start auditing banks for compliance next year.
The guidelines have been successful in getting the financial industry to turn its attention to the issue of online security, said Avivah Litan, an analyst at Gartner Inc. in Stamford, Conn. About two-thirds of the financial institutions in the U.S. are likely to have stronger authentication processes in place by the time the deadline passes, she said.
But because the focus is largely on front-end access controls -- and less on what happens at the transaction level -- the FFIEC guidance by itself is inadequate against emerging security threats, said Don Phan, an analyst at Javelin Strategy and Research in Pleasanton, Calif.
"We don't consider FFIEC guidance alone to be strong enough to make the consumer safer" against online security threats," he said. "Financial institutions must set their goals higher than FFIEC compliance."
Phan recommends using risk assessment and alerting measures both at the log-in stage and for real-time monitoring of an account holder's activities in-session. Such measures are needed to fight fraud that can result if hackers manage to compromise strong authentication processes during log-in, he said. Already, for instance, fraudsters have found a way to break the one-time passwords that some banks have begun using as a second form of user authentication, Phan said.
Similarly strong authentication measures, such as two-factor authentication, don't offer protection against so-called man-in-the-middle attacks where hackers are able to intercept and modify the traffic between two parties.
Strong authentication "certainly isn't a silver bullet," said Melissa Auchter, CIO at the Parda Federal Credit Union, an 18,000-member financial institution in Rochester, Mich. "It just protects one doorway. It's one more measure in a whole comprehensive approach to protecting" data assets, she said.
Parda has just finished rolling out a multifactor authentication product from Issaquah, Wash.-based BioPassword Inc. that combines users' standard log-in credentials with information about their keyboard typing rhythm to authenticate users to their accounts. The tool meets FFIEC's strong authentication requirement, but it is only part of a layered defense that includes transaction-level fraud monitoring, Auchter said.
The University of Wisconsin Credit Union in Madison has for the past year used technology from Corillian Corp. to authenticate users during log-in and, to a limited extent, at the transaction stage. Corillian's technology lets the credit union profile users' systems and their online behavior and then challenges them to provide extra proof of identity if there is a change from the norm. Looking ahead, the credit union plans to complement those measures with a stronger out-of-band process, where automated phone calls will be made to account holders to authenticate their identity if there's reason to doubt it, said Eric Bangerter, the credit union's director of Internet services.
The move is necessary because phishers have begun to figure out how to compromise most challenge/response forms of strong authentication, he said. "Eventually, I would like to eliminate the challenge questions completely because they don't add much to security" beyond what is offered by passwords, Bangerter said.
FFIEC's guidance is mostly aimed at dealing with current threats such as phishing, said Chad Graves, vice president of IT at the Ent Federal Credit Union in Colorado Springs. Since Oct. 1, the credit union has required its 18,000 members to use a multifactor authentication process based on technology from Hillsboro, Ore.-based Corillian.
Based on a risk assessment, there appears to be no immediate need to extend that sort of authentication to the transaction level, Graves said. "Right now, our highest risk at the transaction level is an outbound bill pay," he said. But in the future, if the credit union decides to implement electronic clearinghouse or wire transfer transactions, it will consider transaction controls.
Financial institutions will also need to pay close attention to securing their phone-based transactions said Gwenn Bezard, research director at the Aite Group, a Boston-based consultancy focused on technology issues in the financial industry. "The way banks authenticate customers through the phone is weak," Bezard said. "Fraudsters will soon start finding it more difficult to compromise online channels, so they will migrate to the phone channel where the defenses are weaker and the opportunities for social engineering are greater," he said.
Such threats have not become a big issue yet in the financial industry, so there may be a tendency to see FFIEC's guidelines as adequate, Bezard said. "But is it going to be adequate in 12 months, or 18 months? Fraudsters adapt pretty quickly, so they will find new ways to attack. So sooner rather than later, these measures are going to become obsolete."