Banks urged to look beyond passwords, usernames for security

Transaction-level controls and account monitoring systems are important, too

As banks turn their attention to stronger authentication technologies in the wake of recent guidance from the Federal Financial Institutions Examination Council, it's important that they don't overlook transaction-level controls, several security experts said.

The FFIEC on Oct. 12 released guidelines that call on banks to upgrade single-factor authentication processes, which are typically based on usernames and passwords, by adding a second, stronger form of authentication during online transactions (see "Banks get new online authentication guidelines").

The FFIEC guidelines, which banks will be audited against starting in December 2006, have focused considerable industry attention on technologies that will allow banks to add a second form of authentication on top of those already used. While such measures will play a part in security, it would be a mistake to focus on stronger authentication alone as a way to mitigate online risk, said Alenka Grealish, an analyst at Celent LLC, a financial services consultancy in Boston.

"I think it's important to not only pay attention to how we secure the door to the bank, but also to what should be done when or if a criminal finds his way through that door," Grealish said. "The entire antifraud strategy of a bank needs to be emphasized," not just stronger authentication, Grealish said.

From a security standpoint, threats such as phishing and Trojan horses can already bypass some of the strong authentication technologies available today, said Jonathan Penn, an analyst at Forrester Research Inc. in Cambridge, Mass. As a result, better transaction monitoring, account monitoring and behavior modeling are needed to detect and prevent fraud, Penn said.

Swedish bank Nordea AB, for example, was forced to shut down its online services for several hours earlier this month after phishers reportedly tried to trick bank clients into parting with one-time passwords Nordea AB had supplied as part of a strong authentication system.

More recently, the Bank of New Zealand was forced to suspend Internet banking services for several hours after phishers attempted to steal customer log-ins and passwords by directing them to a spoofed Web site that was an exact replica of the bank's site, according to a statement from the bank.

Stronger authentication by itself is of little value in protecting users in such cases, according to Penn.

"It's not just about the authentication," he said. "If all of a sudden I change my address and then request a replacement credit card, that should raise a lot of red flags -- and it has nothing to do with authentication."

That advice is appropriate given the current threats facing banks, said Donna Pfeil, vice president of information security and compliance at ShoreBank Corp. in Chicago.

"It really is all about thinking through the process and making sure you understand what the best solutions are for mitigating the risk of having your customer information compromised," she said.

ShoreBank was evaluating strong authentication technologies even before the FFIEC guidelines were released. It is now trying to understand where security threats exist by monitoring online transactions and the use of its Internet products. Its plan is to implement an authentication process tied to the level of risk associated with a particular online transaction.

Regulations such as the U.S. Patriot Act already require banks to do a certain level of account and transaction monitoring, which can be useful in detecting fraud, said Tom Robertson, senior vice president of IT at Charter Bank of Bellevue, Wash. Also crucial when it comes to mitigating risks from phishing and pharming are measures such as education and awareness campaigns, he said.

Real-time transaction monitoring and account behavior modeling techniques have been used for years to combat fraud in the credit card industry, said Ted Crooks, vice president of global fraud solutions at Fair Isaac Corp. in Minneapolis.

Fair Isaac's Falcon fraud management technology has been widely used by credit card issuers since the early 1990s to detect and prevent fraud. At a high level, the technology works by monitoring transactions and account activity in real time, looking for and flagging any behavior that deviates from the norm, Crooks said.

Such tools have helped credit card companies reduce fraud from roughly 18 cents per $100 about 15 years ago to just over 5 cents per $100 currently, and can help in the retail banking sector, he said.

"Because you can't possibly know all the places where there might be leaks, what you need is this final view of the entire behavior of an account," Crooks said.

Another company that offers similar technology is New York-based Actimize Ltd., whose suite of fraud-prevention products is aimed at helping financial institutions deal with online issues such as account takeovers, identity theft, and check and account application fraud.

"Today in the credit card world, every single transaction is scored for the chance of it being fraudulent," said Naftali Bennet, CEO of Cyota Inc., a New York-based vendor of fraud management technologies for the banking sector. Banks, too, need to put in similar monitoring systems to score every single activity for risk, particularly at a time when phishing, pharming and targeted Trojan attacks are becoming more common, he said.
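To make concrete what "scoring every single activity for risk" and "flagging behavior that deviates from the norm" look like in practice, here is a small added example, written for this article and not code from Fair Isaac, Actimize, Cyota or any bank. It builds a per-account baseline from past activity, scores each new event against that baseline (amount deviation, new payee, burst of payments, unfamiliar session country, and Penn's address-change-then-replacement-card sequence), and maps the score to allow, step-up authentication or hold for review, the risk-tiered authentication ShoreBank describes. All event data, rule weights and thresholds are constructed for illustration.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import List, Set, Tuple

DAY = 86_400          # seconds
HOUR = 3_600

@dataclass
class Event:
    """One online-banking activity. Attribute values below are constructed, not real data."""
    ts: int                    # seconds since an arbitrary epoch
    kind: str                  # "payment", "address_change", "card_replacement"
    amount: float = 0.0        # payments only
    payee: str = ""            # payments only
    ip_country: str = "US"     # country of the session's source address

@dataclass
class AccountProfile:
    """Baseline of what is 'normal' for one account, built from accepted activity."""
    amounts: List[float] = field(default_factory=list)
    payees: Set[str] = field(default_factory=set)
    countries: Set[str] = field(default_factory=set)
    recent: List[Event] = field(default_factory=list)   # every scored event, for sequence/velocity rules

    def learn(self, ev: Event) -> None:
        """Fold an accepted event into the baseline (only called for allowed events)."""
        if ev.kind == "payment":
            self.amounts.append(ev.amount)
            self.payees.add(ev.payee)
        self.countries.add(ev.ip_country)

def score_event(profile: AccountProfile, ev: Event) -> Tuple[int, List[str]]:
    """Risk score 0-100 for one event plus the reasons that contributed. Weights are illustrative."""
    score, reasons = 0, []
    if ev.ip_country not in profile.countries:
        score += 30; reasons.append(f"session from country {ev.ip_country} never seen on this account")
    if ev.kind == "payment":
        if len(profile.amounts) >= 5:                      # need a baseline before judging amounts
            mu, sd = mean(profile.amounts), pstdev(profile.amounts) or 1.0
            z = (ev.amount - mu) / sd
            if z > 3:
                score += 40; reasons.append(f"amount {ev.amount:.2f} is {z:.1f} std devs above usual")
        if ev.payee not in profile.payees:
            score += 20; reasons.append(f"first payment to payee {ev.payee!r}")
        burst = sum(1 for e in profile.recent if e.kind == "payment" and 0 <= ev.ts - e.ts <= HOUR)
        if burst >= 3:
            score += 25; reasons.append(f"{burst} other payments in the last hour")
    if ev.kind == "card_replacement":
        # Penn's example: an address change followed shortly by a replacement-card request.
        if any(e.kind == "address_change" and 0 <= ev.ts - e.ts <= 7 * DAY for e in profile.recent):
            score += 60; reasons.append("replacement card requested within 7 days of an address change")
    return min(score, 100), reasons

def decide(score: int) -> str:
    """Map a score to the control applied: plain allow, step-up authentication, or hold."""
    if score >= 60:
        return "hold_for_review"
    if score >= 30:
        return "step_up_auth"
    return "allow"

def run(history: List[Event], new_events: List[Event]) -> List[Tuple[str, int, str, List[str]]]:
    """Build the baseline from history, then score each new event in order."""
    profile = AccountProfile()
    for ev in history:
        profile.learn(ev)
        profile.recent.append(ev)
    results = []
    for ev in new_events:
        score, reasons = score_event(profile, ev)
        decision = decide(score)
        results.append((ev.kind, score, decision, reasons))
        profile.recent.append(ev)          # always remembered for sequence rules ...
        if decision == "allow":
            profile.learn(ev)              # ... but only accepted events move the baseline
    return results

# Constructed sample account: eight ordinary domestic payments over a week.
HISTORY = [
    Event(ts=i * DAY, kind="payment", amount=a, payee=p)
    for i, (a, p) in enumerate([(55, "electric_co"), (60, "grocer"), (70, "grocer"), (80, "landlord"),
                                (85, "grocer"), (90, "electric_co"), (100, "landlord"), (120, "grocer")])
]
# Then four new events: a routine payment, an address change from an unfamiliar country,
# a replacement-card request two days later, and a large payment to a never-seen payee.
NEW_EVENTS = [
    Event(ts=10 * DAY, kind="payment", amount=90, payee="grocer"),
    Event(ts=12 * DAY, kind="address_change", ip_country="RO"),
    Event(ts=14 * DAY, kind="card_replacement"),
    Event(ts=14 * DAY + 600, kind="payment", amount=2500, payee="fresh_payee"),
]

if __name__ == "__main__":
    for kind, score, decision, reasons in run(HISTORY, NEW_EVENTS):
        print(f"{kind:18s} score={score:3d} -> {decision:16s} {'; '.join(reasons)}")
```

Two design points matter more than the particular weights. First, the baseline is only updated from events that were allowed, so a held or stepped-up event cannot teach the model that its own anomaly is normal. Second, the address-change event is scored on its own merits (here it only triggers step-up because of the unfamiliar country) yet is still remembered, so the later replacement-card request is judged in the context of the sequence, which is exactly the case a per-login authentication check alone would miss.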

"It's important to secure against today's and tomorrow's threats," Bennet said. "Many authentication solutions that seem like magic bullets today will not stop fraudsters," he said.

Eric Lai contributed to this report.

Copyright © 2005 IDG Communications, Inc.
