New U.S. Rules Expected to Strengthen Online Banking
By Tom Schmidt
Will online banking customers be more secure by the end of this year? They will if the U.S. government has its way. By the end of 2006, financial institutions are expected to have improved their online security systems, as mandated by the Federal Financial Institutions Examination Council (FFIEC), the interagency body that sets examination standards for U.S. financial institutions. The FFIEC is calling for banks to go beyond the conventional methods of user IDs and passwords by using an additional form of user authentication. This article looks at the FFIEC's guidance and its ramifications for secure online banking.

Responding to 'increasing incidents of fraud'

According to the FFIEC's new guidance, titled "Authentication in an Internet Banking Environment," banks must now rely on two-factor authentication, which adds a second identity check alongside the password. This guidance replaces rules issued to banks in 2001. The FFIEC said it was issuing the guidance now due to "increasing incidents of identity theft and fraud, and the introduction of improved authentication technologies and other risk mitigation strategies."
As an article in the tech publication TechNewsWorld puts it, in the case of hardware tokens, "banks would provide users with a small device like a smart card or a password generator that plugs into a USB port and provides passwords that are identical to those used by a bank's security system."

Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods, says the FFIEC: "Properly designed and implemented multifactor authentication methods are more reliable and stronger fraud deterrents. For example, the use of a logon ID/password is single-factor authentication (i.e., something the user knows); whereas, an ATM transaction requires multifactor authentication: something the user possesses (i.e., the card) combined with something the user knows (i.e., PIN)."

The guidance also stresses that not every control has to be an authentication step: "Much of this control is not based directly upon authentication. For example, a financial institution can analyze the activities of its customers to identify suspicious patterns. Financial institutions also can rely on other control methods, such as establishing transaction dollar limits that require manual intervention to exceed a preset limit."

Adequate reporting mechanisms are needed "to promptly inform security administrators when users are no longer authorized to access a particular system and to permit the timely removal or suspension of user account access." In addition, if critical systems or processes are outsourced to third parties, "management should ensure that the appropriate logging and monitoring procedures are in place and that suspected unauthorized activities are communicated to the institution in a timely manner."

Education will be key

While financial institutions have been trying to address password weaknesses by making consumers aware of the potential dangers and requiring them to use more complex passwords, further education is needed.
According to the FFIEC, financial institutions should evaluate their consumer education efforts to determine if additional steps are necessary.

Conclusion

The FFIEC is blunt in its opinion of the reliability and security of the methods currently used to authenticate online customers: "single-factor authentication, as the only control mechanism, [is] inadequate in the case of high-risk transactions involving access to customer information or the movement of funds to other parties."

As Avivah Litan, an industry analyst with the Gartner Group, told TechNewsWorld: "The government initiative gives a clear and loud wake-up call to a procrastinating U.S. banking industry that has not moved beyond relying on single-factor reusable password authentication."

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.
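The two controls the guidance describes above, a multifactor login (something the user knows plus a token the user possesses) and a transaction dollar limit that forces manual intervention, as an added Python example that is not part of this article or of the FFIEC guidance. It assumes the hardware token is an RFC 4226 HOTP code generator (the guidance names no algorithm); the customer record, password and limit are constructed sample values.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed sample seed (the RFC 4226 test secret, so results are checkable);
# a real token would carry a unique, randomly generated seed.
TOKEN_SEED = b"12345678901234567890"

@dataclass
class Customer:
    password_hash: str        # demo: plain SHA-256; use a salted password hash in practice
    token_seed: bytes         # shared secret held by the bank and the customer's token
    token_counter: int        # last counter value accepted from the token
    manual_review_limit: int  # dollars; transfers above this need a human approver

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the code a counter-based token displays for this counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_token(cust: Customer, code: str, look_ahead: int = 5) -> bool:
    """Something possessed: accept a code matching one of the next few counters
    (tolerates unseen button presses), then advance the counter to block replay."""
    for c in range(cust.token_counter + 1, cust.token_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(cust.token_seed, c), code):
            cust.token_counter = c
            return True
    return False

def authenticate(cust: Customer, password: str, code: str) -> bool:
    """Two factors: something known (password) AND something possessed (token).
    Both are always evaluated so the result does not reveal which factor failed."""
    knows = hmac.compare_digest(
        hashlib.sha256(password.encode()).hexdigest(), cust.password_hash)
    has = verify_token(cust, code)
    return knows and has

def needs_manual_intervention(cust: Customer, amount: int) -> bool:
    """Transaction dollar limit: exceeding the preset limit requires manual approval."""
    return amount > cust.manual_review_limit

def make_customer(password: str, limit: int) -> Customer:
    """Constructed sample record; counter 0 means the next expected token code is #1."""
    return Customer(hashlib.sha256(password.encode()).hexdigest(), TOKEN_SEED, 0, limit)
```

A correct password with a stale or guessed code fails, as does a valid code with the wrong password, which is the point of requiring both factors.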