Financial houses strengthen authentication with challenge questions, phone authentication and other means of outsmarting hacker sleuths
By Marisa Torrieri, Contributing Editor
Bank of America’s answer to the new federal guidelines isn’t a biometrics apparatus that detects a legit banker’s paw print or a hardware token that generates passwords on the fly. For now, it’s much simpler.
The Charlotte, N.C., national bank chain just started rolling out SiteKey, its free, new online security technology intended to better protect its 13.2 million online banking customers. The risk-based authentication software works behind the scenes, passing information back and forth between the user and bank. When logging on, customers select an image, write a brief phrase and select three challenge questions. When the customer signs in to online banking, they view their image and phrase before inserting their password – confirming that they are at the real Bank of America site. If a customer uses a computer the bank doesn’t associate with them, SiteKey will issue a challenge question to confirm that it is the appropriate customer.
“We see this as [part of] an ongoing process,” says Betty Reiss, a spokeswoman for Bank of America’s online activities, adding that the upgrades will protect online bankers from phishing and other fraudulent activities.
The decision to install SiteKey to increase online security is based on months of market research involving focus groups, Reiss says. BOA’s potential customers favored the idea of a challenge question because of its convenience over other two-factor authentication methods. Additionally, the bank’s corporate headquarters favored the method because it was less costly to implement than other methods.
“It adds an added layer of authentication but doesn’t require an additional purchase in software,” Reiss says.
Like Bank of America, many banks and credit unions serving regular Jane Does (the “horizontal markets” composed of consumers) are charging full speed ahead to improve the security of online banking. The recent guidelines put out by the Federal Financial Institutions Council (FFIEC) sped up that process. In the recent guidelines, “Authentication in an Internet Banking Environment,” financial institutions are instructed to analyze risks of fraud attacks and enhance systems with some form of two-factor authentication.
The good news for the companies that make two-factor authentication products is that banks must do something to show they are evaluating risks of customers’ data being exposed to the wrong parties via their existing information technology in palace.
“The FFIEC guidance has had a huge impact of making people move,” says Stu Vaeth, chief security officer at Diversinet, a company that develops soft tokens and provisioning for two-factor authentication. “It’s putting a lot of the banks over the edge, saying, let’s do something now.’
Banks also want to do something because of the growing media attention to phishing, identity theft, and the risks related to online banking. The more their consumers read about online attacks, the more fear they have to do their banking outside of a branch setting, Vaeth says.
Since online banking costs a bank far less than branch-based activities, it’s easy to see why financial institutions are weighing their options, wallets in hand.
Great security versus keeping customers happy: How banks are handling the FFIEC guidelines for two-factor authentication
For the producers of two-factor authentication products, courting a U.S.-based bank is far easier today than in the past … though still not a slam dunk. They must show that their software or other “solution” provides high level of security, is cheap to install, and won’t inconvenience customers. Cost and convenience are the biggest factors influencing banks’ investments, according to bank analysts and IT staff.
“The consumer I think is to blame in a lot of cases,” says Doug Graham, a security consultant for BusinessEdge Solutions, Inc. “They want their cake, and they want to eat it as well.”
The biggest challenge is making online banking more secure while inconveniencing consumers as little as possible. This challenge may explain the hesitancy for banks to start issuing hard tokens, or one-time passwords (OTP), says Vaeth, as they lack universal authentication.
Because of the lack of a single, authentication standard for all online transactions, you have to use multiple hard tokens for different transactions – you can’t use the same password to transfer money that you use to order goods from Amazon.com, for example. This is perhaps one the biggest reasons why the sale of OTP devices hasn’t exploded in America, says Vaeth.
“Hard tokens are less desirable for those who don’t want to carry around a necklace of tokens,” says Diversinet’s Vaeth, who doubles as a co-chair for the Initiative for Open Authentication’s (OATH) technical group. The organization, formed in February 2004, is one of a growing number of consortiums meeting to address the “necklace” problem by developing an open standard for strong authentication for any online application.
Although the larger 180 or so national institutions like Bank of America have been aware of the need to build to build stronger online security systems to deter fraud, smaller institutions with $5 billion or less in assets are still trying to figure out the best solution, says George Tubin, a security analyst with TowerGroup, who just authored a new report that interprets the FFIEC regulations (Tubin’s report endorses the risk-based authentication technologies such as that used by Bank of America, over hard tokens).
Not turning off customers was International Bank of Miami’s primary consideration when it decided to overhaul its infrastructure and use a voice-based biometric authentication system for high-end customers doing wire transfers or making account changes.
After upgrading desktop computers and back end systems, the company contracted with Diaphonics to install the voice authentication system, says Ray Guzman, the bank’s vice president of IT. Such a system enhances security for such customers. Now that the FFIEC made it clear that the bank needs to do more to amplify its security for the rest of its “few thousand” customers, Guzman is comparison shopping different soft token-based “solutions.”
“The biggest concern is customers,” Guzman says. “Will they accept the technology?”
What’s next for two-factor authentication, 2006 and beyond
Methods in place such as SiteKey are good deterrents for fraudsters today. But just as security for protecting customer information improves, so do the methods for circumventing a bank’s firewalls. And so, whatever banks are doing today may need an upgrade in the not-too-distant future.
In his report, the TowerGroup’s Tubin addresses a series of cyber threats that continue to emerge, including Trojan horses, Drive-by Downloads and DNS cache poisoning. Because of the growing level of sophistication, the TowerGroup recommends institutions to look beyond the FFIEC’s minimum requirements and implement comprehensive authentication solutions to protect against the potential for enterprise-wide fraud within an institution.
One way of doing this is by offering multiple solutions to different customers, says Graham. For example, a bank using one vendor’s risk-based authentication technologies may find itself interested in another provider’s hard tokens for corporate-level bankers who conduct online transactions at multiple locations.
What is likely to happen is a growing number of banks offering a range of products for different customers – high-end users, corporate bankers and low-risk users. For example, a bank might offer an internal, behind-the-scenes risk management system for one customer, but give another customer an OTP to do mobile transactions from afar.
Products that allow cross authentication – customers to use a single solution to interact with multiple financial entities they have relationships with – will become more important in the future, says Graham.
Instead of multiple security devices, “the industry needs to come up with a solid solution where one single authenticator can be used to validate identity to multiple entities, or where trust relationships can be leveraged from one institution to another through the use of identity federation,” Graham says. “Simply put, we need to give the consumers one method of validating their identity, or authenticating to multiple sources.”