The Financial Services Sector Coordinating Council, an industry group working to protect financial services companies from cyber attacks, has made identity assurance a top priority in its latest research agenda.
The council is looking at two aspects of identity assurance: identity vetting during enrollment, and authentication when later accessing services, says Bob Blakley, director of security innovation at Citi and co-chair of the council’s research and development committee.
“We have a set of problems with processes and documentation for establishing identity,” Blakley says. “A lot of identities are established online and that limits the ability to examine authoritative identity source information, such as birth certificates and other documents.”
Combined with the fact that some authoritative records are not resistant to theft or fraud, it can be difficult to make sure that an individual is who they claim to be.
The council has worked on a pilot with the U.S. Department of Homeland Security to improve identity vetting during account enrollment, says Dan Schutzer, co-chair of the council’s research and development committee and chief technology officer for BITS, the technology policy division of The Financial Services Roundtable. The tests have included connecting to state driver’s license issuers to make sure the information provided matches what is on record.
On the authentication side there are a number of issues being reviewed, Blakley says. The problems with user names and passwords are well documented, and the answers to knowledge-based questions (what’s your favorite movie?) can be found out or obtained through social engineering. One-time passcodes and text messages are better but can also be circumvented with man-in-the-middle and man-in-the-browser attacks.
“What we’re asking for is some attention paid to how to establish identity at enrollment with a high degree of assurance and how do we authenticate an identity when they log in without traumatizing the user,” Blakley adds.
The council plans to collaborate with the research community to find promising use cases, Schutzer says. If a technology shows particular promise, the council will help conduct pilots.
“The point of any of these research items and the ID research is to make sure our ability to protect customers remains strong,” Blakley explains. “The whole idea is to authenticate someone so only they can decide what to do with their money.”
In addition to identity assurance, the council is also looking into:
- Security analysis and intelligence;
- Transaction protocols;
- Risk management;
- Human behavior;
- Proactive measures;
- Software technology assurance;
- Testing financial applications;
- Training; and
- Internet ecosystem architecture.