The Federal Financial Institutions Examination Council (FFIEC) is one of those inconspicuous government organizations that probably only grab your attention if you operate a bank or credit union, since their regulators are going to show up from time to time to audit you. But when the FFIEC last week spelled out its dissatisfaction with simple password and ID for Internet-based banking, it raised a topic every security professional is forced to confront: authentication of online identity.
It would be hard to find a security professional who gets enthusiastic about re-usable password and ID as a form of authentication since this information is so easily compromised through sharing or theft.
But the fact is this most elemental form of authentication remains widely used, even as the Web and the Internet have made it possible for ordinary folk to manage their money through online banking. And that's not to mention a host of other financial services, such as stock brokerages, not covered under the FFIEC guidelines.
The multi-agency FFIEC includes the Federal Reserve System, the Federal Deposit Insurance Corp., the National Credit Union Administration, Office of the Comptroller of the Currency and Office of Thrift Supervision, among others.
Together, these influential federal agencies, charged with keeping the banking ecosphere healthy, outlined how little they think of password and ID in the document they issued last week entitled "Authentication in an Internet Banking Environment".
Basically, they'd like to see banks and credit unions do better for their customers through stronger forms of authentication, although many of the technologies they mention, including biometrics such as fingerprint and facial recognition, are not in much use in the banking industry.
A few banks are starting to hand out variable-password generation tokens to their online customers. More are turning to challenge-response security methods that display images and personal phrases aimed at authenticating the user to the Web site and the Web site to the user to eliminate phishing.
Technically, this challenge-response security probably still has to be considered a "single-factor authentication" method, which like password and ID, depends on "something you know," as the FFIEC describes it in its own guidance document.
Jeff Kopchik, senior policy analyst at the FDIC, says the FFIEC has a favorable view of these challenge-response technologies, which he notes "are fundamentally different than a password" because they can potentially foil phishing attempts.
He and his colleague, Nathan Johns, chief of the technology supervision branch of the FDIC, say regulators aren't dictating technologies in the "Authentication in an Internet Banking Environment" document because they know new attacks and new defenses are certain to appear.
But the FFIEC authentication guidance document "says in a nutshell the banks are expected to ratchet it up a bit in terms of the security systems in place," Kopchik explains.
"We're not saying what they need to do," said Johns. "Some may have the basics, some the gold standard." He acknowledged, "Cost varies significantly."
The FFIEC guidance, based on the idea that banks should undertake a risk assessment to determine use of any new technologies, does say it expects to see financial institutions providing their online banking customers with something stronger than single-factor authentication when customers are allowed to move funds to another party. The same demand also pertains to "high-risk transactions involving access to customer information."
Since a customer accessing his or her own account is seeing customer data, I asked whether this means that all online transactions should be performed with more than simple password and ID, in the eyes of the FFIEC.
Kopchik said bank auditors are likely to evaluate how much sensitive information gets blocked out every time the customer looks at his own account, and that would be evaluated "on a case by case basis."
Johns and Kopchik say there are a lot of different security approaches out there -- including one known as "geo-location technology" that they say was mentioned by the National Security Agency when the FFIEC asked it for ideas.
The FFIEC description of it is "geo-location software inspects and analyzes the small bits of time required for Internet communications to move through the network. These electronic travel times are converted into cyberspace distances. After these cyberspace distances have been determined for a user, they are compared with cyberspace distances for known locations. If the comparison is considered reasonable, the user's location can be authenticated. If the distance is considered unreasonable or for some reason is not calculable, the user will not be authenticated."
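The FFIEC description above, as an added illustration and not code from the FFIEC or any bank: a latency-based location check that converts round-trip times into "cyberspace distances", compares them with a user's known-location baseline, and refuses to authenticate when the distance is unreasonable or cannot be calculated. The measurement points, the 200 km/ms propagation figure and the 500 km tolerance are assumptions made for the example.

```python
from typing import Dict, Optional, Tuple

# Assumed propagation speed: roughly 200 km per millisecond in fibre (about 2/3 c).
KM_PER_MS = 200.0


def rtt_to_distance_km(rtt_ms: float) -> float:
    """Convert a round-trip time into a one-way 'cyberspace distance'."""
    return rtt_ms / 2.0 * KM_PER_MS


def cyberspace_distances(rtts: Dict[str, Optional[float]]) -> Dict[str, float]:
    """Distance from each measurement point; failed samples (None) are dropped."""
    return {point: rtt_to_distance_km(rtt) for point, rtt in rtts.items() if rtt is not None}


def enroll_known_location(rtts: Dict[str, Optional[float]]) -> Dict[str, float]:
    """Baseline for a user's known location, taken from a trusted session."""
    return cyberspace_distances(rtts)


def location_check(known: Dict[str, float],
                   measured: Dict[str, Optional[float]],
                   tolerance_km: float = 500.0,
                   min_points: int = 2) -> Tuple[bool, str]:
    """Compare this session's distances with the known-location baseline.
    Returns (authenticated, reason). Both 'unreasonable' and 'not calculable'
    fail, matching the FFIEC description."""
    current = cyberspace_distances(measured)
    common = [p for p in known if p in current]
    if len(common) < min_points:
        return False, "distance not calculable"
    worst = max(abs(current[p] - known[p]) for p in common)
    if worst > tolerance_km:
        return False, f"distance unreasonable: {worst:.0f} km from known location"
    return True, f"within {worst:.0f} km of known location"


# Constructed sample data: RTTs in ms from three hypothetical measurement points.
KNOWN = enroll_known_location({"ny": 3.0, "chi": 12.0, "lon": 56.0})  # 300 / 1200 / 5600 km

if __name__ == "__main__":
    print(location_check(KNOWN, {"ny": 3.2, "chi": 11.5, "lon": 55.0}))   # same region
    print(location_check(KNOWN, {"ny": 40.0, "chi": 45.0, "lon": 20.0}))  # far away
    print(location_check(KNOWN, {"ny": 3.1, "chi": None, "lon": None}))   # not calculable
```

In a real deployment the baseline would come from an enrolment session the bank trusts, and the tolerance would be tuned per user from observed jitter rather than fixed.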
It's probably safe to say banks aren't using geo-location technology for online authentication today.
Whatever approaches a bank chooses for more than simple password and ID, the end result is that it's likely to eventually become mandatory for customer use, not optional, since the FFIEC's auditors will be expecting better security.
And the FFIEC may not be done on the topic. Don't be surprised if there are additional guidance documents related to this in the future.
Read more: FFIEC: Authentication in an Internet Banking Environment.