Banks Parley on Security Issues
George Tubin, senior analyst in the Delivery Channels research service at TowerGroup, recently led a roundtable session where top financial institutions shared their experiences in trying to comply with the FFIEC guidance. Issues raised by online banking leaders included multifactor authentication techniques, implementation best practices and concerns, customer education, and usability.
Mr. Tubin shared some of the key findings with BankInfoSecurity.com (BIS).
BIS: What initiatives are banks taking to protect online security?
TUBIN: The participants in the roundtable reflect a range of institutions, from a small community bank up to one of the top three banks. All are looking at the issue of online authentication from different perspectives. One large non-U.S. bank is using a hardware approach, in which customers are given tokens that display a new password every 60 seconds. Two large U.S. banks are developing internal solutions patterned after Bank of America's SiteKey, which authenticates both the user and the bank. One of those two banks is also looking at the concept of federated identity, in which digital certificates are issued in a hierarchical scheme to accommodate single sign-on.
BIS: Which vendors are considered to be leading edge?
TUBIN: Banks are struggling with sorting out which of the many providers are viable business partners. Many of them are small companies and lack a large client base, and there is concern about their staying power. As a result, banks are having to go through a lengthy vendor selection process, trying to determine which security vendors will succeed in the risk-based authentication space.
A lot of banks got burned during the dot-com era by fly-by-night companies that were hired to build online sites, and then the bubble burst and the companies were gone. They don't want to have that happen again.
RSA Security's recent acquisition of Passmark Security was motivated in part by Passmark's success in the financial sector; Bank of America has implemented Passmark's technology for its SiteKey system. In this case, BofA chose to go with an outside provider despite possessing strong in-house skills in online authentication. They concluded that it wasn't a core competency, and that an outside vendor could dedicate the resources needed to enhance the product and provide continual maintenance.
BIS: What's the status of federated identity?
TUBIN: The industry is trying to come up with a common authentication scheme, in which an individual can be authenticated once for all transactions. There continues to be a lot of interest on a theoretical level in things like SAML [Security Authentication Markup Language] and Liberty Alliance. But it's going to take a concerted effort by the technology, business, and government sectors to turn it into a practical solution.
BIS: What about the FFIEC?
TUBIN: There's a lot of confusion among banks as to what the FFIEC is directing. The regulators want financial institutions to do more with online security but leave them with a lot of leeway in implementation; too much flexibility creates confusion. Some banks are looking to comply with just the letter of the guidance, while others are looking at complying with its spirit.
BIS: What are the typical attack vectors for online fraud?
TUBIN: Phishing and pharming, which use social engineering to get users to divulge passwords at phony Web sites, are proliferating and getting more dangerous. In addition, criminals are deploying spyware and Trojan horses; one group in Brazil sent out three million e-mails with keylogging software, and stole millions from bank accounts.
BIS: Where does responsibility lie for online security?
TUBIN: It varies from bank to bank, but most are forming steering committees comprising elements of the online banking, info security, and IT organizations.
BIS: What's the status of biometric authentication?
TUBIN: The consensus is that biometrics is still not ready for prime time. There are some innovative approaches starting to emerge, however. One is voiceprint verification; the advantage there is that no new hardware is needed, since consumers can be authenticated through their mobile or home phones. One or two private banks in Florida are using voice verification for high-value wire transfers.