Beyond the PIN and Password: A partnership for protecting privacy and security

By Jeff Marshall, Vice President
Electronic Banking Business
Harland Financial Solutions
www.harlandfinancialsolutions.com  • 800-989-9009
 
Two locks guard access to almost any Internet financial account: a user name and a password. Users typically provide both pieces of information as part of a single log-in to gain access to their online accounts. But are two locks enough to protect sensitive financial and personal information?

This white paper offers an overview of current risks and threats to online security. Next, it examines the current technology and possible solutions discussed by the Federal Financial Institutions Examination Council (FFIEC). Finally, it explores some of the more promising options for online Internet banking.

The FFIEC updated its 2001 guidance Authentication in an Electronic Banking Environment to recognize the new threats and technology available to both criminals and financial institutions.

Since 2001, there have been significant legal and technological changes with respect to the protection of customer information; increasing incidents of fraud, including identity theft; and the introduction of improved authentication technologies. This updated guidance replaces the 2001 Guidance and specifically addresses why financial institutions regulated by the agencies should conduct risk-based assessments, evaluate customer awareness programs and develop security measures to reliably authenticate customers remotely accessing their Internet-based financial services. 

The FFIEC strongly recommended that all financial institutions make a fresh review of their online services and consider providing additional safeguards at the authentication stage.

Financial institutions should periodically ensure that their information security program:
– Identifies and assesses the risks associated with Internet-based products and services
– Identifies risk mitigation actions, including appropriate authentication strength
– Measures and evaluates customer awareness efforts 

The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.

However, they noted that a technological solution only provides strong protection if it is willingly accepted by consumers and adopted for ongoing use as part of every Internet banking session. The FFIEC recognized that all security solutions must be cost-effective for the financial institution, compatible with existing technology and capable of being maintained and improved over time.

They set four criteria for an effective authentication method:
•    customer acceptance
•    reliable performance
•    scalability to accommodate growth
•    interoperability with existing systems and future plans

The Council left security decisions in the hands of online financial institutions. In making their decisions, financial institutions must carefully balance consumer acceptance against critical elements of their internal operations, such as:
•    the limitations of the institution's installed technology base
•    the technical sophistication of their staff
•    the capabilities developed by their technology providers
•    their own capital and operating budgets

The standards for implementing a commercially reasonable system may change over time as technology evolves, security threats mutate and new solutions emerge. Financial institutions and technology service providers need to develop an ongoing process to review authentication technology and ensure appropriate changes are implemented.

The best solution for online security is, therefore, an ongoing partnership between the financial institution, its online customers and its technology partners. Each party shares the same, vital interest: keeping the customer's financial information safe in this increasingly dangerous online environment. To succeed, they must work together, but sometimes their other interests - such as convenience or cost - conflict. 

Consumers want safety, but also convenience. While they recognize the need for security, consumers often chafe at taking extra steps to get to their accounts. Consumers want extra protection, but also freedom to access their accounts from many different platforms. The financial institution needs to understand these conflicting needs and balance them with the ever-present issues of cost and complexity of their online systems.

Technology vendors in the financial arena also face the constant challenge to innovate and integrate. Technology drives new and innovative approaches to authentication and security, so a technology company must constantly be alert to innovations and integrate those that make sense for their financial institution customers.

Financial institutions bear the burden of choosing the best solutions for their online users. They must balance their users’ desires for speed, convenience and anytime/anywhere access with the limitations of their own business systems and the range of solutions proposed by their technology vendors. They must educate Internet banking users about the importance of online security and the need for tradeoffs between convenience and protection.

We will examine some of the common threats that a financial institution and its online users must consider. For many of these threats, consumer education is a key weapon against cyber fraud. Financial institutions must go beyond reassuring customers about their online security to educating them about what to look for to make sure they have reached the right login page and Internet banking site.

Phishing
Phishing occurs when a cyber criminal sends out phony emails that pretend to be from the victim's credit card company or financial institution. The phishers often borrow the logo and the “look and feel” of the financial institution's legitimate site to make the email look official. The phishing emails ask the victim to log into a phony site. When users open this spoofed site, they are asked to "verify" confidential information, such as credit card numbers and PINs. Armed with that information, the phishers run up credit card charges and then move on to their next victims.

Since a financial institution never knows when it may be the target of a sophisticated phishing attack, its best course of action is consumer education. Although most financial institutions' consumer information stresses basic rules, such as "we will NEVER ask you for a password," consumers can be lulled into a false sense of confidence when they think they are dealing with a legitimate financial institution online. A customer education campaign needs to warn customers against phishing attacks and inform them how to determine whether an e-mail represents legitimate correspondence from their financial institution.

Pharming
Domain Name System (DNS) spoofing, also known as pharming, occurs when malware (often delivered as an email attachment) alters the hosts file on the consumer's computer, or when the DNS records held by the resolver the consumer relies on (typically the one run by their Internet Service Provider) are altered or poisoned. The hosts file is consulted before DNS, so a single added line is enough to override the bank's address. Either way, when the consumer opens his or her browser and types in the name of the financial institution, the name resolves to the wrong address and the browser lands on a fake site that mimics the original in appearance and functionality. The phony site collects the consumer's user identification and password, which criminals can use to gain access to accounts.

Again, proactive customer education is the best defense. Internet banking users may need to be reminded to update their virus protection regularly and to be suspicious of opening email attachments, preferably scanning them first with antivirus software. Pharming also defeats the usual advice to check the address bar, because the address bar shows the bank's correct name. The remaining visible sign is the browser's certificate warning: an attacker who controls name resolution still cannot obtain a valid certificate for the bank's name, so users should be told never to click through a certificate warning on a banking site.
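The hosts-file variant of pharming is easy to check for on a machine, and the check illustrates why any static entry for a bank's name is suspicious. The following script is an added example, not code from the original white paper or from Harland Financial Solutions; the hosts file content is constructed, and examplebank.com is a hypothetical institution standing in for the monitored domains.

```python
import ipaddress

# Constructed sample hosts file (not from the original page). The last two
# lines are what a pharming trojan adds: the bank's names are pinned to an
# attacker-controlled address, so the browser never asks DNS at all.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.local
203.0.113.45    www.examplebank.com
203.0.113.45    online.examplebank.com   # added by malware
"""

# Domains to monitor. examplebank.com is a hypothetical institution.
PROTECTED_DOMAINS = {"examplebank.com"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments,
    blank lines and lines whose first field is not a valid IP address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield fields[0], name.lower().rstrip(".")


def is_protected(hostname):
    """True for a protected domain or any name under it."""
    return any(hostname == d or hostname.endswith("." + d)
               for d in PROTECTED_DOMAINS)


def find_pharming_entries(text):
    """Return [(ip, hostname)] for every protected name the hosts file pins.
    Any static entry for a bank domain is tampering: the bank's address must
    come from DNS. A pin to an unrelated address redirects the user to a fake
    site; a pin to 127.0.0.1 simply blocks access. Both are reported."""
    return [(ip, name) for ip, name in parse_hosts(text) if is_protected(name)]


if __name__ == "__main__":
    # Stand-alone run checks the embedded sample; read /etc/hosts or
    # C:\Windows\System32\drivers\etc\hosts instead to check a real machine.
    for ip, name in find_pharming_entries(SAMPLE_HOSTS):
        print("suspicious hosts entry: %s -> %s" % (name, ip))
```

The suffix test in is_protected matters: "notexamplebank.com" must not match, while "online.examplebank.com" must. Resolver-level pharming (poisoned ISP DNS) leaves no trace on the machine, which is why the certificate warning remains the user's only signal in that case.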

In an effort to combat Phishing and Pharming attacks, Harland Financial Solutions offers a free Phishing Response Kit providing step-by-step instructions to help financial institutions get the message out to customers as quickly as possible. The kit offers step-by-step guidance for notifying authorities, educating staff and informing online banking users about phishing attacks. The free kit can be downloaded at www.harlandfinancialsolutions.com/NewsAndEvents/WhitePapers.asp?SuiteID=92.

Spyware and Malware
Most antivirus programs now include protection against spyware and other malware. Spyware is code that reports where a user has been on the Internet; the broader class of malware also includes keystroke loggers and trojans that capture banking credentials directly, which is the threat that matters most for online banking.

Again, the financial institution cannot dictate where or how its customers surf, but it can educate consumers about common traps. Financial institutions could even partner with a reputable online security product and offer discounts or rebates if they feel strongly that the security protection would be worthwhile.

File Sharing
File sharing – whether for music, movies or free programs – is possibly the most dangerous online behavior for any computer user. However, the freedom to share music, films and programs outweighs the risk in the minds of almost all computer users.

For its online customers, the financial institution can only educate – talk sensibly about the risks and give sound advice about protection. The financial institution can discuss the need for an up-to-date firewall and virus protection for file sharing users, and caution against downloading from new and relatively unknown sites.

Attachments
The daily flood of email into any business or active online user's mailbox brings a steady stream of threats to the user's system. Even with virus protection, a financial institution needs to educate both its staff and customers to be automatically suspicious of any emails from unknown parties bearing attachments, to subject those files to virus scans before opening them and to delete them if in serious doubt.

Shared or Public Connections
Our mobile society has created public options for connecting to the Internet from cafes, airports, Internet cafes, libraries and even the lobbies of financial institutions. The financial institution's security education should also cover the basic rules for protecting a banking session from prying eyes in public places. Users need to know that it is important to log out of an online banking site and close the browser if they are using a public terminal, so the next user does not simply browse back a few screens to their account information. They should also be aware that a keystroke logging utility can be planted on public-use computers to capture login and password information, so a public terminal should not be trusted with a password at all.

Social Engineering
Only awareness and education can protect against one of the most insidious tools of the cyber criminal – social engineering. Americans are naturally friendly and ready to help someone in need. When a pleasant-sounding person calls up and asks for our help, we are willing to offer it with a minimum of suspicion.

Unfortunately, that's how social engineering works. A criminal who knows a little bit about you calls to ask for other pieces of information they need to guess a password or steal an identity.  They may start with a birth date or a mother's name before shifting to, “Oh, and what was her maiden name?” The best operators are smooth, pleasant and never tip their hand.

Inadequate Mutual Authentication 
While the FFIEC report focuses on measures that financial institutions must take to strengthen authentication, it also stresses the need for consumer education. Consumer education, coupled with stronger security measures on the financial institution site, could create stronger mutual authentication. Two vital issues to address include the use of Secure Sockets Layer (SSL) and Hyper Text Transfer Protocol Secured (HTTPS) technology.

•    SSL is used to securely transport information between Web servers and Web browsers by encrypting the information and sharing it over a “socket,” which is a secure channel within the Internet connection. An image of a padlock is often placed on the screen to indicate an SSL session.

•    HTTPS differs from the more familiar term Hyper Text Transfer Protocol (HTTP). The addition of the “S” indicates that the HTTP session has been secured through the use of encryption. HTTPS is a vital step for protecting user information and is highly recommended for any financial institution. When HTTPS is used, the term “HTTPS” will replace “HTTP” in the address bar of the browser.
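The "check the address" advice from the phishing and HTTPS sections above hides several details that a user-education page, or an institution's own link checker, needs to get right: the scheme must be https, a bank name before an "@" is not the host, the bank name appearing inside a longer host is not the bank, and look-alike non-ASCII letters are not the bank. The following function is an added example, not code from the original white paper or from Harland Financial Solutions; the host names under examplebank.com are hypothetical.

```python
from urllib.parse import urlsplit

# Hostnames the institution really serves its login page from. examplebank.com
# is a hypothetical institution; a real list would be the bank's own hosts.
LEGITIMATE_HOSTS = {"www.examplebank.com", "online.examplebank.com"}


def classify_login_url(url):
    """Return (ok, reason). ok is True only when the URL uses HTTPS and its
    host is exactly one of the bank's hostnames; everything else is rejected
    with a short reason a user-education page could echo."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not HTTPS: credentials would travel in the clear"
    if parts.username is not None or parts.password is not None:
        # https://www.examplebank.com@evil.example/ puts the bank's name in
        # the user-info field; the host the browser connects to is evil.example
        return False, "user-info before '@' hides the real host"
    host = (parts.hostname or "").rstrip(".")   # hostname is already lower-cased
    if not host.isascii():
        # Homograph attack: a Cyrillic letter that looks like a Latin one
        return False, "non-ASCII characters in host name"
    if host in LEGITIMATE_HOSTS:
        return True, "host matches the institution"
    for real in LEGITIMATE_HOSTS:
        if real in host:
            return False, "bank name embedded in a different host: %s" % host
    return False, "unknown host: %s" % host


def triage(urls):
    """Classify a batch of links, e.g. those extracted from a reported email."""
    return {u: classify_login_url(u) for u in urls}
```

The exact-match rule is deliberate: accepting anything that "contains" or "ends with" the bank's name is precisely the mistake that lets www.examplebank.com.secure-verify.example through.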

The financial institution can also use logical verification to ensure that information provided is consistent. Simple checks, such as matching the zip code with the telephone area code, or the street address with the zip code, can be done automatically through many fraud-screening services.

Financial institutions and consumers must evaluate for themselves the costs of each added protection – in time, convenience, added complexity or "nuisance factor" -- against potential gains in security. Security experts and the FFIEC advocate adopting a "layered" approach, which offers multiple and overlapping levels of authentication and protection. That is the best way to achieve the “two-way handshake” that ultimately offers a superior level of online authentication.

Four Forms of Authentication
"Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks," the FFIEC advises.

In other words, the FFIEC wants financial institutions to ask customers to confirm their identities online in more than one way. The FFIEC categorized authentication into three basic forms: something you know, something you have and something you are. In addition, some vendors have created a fourth category to cover solutions that are based on the user’s behavior, described here as “something you do.”

All four categories are described below, along with examples of how they can be applied.  The time, effort and intrusiveness of each form should be weighed against its potential to increase security.

1. Something the User Knows

This category can be described as a “shared secret.” The financial institution and the user agree to share a piece of information. The financial institution stores this information in a database and then asks the user to confirm it each time he or she logs in.

Passwords and User Names

Passwords and user names are the most common shared secrets, but are often insufficient to protect confidential information for two reasons.

1. The user fails to provide information that is truly secret.
2. The user fails to keep the secret.

Codes, Images and Screen Colors

Making the shared secret more difficult to guess, or more difficult to attack from remote locations, can provide additional protection. For example, the financial institution may choose to display a random security code on the log-in screen, typically as a distorted image, which the user must enter in a designated box to complete the login. This adds no new secret, but it blocks automated guessing of passwords.

A shared image is another option. In this version, the user selects or submits a personalized image at enrollment. On later visits the site displays that image before asking for the password, so the user knows whether he or she has arrived at the right site. It protects only if users refuse to enter their password when the image is missing or wrong, and because a phishing site can relay the user name to the real site and fetch the image, the image should be tied to a cookie on the enrolled computer rather than to the user name alone.

Personalizing the site with screen colors or other items refines the shared image by extending it to every page of the site. This increases the likelihood that the user will notice if the appearance of the site is different because they have been redirected to a site created by a cybercrook.

Account Information

Another type of shared secret is created by drawing information from the user's financial institution relationship. One option is a series of numbers linked to accounts, such as the last four digits of their financial institution credit card. Sharing account information has its own risks, however: account and card numbers appear on checks, statements and receipts, so they are not truly secret. That is why many financial institutions are switching from account numbers to user names for logins.

Challenge Questions

A type of shared secret that appears to be popular among many vendors and financial institutions creating additional layers of authentication is challenge questions. The financial institution provides a set of questions and asks the user to provide answers for one or more. They use "life" questions, such as "the model of the car that you used while learning to drive" or "the name of your favorite childhood pet." These are harder for cybercrooks to guess than a date of birth, but the answers are often few in number, shared with friends and family or discoverable online, so challenge questions should supplement a password rather than replace it, and the stored answers should be protected as carefully as passwords.
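The "something the user knows" category rests on the institution storing the shared secret and checking it at login. The following is an added example of how to do that without keeping the secret itself in the database: it normalizes a challenge answer so harmless variations still match, then stores only a salted PBKDF2 digest. It is not code from the original white paper or from Harland Financial Solutions; the iteration count and the sample question and answer are assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 100_000  # PBKDF2 work factor (assumption; tune to the hardware)


def normalize_answer(answer):
    """Canonicalise a challenge answer so 'Fluffy ' and 'fluffy' compare equal:
    Unicode NFKC, case folding, and collapsed whitespace."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def hash_secret(secret, salt=None, iterations=ITERATIONS):
    """Return a record {salt, iterations, digest} to store instead of the
    secret. A fresh random salt per secret defeats precomputed tables, and
    the iteration count makes offline guessing of a stolen table slow."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_secret(secret, record):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def enroll_challenge(question, answer):
    """What the institution stores for one challenge question: the question
    text and the digest record, never the answer."""
    return {"question": question, "record": hash_secret(normalize_answer(answer))}


def check_challenge(enrolled, answer):
    """Login-time check of the user's typed answer."""
    return verify_secret(normalize_answer(answer), enrolled["record"])
```

Hashing slows an attacker who steals the table; it does nothing about an attacker who already knows the pet's name. The number of guesses allowed per account online is the control that matters for low-entropy answers, and it has to be enforced separately.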

2. Something the User Has

ATM cards are often cited as an example of the improved security provided by requiring users to possess an item that can be used to validate identity. ATM users must present their card and then enter their PIN to gain access to cash, which combines something they have with something they know.

In the online environment, vendors are developing solutions that involve both tangible items, such as tokens, and intangible items, such as cookies placed on the user’s computer.

Hardware Tokens

A token is an item that the user presents to prove identity. Physical tokens are viewed as a highly reliable means of authentication for high-risk transactions. However, three limitations have slowed their adoption by financial institutions:

1.    They require the user to have a smart card reader or some kind of external connection to read the token.
2.    They require the user to carry a physical card or token.
3.    They require an additional investment.

The FFIEC reviews three common types of tokens:

•    USB token devices, which are small, chip-based electronic keys that plug into the computer's USB port. The token holds a secret (typically a private key) in protected storage and uses it to prove to the institution's server that the device is present, without the secret ever leaving the device.
•    Smart cards, which use a plastic card format similar to credit cards but carry an embedded microprocessor chip (not merely a magnetic stripe) that stores a key and performs the cryptographic operations; they require a card reader.
•    Password-generating tokens, which generate a new one-time password (OTP) for each banking session from a secret shared with the institution, so a password captured by a phisher or keylogger is useless once it has been used.
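A password-generating token is the one item in the list whose workings can be shown in a few lines. The following is an added example, not code from the original white paper or from Harland Financial Solutions: it implements the HOTP algorithm (RFC 4226, HMAC-SHA1 over a counter) that event-based tokens use, its time-based variant (RFC 6238), and the server-side verification that the text leaves implicit. The assumption that the bank's tokens are HOTP-style is the example's, not the paper's, as are the look-ahead window and the EnrolledToken record.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: the same function with the counter derived from time,
    which is what a token with a clock instead of a button computes."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


class EnrolledToken:
    """Server-side record for one customer's event-based token (assumption:
    one such row per enrolled token in the institution's database). Holds the
    shared secret and the next counter value the server expects."""

    def __init__(self, secret, counter=0, look_ahead=5):
        self.secret = secret
        self.counter = counter        # next counter the server expects
        self.look_ahead = look_ahead  # button presses the user may have wasted

    def verify(self, candidate):
        """Accept if candidate matches any counter in the look-ahead window.
        On success the counter moves past the match, so the same code cannot
        be replayed and skipped values behind it become invalid. On failure
        nothing moves, so guessing cannot advance the state."""
        if not (candidate.isdigit() and len(candidate) == 6):
            return False
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.counter = c + 1
                return True
        return False
```

The look-ahead window is the usual trade-off: too small and a customer who pressed the button a few times without logging in is locked out; too large and an attacker has more valid codes to guess against. Either way the server must also limit failed attempts per account, since a six-digit code is only a million possibilities.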

Software Cookies, Tokens and Programs

Another solution involves asking the user to accept an authentication solution that is placed in their computer as part of a registration process. Two options are being explored.

•    Cookies and/or Tokens. A cookie is a small text file placed on the user's hard disk that can be "read" by the authenticating server. Another name for the identifying file is "software token," used to indicate that the solution is something the user possesses. Because the file sits on disk, it can be copied by malware or by another user of the same machine, so a cookie is a weak form of possession; it is best used to recognize a familiar device and decide when to ask for more, rather than as the sole second factor.

•    Software programs. The financial institution can also opt to place some other type of security software on the user’s computer.

3. Something the User Is

Every user possesses physical characteristics that are difficult to imitate or duplicate. Biometrics converts these characteristics into stored templates that can be matched against a fresh scan to prove physical identity. Using biometrics to prove identity requires some type of scanner, making them impractical for home banking at this time. As more manufacturers add biometric devices, such as fingerprint scanners, to home computers, their use may become feasible.

4. Something the User Does

Some vendors have suggested that there could be a fourth category of authentication, described as “something the user does.” Authentication options placed in this category create a database of customers’ online visits based on their existing usage patterns for criteria, such as time of contact or location. When the user’s method of accessing the site falls outside his or her database profile, additional steps are used to confirm identity, such as placing a telephone call to the user or asking the user to answer a challenge question.

Additional Mitigation with Out-of-Band Authentication
Another option for reducing risk through authentication is called out-of-band authentication. The FFIEC excludes this from its list of the three formats for authentication, but recommends it as an additional step that can be used for risk mitigation. The FFIEC describes out-of-band authentication as "any technique that allows the identity of the individual originating a transaction to be verified through a channel different from the one the customer is using to initiate the transaction."

Financial institutions have relied on this kind of independent verification for years for very large transactions. The same tactic could be used for high-risk online transactions, with the financial institution calling the user on a previously enrolled cell or landline number and requiring the user to enter a four-digit confirmation code. If the user fails to answer the phone or enter the code, the transaction is cancelled. The protection depends on the phone number having been enrolled before the attacker appeared, so a change to the enrolled number must itself be treated as a high-risk transaction and confirmed through the old channel.
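The "something the user does" category above and the out-of-band step described here fit together: the behavioral profile decides when a login is unusual, and the phone-delivered code is what the unusual login must pass. The following is an added example of both halves, not code from the original white paper or from Harland Financial Solutions. The profile attributes (hour of day, country of the source address, a device identifier from a cookie), the scoring weights, the history threshold and the code's lifetime are all assumptions chosen for illustration; the login history in the test is constructed.

```python
import hmac
import secrets
import time
from collections import Counter


class LoginProfile:
    """'Something the user does': what one customer's past logins looked like.
    Attributes recorded are hour of day, country of the source address and a
    device identifier (assumption: from a cookie or browser fingerprint)."""

    MIN_HISTORY = 5  # assumption: do not judge until this many logins are seen

    def __init__(self):
        self.hours = Counter()
        self.countries = Counter()
        self.devices = Counter()
        self.total = 0

    def record(self, hour, country, device):
        self.hours[hour % 24] += 1
        self.countries[country] += 1
        self.devices[device] += 1
        self.total += 1

    def risk(self, hour, country, device):
        """Weighted score: an unfamiliar country or device counts 2 each; an
        unusual hour (nothing seen within two hours of it) counts 1."""
        if self.total < self.MIN_HISTORY:
            return 0
        score = 0
        if country not in self.countries:
            score += 2
        if device not in self.devices:
            score += 2
        if not any(self.hours[(hour + d) % 24] for d in range(-2, 3)):
            score += 1
        return score


STEP_UP_THRESHOLD = 2  # assumption: a new country or device alone triggers step-up


def decide(profile, hour, country, device):
    """'allow' for a login that fits the profile, 'step_up' otherwise."""
    return "step_up" if profile.risk(hour, country, device) >= STEP_UP_THRESHOLD else "allow"


class OutOfBandChallenge:
    """Server-side state for one confirmation code read out over the phone.
    The code is short (four digits, as in the text), so it must expire
    quickly and allow only a few attempts: with three tries at 10,000 codes
    a guesser succeeds 0.03% of the time, and without a limit, every time."""

    def __init__(self, ttl_seconds=120, max_attempts=3, clock=time.time):
        self.code = "%04d" % secrets.randbelow(10_000)  # what the call reads out
        self.clock = clock
        self.expires_at = clock() + ttl_seconds
        self.attempts_left = max_attempts

    def verify(self, entered):
        """True once, for the right code, before expiry and within the attempt
        budget; a success or an exhausted budget consumes the challenge."""
        if self.clock() > self.expires_at or self.attempts_left <= 0:
            return False
        self.attempts_left -= 1
        entered = entered.strip()
        if not entered.isascii():
            return False
        if hmac.compare_digest(self.code, entered):
            self.attempts_left = 0
            return True
        return False
```

Delivery of the code (placing the call) is outside the example; the point is the state around it. Note that the profile is updated only after a login succeeds, so an attacker's failed attempts do not teach it a new "normal".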

Pursuing A Two-Way Handshake
Ultimately, authentication should provide a two-way handshake. That means that both the financial institution and the user are actively involved in reaching across the Internet to confirm the identity at the other end of the Web connection.

From the financial institution side, the handshake involves asking customers to provide information or submit “proof” that they have a token to confirm their identity. From the user side, the handshake involves being aware of the signals that mark the financial institution site as authentic.

The strongest forms of authentication typically combine behind-the-scenes authentication that confirms the identity of the user with on-screen signals designed to reassure the user. When combined, these systems balance the value of informing the user that the financial institution is actively strengthening security with the need to offer Internet banking that is easy-to-use.

Crucial Questions
In determining which type of authentication solution is right for your bank, consider these crucial questions.

•    Does authentication occur behind the scenes or on the screen?
•    Will members use it?
•    Is it secure?
•    Is there an extra fee, or is it free?
•    Is there a partnership?
•    Is it scalable?


Conclusion
Today's changing online environment challenges everyone involved in Internet banking to stay on their toes. That means continuing to innovate, adopting proven best practices, assessing online security, offering consumer education and applying large amounts of common sense to the problems of online fraud and misuse.

Placing choices and options in the hands of consumers helps prevent fraud and creates a safer online environment. Simple techniques, such as showing the time and IP address used for the most recent login during the current banking session, can reassure consumers that their account remains secure. Allowing users to set their own color schemes – a system enabled by a cookie on the user’s machine – will help consumers recognize when they have left the familiar territory of the financial institution site for the threatening Internet landscape occupied by phishers and pharmers.  Having several months of transaction history displayed during a single session will allow users to check records for suspicious transactions they might otherwise fail to spot for weeks or longer.

Equally important, financial institutions must adopt a layered system of security that takes authentication beyond the password and PIN stage. The threats currently facing consumers call for a higher level of authentication. As phishers, pharmers and other cybercrooks become more savvy in their attempts to circumvent online banking security, financial institutions must take a more aggressive approach to protecting online accounts from intruders.

Achieving and maintaining a high level of layered security will require a three-way partnership between consumers, technology vendors and financial institutions. That partnership is the best way to stay a step ahead of cybercrooks, while maintaining an online banking environment that is safe, friendly and easy to use.

About the Author
Jeff Marshall oversees software development, security and network operations for Harland Financial Solutions. Before joining Harland Financial Solutions, he developed software for various national industries. He wrote one of the first Internet Banking and Bill Payment systems in the country, as well as one of the first Internet lending systems with real-time credit decisions. In an effort to promote community-based financial institutions, he continually helps hundreds of banks and credit unions to think progressively about the risks and costs related to Internet delivery systems. Jeff is widely recognized in the software industry for his accomplishments, knowledge and vision.
 
View September 08 Digital Edition Today!
Harland Financial Solutions—Executive Summary on Page 61