FFIEC guidelines mandate financial services security upgrades
Selling "trust" in web-based banking, in other words, has been a major boon to the institutions which serve our financial needs online. PARDA Federal Credit Union, an Auburn Hills, Mich.-based credit union with 12 branch offices in six Midwest and East Coast states, is a case in point.
With about 20 percent of the institution's 23,000 members taking advantage of online banking, PARDA "definitely uses the online channel to drive operational efficiencies," says Melissa Auchter, PARDA's chief information officer.
For one thing, giving members access to their online account statements reduces the cost of paper statements in consumables, postage and time, says Auchter. More importantly, users actively taking advantage of PARDA's online services "frees our employees to spend time addressing more complex needs, like new member orientation and education, and it gives our members the ability to handle some of their own transactions, such as opening certificates and applying for loans."
None of that could happen without a secure platform, however.
"Letting the membership know that we're securing the connection allows them to trust that we're doing everything in our power to take care of their private financial information," says Auchter. "We want our members to know that we take security seriously."
Securing online activity is also critical to PARDA because, she says, "We're not a typical credit union. Our members are all over the place, and that adds one more level of complexity in trying to deploy and secure our environment."
Forced to take another look
When the Federal Financial Institutions Examination Council (FFIEC) released its 2005 guidance rules,"Authentication in an Internet Banking Environment," which require multifactor user authentication methods, PARDA was forced to review its security practices. In general, Auchter says she liked what she saw.
"To be honest, the only change we made to meet the FFIEC mandate was to add a multifactor authentication solution that relies on BioPassword's keystroke-profiling application," she explains. They had already started implementing a number of the required risk-related items, such as adding intrusion-detection and incidence-response policies, before the FFIEC released its ruling, she adds.
Admittedly, banks and other financial institutions have offered what they called "secure" online financial services since the internet boom of the late 1990s popularized online banking. Generally, they relied only on username and password for authenticating customers, however.
It wasn't until the FFIEC released its guidance two years ago that financial organizations had to take a hard, serious look at the authentication policies of their online offerings. Most notably, the FFIEC regulations stipulated that single-factor user authentication (i.e., a password combined with username) for access to "high-risk" online transactions — such as when customers access their personal information or transfer funds — was inadequate. The FFIEC stipulated that by the end of 2006, financial services institutions had to assess their online banking sites and, when necessary for the risk involved, deploy a multifactor authentication system to provide access to them.
The mandate had two direct consequences, says Bruce Cundiff, a senior analyst with market research firm Javelin Strategy & Research. Most obviously, it sent a large number of financial institutions scurrying to comply with the guidelines. But, Cundiff says the banks were guilty of foot dragging in 2006, leaving them only 14 months to roll out their two-factor authentication solutions to meet the January 2007 deadline for auditing their compliance with the rules.
Not surprising, "selling trust" also opened a floodgate of authentication products for institutions to deploy, adds Cundiff. These include back-end fraud-detection and computer-profiling systems that end-users are generally unaware of, a variety of biometric solutions (as noted, PARDA deployed a system that validates users based on their keystroke rhythm), and token-based implementations.
The FFIEC guidance didn't say it had to be any specific type of authentication — it left it up to the financial institutions what form it would be, Cundiff says. "It didn't matter what technology, as long as it was above and beyond username and password, which are not enough and easily obtainable and used by and for fraud."
The need for stronger user authentication also stirred an industry of providers, Cundiff says, calling it the "topic of the year" among financial sector vendors and professionals in 2006.
Many of the vendors have been doing this for years, but not necessarily in the financial sector, he says. It also spawned a number of start-ups, who say they're building a better mousetrap and all claim they have the best solution that is simple and easy to use for customers, he adds.
For its part, PARDA went with the BioPassword product because it was least intrusive to its membership, Auchter says.
Simplicity a key
End-user experience has been one of the major issues surrounding two-factor authentication systems deployed by the industry, says Ed Sarama, vice president and CSO at CheckFree, which provides e-commerce services.
"At the end of the day, internet [banking] is all about convenience — it's always open — and if we make it too obtrusive, we run the risk of consumers saying it's too difficult," he explains.
Financial services institutions are thus walking a fine line, providing security to prevent the bad guys while allowing consumers to do the job, he adds. "[Bank] security teams are working with marketing teams to understand whether their security solution is meeting needs of the consumer and what needs to be fine-tuned."
Some financial institutions may have gone out with initial solutions out of reaction just to meet federal regulations, he says. "They may not have had the funding or the resources, and now they're going back and finetuning their authentication programs."
This fine-tuning can come in several forms, including eliminating some of the upfront questions consumers are required to answer and taking advantage of back-end fraud-prevention capabilities. These tactics also range from relying on a historical view of consumer transactions to fingerprinting their PC to noting the IP address they usually connect from to using information banks have collected on consumers through other banking channels in which they have a relationship.
And the reviews of deployments don't stop there, adds Dennis Maicon, executive vice president at Digital Resolve, which provides authentication software. He says that more than a few of the larger organizations are now re-evaluating what they put in at the beginning, and are now looking to layer something on top of what they have in place. "They're looking for ways to grow what they put in place to meet the deadline — looking beyond login and now looking at transactions and the bigger picture in the online channel."
And from an operational perspective, the internet is a giant channel, says Marc Gaffan, director of marketing with the consumer solutions group at RSA.
"Any transaction at a branch [office] is 10 to 20 times more expensive than an online transaction, and the more [consumers] they drive to the online channel, the greater their efficiency is," he explains.
Many financial services organizations, including PARDA, use the security of their online systems as a marketing tool to drive users to that channel. Bank of America and E-Trade are other examples, Gaffan points out.
"They've put security in their marketing messages," he says. "Until 12 to 18 months ago, most [banks] would rather not have mentioned some of the security measures, vulnerabilities and confidence issues around their online channels."
Now, however, most financial institutions understand that most consumers not only know about malware and online fraud, but are concerned about them, he adds. So, they're taking steps to promote the fact that they're doing something about protecting their customers' personal information and online transactions.
"This is an aspect of the FFIEC guidance that sometimes gets overlooked — people think the banks have been forced to comply," Gaffan says. "I think banks have done a good job of assessing risks, establishing areas of vulnerabilities, developing a plan of action and selecting a solution and implementing it."
WORLDVIEW: Growing concern
From a strategic standpoint, the FFIEC guidance and the Gramm-Leach-Bliley Act (GLBA) have forced American financial institutions to rethink their security postures, says Tom Kellerman, vice president of security awareness for Core Security and a former World Bank executive. Instead of looking at customer-facing security as a technology problem, they're considering it a risk-management problem, he explains.
The operational risk has metastasized given the sophistication of the attacks on financial systems, he says.
"Various criminal groups have moved into the battle, trading personal identifiable information and access to banks' systems and networks. The evolution of the underground around financial data has become troublesome, forcing banks and their management to re-evaluate how they deploy technology and how it can decrease risk," Kellerman adds. "Many banks may be grappling while conducting vulnerability assessments and identifying their vulnerabilities and understanding the impact of the vulnerabilities on their payment systems and databases that store personally identifying information."
A particularly troublesome issue is determining where their networks begin and end, he explains. "How they deal with outsourcing, how they audit these arrangements and mandate remediating critical vulnerabilities in a timely fashion is difficult when they have outsourcing arrangements all over the world."
U.S. financial institutions have it easy compared to those in Singapore and the European Union, Kellerman notes. "The only region of the world that's seen a decrease in incidents of successful cyberattacks is Singapore, and many attribute that to the stringent regulations in that country."
Because of harsh penalties for losing personal information, financial institutions in the European Union have more incentive than U.S. banks to protect consumer information in their systems, says Chris Holland, vice president of information assurance products at SafeNet. "There's an EU law with stringent requirements for what you can do with personal information and how you treat it. That does not exist with the same strength in the U.S., at least, not that I'm aware of."
— Jim Carr