Compliance Management

Two minutes on…multi-factor compliance

A recent news story jumped off the page at George Waller. The report stated that U.S. companies will lose $2.8 billion this year alone to online fraud, according to a survey released by CyberSource.

To Waller, executive vice president of StrikeForce Technologies, the report was another red flag that financial institutions need to protect customers' identities and personal information in new, multifaceted ways.

The Federal Financial Institutions Examination Council agrees with him. In October, the alliance of agencies charged with setting standards for the financial industry released new guidelines calling for online financial groups to use multi-factor authentication techniques and additional levels of risk assessment by the end of 2006.

According to a statement released by the FFIEC, the single-password authentication still used as the primary method by many banks has become woefully inadequate.

"Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multi-factor authentication, layered security or other controls reasonably calculated to mitigate those risks," the FFIEC said.

The group gave financial institutions a mandate to identify a level of risk involved with all transactions, from ATM use to online transfers. All levels of transactions, the FFIEC said, should be covered under a company's risk-assessment process.

Companies can also use a number of methods to ensure they're not dealing with fraudsters. Among the suggested methods are smart cards, password-generating tokens and biometric techniques, such as fingerprint or voice recognition or retinal and iris scans.

A vital part of the multi-factor process is using "something you know," Waller said about one technique his company uses.

"We're utilizing something that everyone has, which is a phone," he said, adding that some transactions would call for a customer to verify their authenticity via that method.

The mandate has been misrepresented in some press reports and does not simply require two-factor authentication, said Naftali Bennett, chief executive officer of Cyota, an e-commerce security firm.

"Companies do need extra controls and extra measures," he said. "But they do not need only two-factor compliance as their only solution."

Most importantly, companies must strengthen password-based authentication with a variety of additional techniques, and track their customers' transactions, rather than accept a single password on its own.

One technique Bennett mentioned was visible transaction monitoring of online banking, where a financial institution would assign a level of risk to every transaction made. This would enable banks "to look at everything you're doing."

"If someone were to access your account from Guyana and try to transfer an amount of money to a bank in Italy, that would be flagged as high-risk," he said, adding that such a service would cost banks only about 30 cents per customer annually.

"In the credit card world, they have been doing this for about two decades," he said.
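A minimal form of the per-transaction risk scoring Bennett describes, as an added Python example that is not Cyota's product or the article's own code. The signals (session country, device recognition, beneficiary country, amount), the weights, the thresholds and the customer profile fields are all assumptions made for illustration; the sample transactions are constructed to reproduce the Guyana-to-Italy scenario above, and a high score routes the transaction to out-of-band step-up verification of the kind Waller mentions rather than accepting it on the password alone:

```python
"""Risk-scoring of online banking transactions (added illustration, not Cyota's code).

Each transaction is scored against what the bank already knows about the
customer; high-risk transactions are held for step-up (out-of-band)
verification instead of being accepted on the password alone.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class CustomerProfile:
    home_country: str                        # country code of the customer's usual location
    usual_destinations: Set[str] = field(default_factory=set)  # countries of past beneficiaries
    typical_transfer: float = 0.0            # e.g. 95th percentile of past transfer amounts


@dataclass
class Transaction:
    customer_id: str
    kind: str                  # "login", "balance" or "transfer"
    source_country: str        # where the session comes from (IP geolocation assumed done upstream)
    known_device: bool = True  # device fingerprint or cookie seen before
    dest_country: str = ""     # beneficiary bank's country, transfers only
    amount: float = 0.0


# Hypothetical weights and thresholds; a real deployment tunes them against fraud outcomes.
WEIGHT_FOREIGN_SESSION = 40
WEIGHT_UNKNOWN_DEVICE = 15
WEIGHT_NEW_FOREIGN_BENEFICIARY = 30
WEIGHT_UNUSUAL_AMOUNT = 20
THRESHOLD_STEP_UP = 60
THRESHOLD_MONITOR = 30


def score_transaction(tx: Transaction, profile: CustomerProfile) -> Tuple[int, List[str]]:
    """Return a risk score and the human-readable reasons behind it."""
    score, reasons = 0, []
    if tx.source_country != profile.home_country:
        score += WEIGHT_FOREIGN_SESSION
        reasons.append(f"session from {tx.source_country}, customer based in {profile.home_country}")
    if not tx.known_device:
        score += WEIGHT_UNKNOWN_DEVICE
        reasons.append("unrecognised device")
    if tx.kind == "transfer":
        if tx.dest_country not in (profile.home_country, *profile.usual_destinations):
            score += WEIGHT_NEW_FOREIGN_BENEFICIARY
            reasons.append(f"first transfer to a bank in {tx.dest_country}")
        if profile.typical_transfer and tx.amount > 2 * profile.typical_transfer:
            score += WEIGHT_UNUSUAL_AMOUNT
            reasons.append(f"amount {tx.amount:.2f} well above the usual {profile.typical_transfer:.2f}")
    return score, reasons


def decide(score: int) -> str:
    """Map a score to an action: allow, keep for monitoring, or demand step-up verification."""
    if score >= THRESHOLD_STEP_UP:
        return "step_up"   # hold the transaction and verify out of band, e.g. a phone call
    if score >= THRESHOLD_MONITOR:
        return "monitor"   # let it through but keep it in the fraud queue
    return "allow"


def run_monitor(transactions: List[Transaction],
                profiles: Dict[str, CustomerProfile]) -> List[Tuple[Transaction, int, str]]:
    """Score every transaction, not just logins, and attach the decision to each."""
    results = []
    for tx in transactions:
        score, _ = score_transaction(tx, profiles[tx.customer_id])
        results.append((tx, score, decide(score)))
    return results


# Constructed sample data: one ordinary customer and a session matching the article's scenario.
PROFILES = {
    "alice": CustomerProfile(home_country="US", usual_destinations={"CA"}, typical_transfer=500.0),
}
SAMPLE = [
    Transaction("alice", "balance", "US"),
    Transaction("alice", "transfer", "US", dest_country="CA", amount=400.0),
    Transaction("alice", "transfer", "GY", known_device=False, dest_country="IT", amount=4000.0),
]

if __name__ == "__main__":
    for tx, score, action in run_monitor(SAMPLE, PROFILES):
        _, reasons = score_transaction(tx, PROFILES[tx.customer_id])
        print(f"{tx.kind:8} {score:3} {action:8} {'; '.join(reasons)}")
```

The point of returning the reasons alongside the score is operational: the analyst who takes the flagged transaction out of the queue, or the agent who phones the customer, needs to know which signals fired, and the same list is what you tune when the thresholds produce too many false positives.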

Monitoring a fraudster once he or she has accessed an account should be as much a priority as deterrence for financial institutions, Bennett said.

"The notion is not only to build stronger walls, but you also need a camera inside looking for fraud," he said.

By Frank Washkuch Jr.
