2 minutes on … multi-factor authentication

The report stated that U.S. companies will lose $2.8 billion this year alone to online fraud, according to a survey released by CyberSource.

To Waller, evp of StrikeForce Technologies, this was a red flag that financial institutions need to protect customers' personal information in new, multifaceted ways.

The Federal Financial Institutions Examination Council (FFIEC) agrees with him. In October, the formal interagency body charged with setting standards for the financial industry released new guidelines calling for online financial groups to use multi-factor authentication techniques and additional levels of risk assessment by the end of 2006.

"Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multi-factor authentication, layered security or other controls reasonably calculated to mitigate those risks," the FFIEC said. Companies can also use a number of methods to ensure they are not dealing with fraudsters, including smart cards, password-generating tokens and biometric techniques, such as fingerprint or voice recognition or retinal and iris scans.

The mandate has been misrepresented in some press reports, and does not simply require two-factor authentication, said Naftali Bennett, ceo of Cyota, an ecommerce security firm.

"Companies do need extra controls and extra measures," he said. "But they do not need only two-factor compliance as their only solution."

To increase confidence in online security, the new guidelines also encourage risk-based assessment, customer education and awareness, and the implementation of more layered security measures that are still easy enough for home end-users to use.

One technique Bennett mentioned was visible transaction monitoring of online banking, where a financial institution would assign a level of risk to every transaction made. This would enable banks "to look at everything you're doing."

"If someone were to access your account from Guyana and try to transfer an amount of money to a bank in Italy, that would be flagged as high-risk," he said, adding that such a service would cost banks only about 30 cents per customer annually.

Monitoring a fraudster once he or she has accessed an account should be as much a priority as deterrence for financial institutions, Bennett said.


"The notion is not only to build stronger walls, but you also need a camera inside looking for fraud," he said.
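
The per-transaction risk scoring described above, as an added Python example that is not from Cyota, the FFIEC or any bank's system. The customer profile, signal weights, thresholds and the mapping from risk level to action (including step-up authentication for medium risk) are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    """What the bank already knows about a customer (constructed sample data)."""
    home_country: str
    usual_payee_countries: frozenset
    typical_amount: float

@dataclass(frozen=True)
class Transaction:
    login_country: str   # where the online session originates
    payee_country: str   # where the receiving bank is located
    amount: float

# Illustrative weights and thresholds: assumptions, not values from the article.
WEIGHTS = {"unusual_login_country": 40, "new_payee_country": 30, "large_amount": 20}
LARGE_AMOUNT_FACTOR = 3
HIGH, MEDIUM = 70, 30
ACTIONS = {"low": "allow", "medium": "step-up authentication", "high": "hold for review"}

def risk_signals(profile, tx):
    """Return the names of the risk signals this transaction triggers."""
    signals = []
    if tx.login_country != profile.home_country:
        signals.append("unusual_login_country")
    if tx.payee_country not in profile.usual_payee_countries:
        signals.append("new_payee_country")
    if tx.amount > LARGE_AMOUNT_FACTOR * profile.typical_amount:
        signals.append("large_amount")
    return signals

def assess(profile, tx):
    """Score one transaction and map the score to a risk level and an action."""
    signals = risk_signals(profile, tx)
    score = sum(WEIGHTS[s] for s in signals)
    level = "high" if score >= HIGH else "medium" if score >= MEDIUM else "low"
    return {"score": score, "level": level, "action": ACTIONS[level], "signals": signals}

if __name__ == "__main__":
    customer = Profile("US", frozenset({"US"}), typical_amount=200.0)
    for tx in (
        Transaction("US", "US", 150.0),     # routine domestic payment
        Transaction("US", "IT", 150.0),     # known location, new payee country
        Transaction("GY", "IT", 5000.0),    # the Guyana-to-Italy case from the article
    ):
        print(tx, assess(customer, tx))
```

Returning the triggered signals alongside the score lets a fraud analyst see why a transaction was held, rather than only that it was.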
