Compliance Management

Cover story: If once is good, twice is better

With limited brick-and-mortar operations, E*Trade's success depends primarily on the health of its online banking operations. As chief information officer for the company, Greg Framke oversees transactions for more than 4.3 million active online members, and more than 400,000 unique logins light up his servers daily. If users don't trust the security of the site, the business fails.

This is why Framke and his team began exploring options for strong authentication more than two years ago -- well before the Federal Financial Institutions Examination Council (FFIEC) released guidance last fall calling for significant strides in the use of two-factor authentication in online banking by the end of this year. That preparation paid off last year when E*Trade rolled out RSA Security tokens to its users, becoming the first major financial institution in the country to offer multi-factor authentication to customers of its web services.

While some organizations did begin to follow in E*Trade's footsteps before the feds had their say, Framke believes that others lagged. So Framke was hardly surprised by the announcement of the FFIEC guidelines.

"I think the industry definitely has room to improve," he says. "We've been pretty vocal about that. So FFIEC has the effect of advancing some institutions' plans around online security, and I welcome that."

Guiding light

Established by Congress in 1979, the FFIEC coordinates regulation among its five member federal agencies, such as the Federal Deposit Insurance Corporation (FDIC), that oversee savings institutions, commercial banks and credit unions. Not surprisingly, then, its edicts command attention from the industry -- especially since failure to act on its guidance could mean a cease-and-desist order against a financial institution.

The organization has kept online banking safety on its radar for years. It issued its initial guidance on authentication in 2001, but as criminals grew savvier it became clear that those guidelines were inadequate, says Jeff Kopchick of the FDIC. He says that consumers have become increasingly wary of the safety of online banking, and the resulting slowdown in the growth of online financial services unsettled government officials.

"I think it's fair to say that all of the agencies were very concerned about customers and consumers losing faith in the security of electronic banking," says Kopchick, who is a senior policy analyst at the FDIC and participated in the team that drafted the guidance.

He says that the FFIEC chose to shy away from formal regulation. As guidance, the new authentication directive gives financial organizations the freedom to decide how they layer one or more additional modes of authentication onto existing systems, and it offers vendor-neutral suggestions for doing so. The only absolute is that institutions make significant headway by the end of the year toward implementing at least one additional factor for verifying users.

The leeway in the guidance lets forward-thinking organizations, such as E*Trade, continue current deployments and practices with little modification.

But there are still those struggling to find a way to meet the FFIEC's end-of-year compliance deadline. And whatever phase these financial institutions find themselves in, they all face similar challenges in improving identity management.

Making strides

As with any kind of compliance issue, one of the first concerns that crops up when the government makes demands is the cost of obeying the rules.

"The biggest challenge is the cost of the solution, which is always going to be important," says Andy Cole, vice president of sales and business development for Swivel Secure, a company that specializes in authentication. "How do you deploy to millions of public users? How do you educate those millions of users?"

Firms such as Swivel, RSA, Strikeforce Technologies and others have recognized the banking industry's need to balance compliance requirements and the effectiveness of authentication procedures against the cost of the solution. These vendors have responded with an array of lower-cost products that suit organizations that need to comply but had not budgeted for two-factor authentication over the long term.

The problem, however, is not always related to the direct cost of the solution. Many financial institutions are worrying over how to implement strong authentication without alienating customers.

"The challenge for companies is going to be if you look at what customers want [and] if you ask them [about guarding online transactions], everyone will say, 'yes, I want to have the safest and most secure experience that I can possibly have,'" Framke says. "But if you talk to them about how much inconvenience they would accept, [the answer is] not a lot."

In E*Trade's case, Framke and his team initially chose tokens as an additional method of authentication for its more technologically savvy users rather than for the general consumer population, who might view the devices as intrusive. He realized early on that not all of his users would be willing to use such a disruptive method of validation, especially those accustomed to brick-and-mortar banking.

Other financial professionals share the concern that tokens and other intrusive devices will alienate customers. Alex Hart, CEO of Corillian, a third-party provider of online banking software and hosting, is among those who favor offering a range of authentication options. Some of the country's biggest banks outsource their online banking operations to Corillian, and because the company supports 30 million online banking users, it must cater to a wide range of consumer needs.

"In reality we don't think that the average consumer is going to carry around a daisy chain of tokens," Hart explains. "They become the equivalent of a high-tech janitor. And that may be fashionable for some, but the average person isn't going to put up with that."

For many financial institutions, the middle ground lies in risk-based authentication. Low-risk activity, such as checking a balance, is governed by transparent checks such as IP-address authentication. If users up the ante by making a payment or requesting a small transfer within the bank, they might be asked to confirm their identity with some kind of shared secret. And if they do something truly risky, such as a large wire transfer, the bank might escalate the security further -- perhaps with an out-of-band phone call or email confirming that the user really wants to go forward.

For Framke, Cyota, which was acquired by RSA last year, offered the best option for adding just such an out-of-band verification of larger online transactions for all its users -- particularly given E*Trade's existing token program with RSA.

There are dozens of third-party solutions like Cyota's on the market, but some organizations, such as Corillian, chose to build a risk-based system in-house. Corillian wanted to give bank customers multi-factor authentication tightly integrated with its own online banking software, and the approach seems to be paying off.

"Our approach is to use intelligent authentication as a base layer and then to layer on top of that things like out-of-band authentication or tokens or smart cards, but doing those things based on the attributes of the users," Hart explains.

Timely roll-outs

Because the FFIEC set a compliance deadline, planning the implementation timeline is just as important as choosing the right solution. Every organization will need to tailor its roll-out, but it is universally understood that a bank needs to take its time lest it undermine the user experience.

Framke says deployment planning is just another part of balancing security with convenience.

"Being able to walk that line is going to determine how long it will take," he adds.

Many organizations are rushing to implement, an error that can be disastrous for a financial institution whose users demand reliability, says Kevin Doyle, information security manager with PSECU, Pennsylvania's largest credit union.

"There are already horror stories about people [who] rolled something out quickly, but didn't think of how it would affect users," he says. "I think you have to be very careful with planning, and if you do it right it is probably going to take a good six months to roll it out."

At PSECU, Doyle and his team also moved forward on their strong authentication project before the feds released their mandate. Still busy with that process, Doyle says that it takes time not only to test systems, but also to gain user buy-in. That's why he's surprised by the number of organizations that are only now starting the process, and he wonders whether they'll meet federal demands in time.

"I don't think people are moving quickly enough," he says. "If people don't start moving, they're going to have a shock when it comes close to the deadline."

While those organizations certainly are expected to begin the process soon, analysts aren't as worried about banks meeting the deadline. Avivah Litan, an analyst at Gartner, for instance, says that banks shouldn't worry so much about implementing before year-end as having plans in place by then.

"As long as they show regulators that they are moving in the right direction, and they've done a risk assessment, that'll be satisfactory," she says.

Ripple effects

Once deployments are finished, experts expect the effects to be far-reaching. Many think that FFIEC-spurred authentication improvements will go a long way toward raising the standard for identity management not only among banks but across online commerce.

"In a lot of ways retail banking is going to raise the bar for all retail organizations on the web," says Chris Young, general manager of RSA Cyota Consumer Solutions. "If you're seeing visible steps by your financial institution to protect your identity, you're going to say, 'why isn't my commerce site doing it, why isn't the auction site doing it?' That is going to set expectations across the board."

Litan agrees: "I really do think the age of passwords is coming to an end over the next three to five years."

AUTHENTICATE: Before it's too late

There are dozens of ways banks can comply with the FFIEC guidance calling for two-factor strong authentication. The following are some of the most popular methods.

Shared secrets: Passwords are the most common type of shared secret, but there are others, including challenge-response, where users must answer specific questions to which only they should know the answer; for example, the amount of their monthly mortgage payment. Users can also be asked to pick out an image selected at registration from a group of images. Note that these are all knowledge factors: layering a second secret on top of a password strengthens the login, but on its own it does not add a second factor.

Tokens: Tokens come in a number of different forms. A USB token plugs into the user's computer; once the system recognizes the unique device, the user is prompted for a username and password. A smart card works similarly, but must be read by a compatible reader attached to the user's computer. Biometric devices, such as fingerprint readers, ask for a scan and then prompt for the password. Finally, password-generating tokens create a one-time password that the user enters each time they log in. Tokens are among the most secure forms of additional authentication, but because of their cost and inconvenience many banks are steering clear of them.

One-Time-Password (OTP) methods: OTP methods work on the same principle as password-generating tokens, but usually more affordably and less intrusively. Single-use passwords are derived from something users have or something they know. For example, some banks issue wallet-sized laminated cards with characters arranged in rows and columns; at login, users are asked to authenticate again by entering the character in a randomly chosen cell. In another method, users are shown a random string of digits and asked to read off the digits at the positions given by their PIN; the digits they read off form the one-time password they enter.
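The two card-free OTP methods above are both challenge-response exchanges, and the server-side handling is where they go wrong in practice (a challenge that can be answered twice, or a comparison that leaks timing). The following is an added example, not code from the article or from any vendor named in it: it models a grid card (rows A-E, columns 1-8, one character per cell, a hypothetical layout) and the PIN-extraction scheme (a 10-digit security string shown under position labels 1-9 and 0, an assumed convention), with the server issuing one challenge per user and consuming it on the first answer. All names and the enrolled secrets are constructed for the example.

```python
import hmac
import secrets
import string

# --- Grid card -------------------------------------------------------------
# Hypothetical card layout: rows A-E, columns 1-8, one alphanumeric character
# per cell. A challenge names a cell, e.g. "C4".
GRID_ROWS = "ABCDE"
GRID_COLS = 8
ALPHABET = string.ascii_uppercase + string.digits


def issue_grid_card():
    """Print-ready card: {'A': 'X7KQ9B2M', 'B': ...}; each string is one row."""
    return {row: "".join(secrets.choice(ALPHABET) for _ in range(GRID_COLS))
            for row in GRID_ROWS}


def expected_grid_response(card, cell):
    """Character the cardholder should type for a challenge such as 'C4'."""
    row, col = cell[0], int(cell[1:])
    return card[row][col - 1]


# --- PIN extraction --------------------------------------------------------
# Assumed convention: the server shows a 10-digit security string under the
# position labels 1 2 3 4 5 6 7 8 9 0. Each PIN digit names a position (0 is
# the tenth), and the user types the digits found at those positions.
def expected_pin_response(security_string, pin):
    if len(security_string) != 10 or not security_string.isdigit():
        raise ValueError("security string must be exactly 10 digits")
    positions = [(int(d) - 1) % 10 for d in pin]      # '1'->0 ... '9'->8, '0'->9
    return "".join(security_string[p] for p in positions)


# --- Server side: one outstanding challenge, exactly one answer ------------
class ChallengeResponseServer:
    """Holds enrolled secrets and at most one pending challenge per user."""

    def __init__(self):
        self.cards = {}      # user -> grid card
        self.pins = {}       # user -> PIN (4-10 digits)
        self.pending = {}    # user -> ("grid", cell) or ("pin", security_string)

    def enroll_card(self, user, card):
        self.cards[user] = card

    def enroll_pin(self, user, pin):
        if not (pin.isdigit() and 4 <= len(pin) <= 10):
            raise ValueError("PIN must be 4-10 digits")
        self.pins[user] = pin

    def challenge_grid(self, user):
        cell = f"{secrets.choice(GRID_ROWS)}{secrets.randbelow(GRID_COLS) + 1}"
        self.pending[user] = ("grid", cell)
        return cell                                   # server -> user

    def challenge_pin(self, user):
        sec = "".join(str(secrets.randbelow(10)) for _ in range(10))
        self.pending[user] = ("pin", sec)
        return sec                                    # server -> user

    def verify(self, user, response):
        # pop, not get: the challenge is consumed on first use, so a replayed
        # or second-guessed answer to the same challenge is rejected.
        kind, chal = self.pending.pop(user, (None, None))
        if kind == "grid":
            expected = expected_grid_response(self.cards[user], chal)
        elif kind == "pin":
            expected = expected_pin_response(chal, self.pins[user])
        else:
            return False
        return hmac.compare_digest(expected.upper(), response.strip().upper())


def demo():
    """One exchange of each kind; returns (grid ok, grid replay, pin ok)."""
    srv = ChallengeResponseServer()
    card = issue_grid_card()                         # constructed enrolment
    srv.enroll_card("alice", card)
    cell = srv.challenge_grid("alice")
    first = srv.verify("alice", expected_grid_response(card, cell))
    replay = srv.verify("alice", expected_grid_response(card, cell))
    srv.enroll_pin("bob", "3725")                    # constructed PIN
    sec = srv.challenge_pin("bob")
    ok = srv.verify("bob", expected_pin_response(sec, "3725"))
    return first, replay, ok                         # (True, False, True)
```

Each exchange reveals one cell or one set of positions to anyone watching the wire, which is why both schemes are layered on top of a password rather than replacing it; the server must also rate-limit wrong answers, since a single grid cell has only 36 possible values.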

Out-of-Band: Banks use out-of-band authentication to verify particularly risky transactions. It requires users to verify their identity through a channel different from the one on which they began the transaction. So if a user initiates something on the web, the bank may require verification through a bank-initiated phone call, email or text message.

Internet Protocol Address (IP) Location and Geo-Location: One of the most transparent modes of additional authentication is checking the user's IP address and its geo-location. These checks verify the user's apparent location and make sure that a user based in Albuquerque isn't making shady transactions from Bulgaria. Strictly speaking this is a risk signal rather than a factor the user presents; if red flags pop up, the user must verify their identity in some other way before proceeding.
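The geo-location check only earns its keep when it feeds a step-up decision like the risk-based ladder described earlier in the article (balance check, payment or small transfer, large wire). The following is an added example that is not code from the article, E*Trade, Corillian or RSA: a small policy engine that maps an action and amount to a base tier, geolocates the source IP against a constructed country table standing in for a GeoIP database, and escalates when the country or network does not match the customer's profile. The tier names, the 5,000 threshold and the address ranges (documentation prefixes) are assumptions.

```python
import ipaddress

# Constructed stand-in for a GeoIP feed; real deployments license one.
GEO_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), "US"),   # customer's home ISP (constructed)
    (ipaddress.ip_network("192.0.2.0/24"), "US"),      # a US hotel network (constructed)
    (ipaddress.ip_network("203.0.113.0/24"), "BG"),    # a Bulgarian range (constructed)
]

# Authentication tiers, weakest to strongest, following the article's ladder.
TIERS = ["transparent", "shared_secret", "out_of_band"]
LARGE_TRANSFER = 5000.0   # hypothetical threshold for a "truly risky" amount


def geolocate(ip):
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE:
        if addr in net:
            return country
    return None   # unknown: treated as a mismatch below, never as a pass


def base_tier(action, amount=0.0):
    """What the transaction alone demands, before location is considered."""
    if action in ("view_balance", "view_statement"):
        return "transparent"
    if action in ("bill_pay", "internal_transfer") and amount < LARGE_TRANSFER:
        return "shared_secret"
    if action in ("bill_pay", "internal_transfer", "wire"):
        return "out_of_band"
    raise ValueError(f"unknown action {action!r}")


def escalate(tier, steps=1):
    return TIERS[min(TIERS.index(tier) + steps, len(TIERS) - 1)]


def required_tier(profile, ip, action, amount=0.0):
    """Return (tier, reasons) for one request.

    profile = {"home_country": "US", "known_networks": {"198.51.100.0/24", ...}}
    where known_networks are prefixes seen on prior successful sessions.
    """
    base = base_tier(action, amount)
    tier, reasons = base, []
    addr = ipaddress.ip_address(ip)
    country = geolocate(ip)
    if country != profile["home_country"]:
        reasons.append(f"geo mismatch: home {profile['home_country']}, "
                       f"request from {country or 'unknown'}")
        # Money movement from outside the home country goes straight to
        # out-of-band; a read-only action moves up one rung.
        tier = "out_of_band" if base != "transparent" else escalate(base)
    elif not any(addr in ipaddress.ip_network(n) for n in profile["known_networks"]):
        reasons.append("unrecognised network for this customer")
        tier = escalate(base)
    return tier, reasons


def needs_prompt(session_tier, required):
    """True when the session has not yet satisfied the required tier."""
    return TIERS.index(session_tier) < TIERS.index(required)
```

Two details matter more than the thresholds: an address the table cannot place is treated as a mismatch rather than silently passing, and the decision is logged with its reasons so that the fraud team can tune the policy from real escalations rather than guesses.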

-- Ericka Chickowski

GREG FRAMKE: A seasoned pro

Greg Framke has a long history of working on technology in the financial services sector. As CIO of E*Trade Financial, Framke oversees the global management of all technology and infrastructure at the firm. Though his degree is in international finance, he has thoroughly educated himself about technology concerns during his 20-year career.

Framke gained expertise early in his career working in marketing and sales management positions at IBM in the financial service category. He later moved on to Wall Street, acting as a principal with Morgan Stanley & Co for equity technology. And prior to joining E*Trade in 2000, Framke was director and global equity technology chief operating officer for Deutsche Bank.
