Two-factor authentication: ask the right questions
If you were to ask a security strategist at a leading financial institution how they might combat banking fraud and online identity theft, their response just may involve the use of a well-known picture or a personal question.

And this would be in line with recommendations from the Federal Financial Institutions Examination Council (FFIEC). Technologies that ask end-users to answer questions about a family member or to recognize a picture are accepted strategies used, along with traditional passwords, by institutions seeking good standing with FFIEC guidelines.

With a bevy of authentication technologies available, most financial institutions have opted for user-friendly solutions, such as visual identifiers, for multiple reasons. For one, some are fearful that end-users will run to a competitor at the first perceived inconvenience. Financial organizations are also cognizant of their bottom lines, often finding that an affordable security tool fits best, even if more expensive solutions are also more robust, says Tim Renshaw, vice president of field applications and evangelism at TriCipher, a Los Gatos, Calif.-based company that issues digital credentials via the web.

“Financial institutions have to do more. FFIEC guidance fails to protect users, but it may have been a success from a public relations standpoint of making users feel that they were better protected by banks,” he says.

These institutions also don't believe that the users are interested in security, he adds. “They believe their primary interest is in convenience, and customers may leave if you raise the inconvenience factor. The fact is that the user isn't much more protected than they were yesterday.”

The FFIEC, established in 1979, is charged by the federal government with assigning uniform principles and standards to the private institutions that save and invest the nation's money. The most recent revision of FFIEC guidelines called for financial institutions to install multifactor authentication processes so customers could confirm their identities with “something they know,” such as a password or PIN; “something they have,” such as a hardware token or smart card; or “something they are,” such as biometric technology.

The requirements were partially a reflection of the threat landscape of more than two years ago, which was dominated by phishers. Still fearful of phishing attacks, customers are most comfortable using applications that they understand, says Greg Fairbanks, solutions marketing manager at ActivIdentity, a Fremont, Calif.-based provider of identity assurance solutions.

“I think it was a response to more media attention around phishing attacks and things like that. I think there will be additional rounds of requirements in the future,” he says. “I think customers want a solution that is very user friendly.”

Avivah Litan, Gartner vice president and distinguished analyst, says that the most popular multifactor tool used in the financial vertical — knowledge-based authentication — is effective, but also the impetus for next-generation attacks.

“Basically, what's being used is knowledge-based authentication, where you ask only questions that home users can answer, like your mother's birthday. Or you can have the user enroll the questions. There's evidence that scammers are phishing for the questions and answers and looking for the information that happens to be the most commonly used today,” she says. “The other widely used technology is PC fingerprinting, and you can do that using cookies, Flash or geolocation information. In addition, many are using fraud detection systems on the inside to look for unusual behavior.”
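As an added illustration (not code from the article or from any vendor it names), here is a minimal version of the "inside" fraud-detection check Litan describes, combining a PC-fingerprint cookie with geolocation over constructed login records; the cookie scheme, the coordinates (assumed to be already resolved from the connection) and the travel-speed threshold are all assumptions.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

@dataclass(frozen=True)
class Login:
    user: str
    device_cookie: str  # PC-fingerprint cookie set at enrollment (assumed scheme)
    lat: float          # geolocation already resolved to coordinates (assumed)
    lon: float
    ts: int             # Unix seconds

def distance_km(a, b):
    """Great-circle (haversine) distance between two logins' coordinates."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def score_login(history, login, max_kmh=900):
    """Return the reasons a login looks unusual; an empty list means none seen."""
    reasons = []
    mine = [h for h in history if h.user == login.user]
    if login.device_cookie not in {h.device_cookie for h in mine}:
        reasons.append("unrecognized device fingerprint")
    prior = [h for h in mine if h.ts < login.ts]
    if prior:
        last = max(prior, key=lambda h: h.ts)
        hours = max((login.ts - last.ts) / 3600, 1e-6)
        if distance_km(last, login) / hours > max_kmh:  # faster than an airliner
            reasons.append("impossible travel since last login")
    return reasons

def review(history, logins):
    """Score logins in order, learning each one after it has been scored."""
    flagged = {}
    for lg in logins:
        reasons = score_login(history, lg)
        if reasons:
            flagged[lg.ts] = reasons
        history = history + [lg]
    return flagged

HISTORY = [  # constructed sample data: one enrolled session near Los Gatos
    Login("alice", "c0ffee", 37.23, -121.96, 1_000_000),
]
NEW_LOGINS = [  # constructed sample data: three later sign-ins
    Login("alice", "c0ffee", 37.23, -121.96, 1_010_800),    # same PC, same place
    Login("alice", "deadbeef", 37.23, -121.96, 1_014_400),  # new browser, same place
    Login("alice", "deadbeef", 50.11, 8.68, 1_018_000),     # same new browser, Frankfurt one hour later
]
```

Only the second and third sign-ins are flagged: the new browser trips the fingerprint check, and the hop to Frankfurt an hour later trips the travel check even though that browser is now "known".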

The financial sector is mindful that the FFIEC guidelines aren't the only form of oversight with which they must contend. Therefore, organizations often look for services or solutions that can help with FFIEC requirements, as well as regulations, such as the Payment Card Industry (PCI) Data Security Standard, says Ed MacBeth, senior vice president, marketing/development at ActivIdentity.

One major complaint lobbed at the FFIEC is that the council did not give institutions a realistic shot at implementing solutions to meet the group's guidance. With the most recent revisions more than two years old, some financial CSOs and CISOs believe that another round of guidelines is in the works.

Glenn Veach, CTO of 2factor, a security breach solutions provider based in Maumee, Ohio, says officers are hoping they are notified of future revisions with enough time to adjust their budgets.

“The biggest complaint about the guidance is that it was released without any lead time for the institutions,” he says.

If the guidance is altered in the near future, a primary reason would be that cybercriminals have adjusted to the last round of requirements. Mass-phishing attacks are now outclassed by targeted attacks aimed at corporate execs and deep-pocketed end-users. Keyloggers are also more prominent than a few years ago, says TriCipher's Renshaw.

“One reason for the most recent revisions was generic phishing. Most things on the list aren't sufficient to battle other attacks. Keylogging, man-in-the-middle attacks — there's no way that the FFIEC guidance could handle those high-scale attacks,” he says.

However, Litan doubts that the FFIEC will alter the guidance in the near future, saying that while the federal government has done its job, the onus for improvement now falls to the financial organizations to improve their security.

Meanwhile, the FFIEC guidelines, announced in late 2005, have a solid legacy as a mandate that effectively increased end-user security, she says.

“It definitely had an impact on online banking. Back in 2005, 95 percent of consumers signed on with a single password, and now 95 percent sign on with more than one password,” she says.

ROOM FOR CHANGE:
FFIEC shortcomings

Man-in-the-middle attacks: The FFIEC guidelines don't recognize the emergence of man-in-the-middle attacks, which can work around two-factor authentication technologies. For such an attack to be successful, a malicious user would have to execute trojans or other malware from a PC or remote proxy server after the victim logs in.

ATM machines: The guidelines also point to ATM machines and PINs as examples of two-factor authentication, without citing the deficiencies of the technology. If the PIN and account number are stolen, ATM cards are easy to counterfeit.

Data at rest: The guidance also fails to call for the protection of data at rest. Attacks that find a backdoor into a network or otherwise circumvent controls can access data even with a working multifactor solution.

Source: Avivah Litan, Gartner research