    Authentication in Banking

    The FFIEC (Federal Financial Institutions Examination Council) guideline recommended the introduction of enhanced security measures by the end of 2006 for all financial institutions offering Internet-based financial services. Although a number of the larger organizations have religiously adopted the FFIEC recommendations, a number of smaller banks have resisted.

    Many smaller institutions view the FFIEC recommendations more as “suggestions” than as literal rules. While this is true to some extent, the benefits these institutions can gain from adherence to the guidelines are significant. Financial institutions offering Internet-based financial services will be audited against the recommendations in the new guidelines, and once the compliance deadline is reached in 2007, federal examiners will document every case where compliance is not demonstrated.

    With compliance effectively mandatory, the question arises whether these recommendations fall short of rules at all. Complying means expanding the security budget, but not complying would mean significant fines in addition to loss of reputation and of customer trust.

    Why comply?

    The continuous growth in cybercrime such as phishing and spam has led to a heightened sense of apprehension towards online financial services, especially Internet banking, within the user community. Enhanced authentication mechanisms supported by specific measures to deal with cybercrime will help alleviate customer fears. Studies indicate that an estimated 56 million households will bank online by 2008. The number could reach record heights if measures are taken to increase security.

    Another big reason to comply is the increase in cyber attacks against small and mid-sized organizations. Many large organizations with a reasonable security budget have implemented stringent measures to counter cybercrime. A number of them such as the Bank of America and HSBC have already implemented stronger authentication mechanisms. This has shifted the focus of the attacks onto the smaller organizations that are more vulnerable because of their smaller IT budgets and, hence, typically weaker security mechanisms. Regulations and compliance aside, an attack could put these organizations out of business as it would mean a major risk to the customers who would become the next obvious targets of the attack.

    What to do?

    The first step to compliance is a Security Risk Analysis, which aims to pinpoint the specific areas of an organization’s IT infrastructure that need an immediate share of the security budget. At the end of this risk analysis, an organization will be able to answer the all-important question: What are we protecting against?

    The next step is to conduct a Cost-Benefit Analysis to ascertain which type of authentication mechanism fits best into organizational budget and business requirements. There are two things that need to be kept in mind while choosing an authentication mechanism: value and ease of use.

    Value at risk

    This is the maximum possible loss that could occur due to the risks that are identified. Quite logically, the cost of protecting an asset should be less than its value. An authentication mechanism that requires more funds to be deployed than the projected losses is hence not profitable.

    Ease of use by the customers

    Another important consideration is whether users are willing to use the enhanced authentication means. A complex or time consuming solution is inconvenient and will often scare away the average user. Customer buy-in is imperative and requires steadfast efforts to generate awareness.

    Methods of authentication

    So how does authentication really happen in the first place? The method by which users can be authenticated is by asking them to produce something that is unique to them. This could be any of the following:

    • Something the user knows: passwords, PINs, pass phrases, etc.
    • Something the user has: token, smart card, etc.
    • Something the user is: fingerprinting, face recognition, iris scanning, etc.

    Some of the authentication methods listed in the FFIEC guidelines are shared secrets, tokens, biometrics, scratch cards, IP address location/geo-location and mutual authentication.

    Shared secrets

    Shared secrets are the oldest form of authentication. They include passwords, PINs, etc. Shared secrets can be used efficiently in mutual authentication, as explained later.

    Tokens and scratch cards

    Tokens and scratch cards are something a user possesses and can be used along with a shared secret to implement two-factor authentication. However, the cost of implementation per customer can be prohibitive for smaller organizations. Customers might also not fancy the idea of carrying a device with them each time they need to use the service.

    Biometrics

    Biometrics uses methods like fingerprinting, face recognition and iris scanning. Each of these requires additional equipment to be installed at the user’s end. Even if the organization has the funds to install scanning devices on user computers, the complexity of biometric authentication could often deter individuals from using it.

    IP address location and geo-location

    IP address location and geo-location involve determining the IP address of the system used by the customer and, from it, the geographic location of the user. If a user is on the move with a laptop, the IP address of the connection and the time taken for Internet communication with the machine are first determined. The communication time is then compared against the distances to known locations. A reasonable match allows further communication; if there is no match, the user must authenticate via telephone. This technique is susceptible to IP address spoofing, and it can only estimate distances for wired clients.

    Mutual authentication with a shared secret

    In this method, a user chooses an image and/or a pass phrase at enrollment and checks that the website displays them at each logon attempt. Only then does the user continue with the regular username-password scheme to authenticate with the website. This method relies only on shared secrets for mutual authentication between the website and the user, and therefore is not two-factor authentication. However, it adds an extra layer of security and can also bolster customer confidence.
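A minimal model of that two-phase flow, added here as an illustration (it is not code from this paper or from any bank's system; the user names and secrets are constructed). The site first proves itself by showing the enrolled image and phrase, and the customer only sends the password after that check passes; note that the site itself still verifies nothing beyond the password, which is why this is not two-factor.

```python
import hashlib
import hmac
import os

# Constructed demo of mutual authentication with shared secrets only:
# the site proves itself by showing the customer's enrolled image and
# phrase; the customer then proves themself with the password.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class BankSite:
    def __init__(self):
        self.users = {}

    def enroll(self, username, password, image, phrase):
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "pw": _hash_password(password, salt),
                                "image": image, "phrase": phrase}

    def show_secret(self, username):
        # Phase 1: site -> user. Only the enrolled image/phrase is revealed,
        # never anything derived from the password.
        u = self.users.get(username)
        return None if u is None else (u["image"], u["phrase"])

    def verify_password(self, username, password):
        # Phase 2: user -> site. Constant-time comparison of the stored hash.
        u = self.users.get(username)
        if u is None:
            return False
        return hmac.compare_digest(u["pw"], _hash_password(password, u["salt"]))

class Customer:
    def __init__(self, username, password, image, phrase):
        self.username, self.password = username, password
        self.expected = (image, phrase)

    def login(self, site):
        # Stop before sending the password if the site cannot show the
        # secret this customer chose; that is the extra layer the paper means.
        if site.show_secret(self.username) != self.expected:
            return "abort: site failed to show my image/phrase"
        return "logged in" if site.verify_password(self.username, self.password) else "rejected"

if __name__ == "__main__":
    site = BankSite()
    site.enroll("alice", "correct horse battery", "cat.png", "blue sky")
    print(Customer("alice", "correct horse battery", "cat.png", "blue sky").login(site))
    print(Customer("alice", "correct horse battery", "cat.png", "blue sky").login(BankSite()))
```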

    What’s best for you?

    The customer is all-important. Choosing the right authentication scheme requires an organization to assess risk in the light of the customer. The overall risk, judged on focal points such as customer type, nature of transactions, sensitivity of customer information and mode of communication, is the first issue any organization should be concerned about. With an understanding of this risk, the choice of authentication infrastructure will bring with it both compliance and business.

    The FFIEC guidelines suggest an improved authentication scheme supported by a strong security policy. The guidelines are a step in the right direction, as they bring with them the promise of credibility for the institutions and a sense of satisfaction for the customer. With regulatory compliance being only a by-product, it is about time that smaller financial institutions eye the profits that can be made by fortifying their defenses.

    This entry was posted in Bank Secrecy, Gramm Leach, Internal Information Systems, White Papers.
