Banks scramble to boost online security

By Sue Hildreth, Contributor
25 Oct 2006 | SearchSecurity.com


By January 2007, anyone who banks online should be better protected against fraud and identity theft. That's because, by the end of this year, all financial institutions – brokerages, banks, credit unions – must add an extra layer of security for high-risk transactions, such as account access and money transfers. A simple name and password combination will no longer be sufficient for most types of transactions.


This increased security is mandated by the Federal Financial Institutions Examination Council (FFIEC), an organization of five financial industry enforcement agencies: the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.

Any institution that is governed by one of those agencies is also covered by the new guidelines. And it also faces a potential fine or other penalty if it fails to comply.

The new rules are leading to a scramble by banks to purchase security technology. They have also produced a surge in sales of identity and access management compliance products. IDC estimates the market shot up 78% in 2006, worldwide, with about half of that growth in the U.S. market.

"Financial institutions are working to get out in front of the deadline," said Rose Ryan, a research analyst for Framingham, Mass.-based IDC. "They're not dragging their feet on this."

Nevertheless, many banks won't make the January deadline. Estimates vary, but Ryan believes that only a little over 50% will complete the first major step, a risk assessment, by the end of the year and be in the process of deploying additional security.

As might be expected, those who are farthest along tend to be larger organizations, which have more IT resources and high-value, high-risk transactions to justify the investment.

"Most of the national and super-regional institutions have done [risk assessment] and many of the smaller ones have too," said Jonathan Penn, principal analyst for identity and security issues at Cambridge, Mass.-based Forrester Research. "Most of the laggards are very small banks and credit unions who just haven't gotten their act together."

Meeting the Mandate

An initial risk assessment can be done by an outside consultant, by internal staff, or automated by risk assessment software. But a risk assessment must be completed before new security technology is deployed.


"The guidance calls for a risk assessment that identifies all high risk transactions through the Internet and call center IVR," said Ed Neumann, managing director for the banking practice at CCPace Systems Inc., a Fairfax, Va.-based consulting firm that provides risk assessment services and software. "For instance, some banks offer wire transfers, or display differing amounts of personal information."

Banks can simply stop offering high-risk activities, he said. But few banks will want to risk losing customers by cutting popular services such as online bill payment and account information. That leaves most banks with the need to adopt a second layer of security, Neumann said.

What kind of extra security?

Banks may turn to hardware-based authentication, such as a smart card or token that can be plugged into the user's USB port. But that is a high-cost, high-maintenance option best suited for high-end customers.

"There's been a flurry of technology innovation over the last 18 months in response to the guidance," said Chris Voice, chief technology officer of Addison, Texas-based Entrust Inc., a security software company that makes fraud detection and authentication products.

At the lowest-cost end of the spectrum, banks might try to add a second password requirement. But that won't satisfy the FFIEC guidance, according to experts.

"The guidelines are very clear that using multiple passwords is not a valid control. But multiple types of 'what you know' authentication – a mix of password plus challenge-response, out-of-wallet questions – is valid. Most banks are doing this as a second factor," Penn said. "But they are usually doing it conditionally, rather than at every login, based on the user profile information."

Penn is referring to software programs that monitor user behavior and compare it to a profile of past behavior to look for anomalies. Such risk-based monitoring tools watch things such as the type of computer normally used, the user's IP address, typical account activities, etc. Only if a user does something odd does the system ask for additional authentication.
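The conditional step-up that Penn and the previous paragraph describe can be shown as a small decision engine. The following is an added example written for this article, not code from any vendor or bank named in it: a stored profile of a customer's past behaviour (known devices, usual networks and countries, largest previous transfer) is compared with a new login or transaction, each anomaly adds to a risk score, and only when the score crosses a threshold is the user asked for a second "what you know" factor (out-of-wallet challenge questions). The profile, the attempts, the weights and the threshold are all constructed assumptions for illustration; a second password is deliberately not offered as the step-up factor, in line with the guidance quoted above.

```python
"""Risk-based (adaptive) step-up authentication, constructed example.

A per-user profile of past behaviour is compared with the attributes of a new
login or transaction. Each mismatch adds to a risk score; only when the score
reaches a threshold is a second 'what you know' factor (challenge questions)
requested. Weights, threshold and sample data are assumptions for this demo.
"""
import hmac
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class UserProfile:
    """What this customer has typically done before (constructed)."""
    user_id: str
    known_devices: set = field(default_factory=set)      # device fingerprints seen before
    usual_networks: list = field(default_factory=list)   # CIDR blocks of past logins
    usual_countries: set = field(default_factory=set)
    typical_transfer_limit: float = 0.0                  # largest transfer seen before


@dataclass
class Attempt:
    """Attributes observed for one login or transaction request."""
    user_id: str
    device_fingerprint: str
    ip: str
    country: str
    action: str              # e.g. "view_balance", "bill_pay", "wire_transfer"
    amount: float = 0.0


# Illustrative weights and threshold; a real deployment would tune these.
WEIGHTS = {
    "new_device": 30,
    "unknown_network": 20,
    "new_country": 40,
    "high_risk_action": 25,
    "amount_above_history": 35,
}
STEP_UP_THRESHOLD = 50          # at or above this score, ask for challenge questions
HIGH_RISK_ACTIONS = {"wire_transfer", "bill_pay", "change_contact_info"}


def score_attempt(profile, attempt):
    """Compare an attempt with the user's history; return (score, reasons)."""
    score, reasons = 0, []
    if attempt.device_fingerprint not in profile.known_devices:
        score += WEIGHTS["new_device"]; reasons.append("new_device")
    addr = ip_address(attempt.ip)
    if not any(addr in ip_network(net) for net in profile.usual_networks):
        score += WEIGHTS["unknown_network"]; reasons.append("unknown_network")
    if attempt.country not in profile.usual_countries:
        score += WEIGHTS["new_country"]; reasons.append("new_country")
    if attempt.action in HIGH_RISK_ACTIONS:
        score += WEIGHTS["high_risk_action"]; reasons.append("high_risk_action")
    if attempt.amount > profile.typical_transfer_limit:
        score += WEIGHTS["amount_above_history"]; reasons.append("amount_above_history")
    return score, reasons


def decide(profile, attempt):
    """Return ('allow' | 'step_up', score, reasons). 'allow' means the user is
    authenticated silently; 'step_up' means challenge questions are required."""
    score, reasons = score_attempt(profile, attempt)
    outcome = "step_up" if score >= STEP_UP_THRESHOLD else "allow"
    return outcome, score, reasons


def verify_step_up(expected_answers, given_answers):
    """Second 'what you know' factor: out-of-wallet answers, normalised and
    compared in constant time. Every expected question must be answered."""
    if expected_answers.keys() != given_answers.keys():
        return False
    ok = True
    for question, expected in expected_answers.items():
        ok &= hmac.compare_digest(expected.strip().lower().encode(),
                                  given_answers[question].strip().lower().encode())
    return ok


# Constructed sample customer: one known laptop, one home network, US only, max transfer $500.
ALICE = UserProfile("alice", {"fp-home-laptop"}, ["203.0.113.0/24"], {"US"}, 500.0)


def demo():
    """A routine balance check passes silently; an anomalous wire transfer is stepped up."""
    routine = Attempt("alice", "fp-home-laptop", "203.0.113.7", "US", "view_balance")
    odd = Attempt("alice", "fp-unknown", "198.51.100.9", "RO", "wire_transfer", 4000.0)
    return decide(ALICE, routine), decide(ALICE, odd)


if __name__ == "__main__":
    for outcome, score, reasons in demo():
        print(outcome, score, reasons)
```

The scoring is additive on purpose: a known device from an unfamiliar network paying a bill scores below the threshold and passes silently, which is the "99% of users authenticated behind the scenes" behaviour described below, while a new device in a new country initiating a large wire transfer accumulates enough signals to trigger the challenge. The reasons list is what a fraud analyst would want logged alongside the decision.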

"Passively monitoring behavior behind the scenes can minimize the disruption to the customer," Voice said.

Amir Orad, vice president of marketing for RSA Consumer Solutions, a division of RSA Security, agrees that monitoring software, which RSA calls "risk-based authentication," is a popular option.

"The beauty is that 99% of users can be authenticated behind the scenes, with no disruption to their online experience," Orad said.

Orad warns that some banks will be tempted to install inadequate or outdated security measures to meet the deadline, then have to re-do it later.

Nevertheless, that is what many will do, said Sally Hudson, IDC analyst in identity and access management.

"Banks will have solutions in place, but they may not be their final solutions," Hudson said. "It's what they can get in now to meet the deadline and then upgrade it as they go."

Sue Hildreth is a freelance technology writer based in Waltham, MA. She can be reached at sue.hildreth@comcast.net.
