Can email fraud be reduced by sending full statements, PKI technologies?

By Robert Westervelt, News Editor
20 May 2008 | SearchSecurity.com


Some banks and financial firms are considering the use of consumer authentication-style PKI products, enabling them to securely send financial statements and account information to customers.


The goal is to cut down on phishers who construct phony email messages and trick customers into clicking a link and ultimately into giving up their personal information, such as passwords and date of birth.

Many banks and financial services firms use pull authentication to email customers, sending them a message to let them know that their statement is available online. A URL to the bank website is usually in the body of the message. The recipient is expected to click on the link and authenticate at the financial institution's website. But the method is less secure and could result in higher fraud rates, said Mark Diodati, a senior analyst at Midvale, Utah-based Burton Group.

Diodati expects the Federal Financial Institutions Examination Council (FFIEC) to issue guidelines on the insufficiency of single factor authentication. The guidance could force banks and other financial firms to send out more secure email to customers.

"The challenge is getting customers away from blindly clicking on URLs," Diodati said. "It's very hard for a user to read a complicated URL and determine if it's from their bank."
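To make the analyst's point concrete, here is an added example that is not part of the article: a defender-side link check of the kind a mail gateway or customer-awareness tool applies to a statement-notification email. It extracts the host a browser would actually contact and compares it with the bank's own domains, which is exactly the judgement a reader is asked to make by eye. The bank domains, allow-list and sample links are constructed placeholders, not any real institution's.

```python
"""
Added example (not from the article): classify links found in a bank's
notification email by the host a browser would really connect to.
All domains and URLs below are constructed placeholders.
"""
from urllib.parse import urlsplit

# Constructed allow-list: domains the hypothetical bank legitimately uses.
BANK_DOMAINS = {"examplebank.test", "statements.examplebank.test"}


def effective_host(url: str) -> str:
    """Return the lower-cased host a browser would connect to for `url`.

    urlsplit separates userinfo ("name@") and the port from the hostname,
    which is the part of a long URL a human reader most often misjudges.
    """
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    return host.rstrip(".").lower()


def is_bank_host(host: str) -> bool:
    """True if `host` is one of the bank's domains or a subdomain of one."""
    for domain in BANK_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return True
    return False


def classify_link(url: str) -> str:
    """Return 'ok', 'insecure' or 'suspicious' for one link."""
    parts = urlsplit(url.strip())
    host = effective_host(url)
    if not host or not is_bank_host(host):
        return "suspicious"          # not the bank's domain at all
    if parts.scheme.lower() != "https":
        return "insecure"            # right domain, but no TLS
    return "ok"


# Constructed sample links of the kinds a customer is asked to judge by eye.
SAMPLES = [
    "https://statements.examplebank.test/login",            # genuine
    "http://examplebank.test/login",                         # genuine host, no TLS
    "https://examplebank.test.secure-login.invalid/login",   # bank name is only a prefix
    "https://examplebank.test@login.invalid/",               # bank name is userinfo, not host
    "https://examplebank-test.invalid/login",                # lookalike domain
]


def report(urls=SAMPLES) -> dict:
    """Map each link to its verdict."""
    return {u: classify_link(u) for u in urls}


if __name__ == "__main__":
    for link, verdict in report().items():
        print(f"{verdict:<10} {link}")
```

The check is deliberately strict in one direction: a link is accepted only when the effective host is the bank's own registrable domain or a subdomain of it, so a URL that merely contains the bank's name somewhere in its text is rejected.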


Robert Weaver, head of IT security at ING Direct in the U.S., said the company constantly measures ways to build security that doesn't affect customer convenience.

"The industry is quickly moving in that direction of getting links entirely out of emails," Weaver said. "The problem is that there is a significant difference in the amount of click through. If it's right there and hot-linked it's a lot easier for the consumer to do it."

Weaver said pushing out statements to customers would be possible but it would take a costly investment in new infrastructure to secure the message. The procedure would not only involve sending out an encrypted email, but it would need a secure envelope and include a message delivery notification.

"It's more than just a run of the mill encryption on an attachment in the email," Weaver said. "It would take a lot more infrastructure. I don't want to have to build a whole secure email distribution service."

The Burton Group's Diodati said customers and financial institutions could benefit if banks distribute account statements via email. Consumers would get the convenience of storing the information securely on their computer and banks would see a cost savings since the process would become paperless.

He said he knows of at least one major financial institution considering a consumer-based PKI product to deliver statements to customers. PKI is a public repository that houses digital certificates used to verify the authenticity of public keys. Joel Dubin, a Chicago-based independent computer security consultant, said PKI technologies were known for their complexity but are improving.

Diodati warns that this method of authentication comes with its own set of security issues. For example, an attacker could hack into an unattended computer, accessing a consumer's bank statements or other private data, he said. Also, many people access their email via POP3, which passes user credentials in cleartext.

"Anyone with a network sniffer along the path can grab the consumer's credentials and re-use them to access the consumer's emails," Diodati said in a blog entry on the issue at the Burton Group's Identity and Privacy Strategies blog.
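What "passes user credentials in cleartext" means at the protocol level, as an added example that is not part of the article or of any vendor's product: a POP3 client sends USER and PASS commands, and unless the connection is already TLS (port 995) or the client first issues STLS and completes the handshake, those commands cross the network readable. The audit below runs over a constructed session transcript of the kind a mail administrator might derive from a capture, and flags sessions whose credentials were sent before TLS protected them. It records only that cleartext authentication happened and the username, never the password.

```python
"""
Added example (not from the article): audit a constructed POP3 transcript for
sessions that authenticated before TLS was in place. "C:" lines are client
commands, "S:" lines server replies; the password shown is a placeholder.
"""
import re

# Constructed transcript with three sessions: legacy plaintext login on port 110,
# a port-110 session that upgrades with STLS first, and an implicit-TLS session.
TRANSCRIPT = """\
session=1 port=110
S: +OK POP3 ready
C: USER alice
S: +OK
C: PASS placeholder-password
S: +OK Logged in.
C: STAT
session=2 port=110
S: +OK POP3 ready
C: CAPA
S: +OK
S: STLS
S: .
C: STLS
S: +OK Begin TLS negotiation
[TLS handshake, remainder encrypted]
session=3 port=995
[TLS handshake, remainder encrypted]
"""

SESSION_RE = re.compile(r"^session=(\d+) port=(\d+)$")


def parse_sessions(text: str) -> list:
    """Split the transcript into {'id', 'port', 'lines'} records."""
    sessions, current = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = {"id": int(m.group(1)), "port": int(m.group(2)), "lines": []}
            sessions.append(current)
        elif current is not None:
            current["lines"].append(line)
    return sessions


def audit_session(session: dict) -> dict:
    """Report whether a USER/PASS pair was sent before TLS protected the session."""
    tls_active = session["port"] == 995     # implicit TLS from the first byte
    user, cleartext_pass = None, False
    for line in session["lines"]:
        if line.startswith("[TLS handshake"):
            tls_active = True               # everything after this is encrypted
            continue
        if not line.startswith("C: ") or tls_active:
            continue
        parts = line[3:].split(" ", 1)
        verb = parts[0].upper()
        if verb == "USER" and len(parts) > 1:
            user = parts[1]
        elif verb == "PASS":
            cleartext_pass = True           # note the event, never the secret
    return {
        "id": session["id"],
        "port": session["port"],
        "cleartext_credentials": cleartext_pass,
        "user": user if cleartext_pass else None,
    }


def audit(text: str = TRANSCRIPT) -> list:
    """Audit every session in the transcript."""
    return [audit_session(s) for s in parse_sessions(text)]


if __name__ == "__main__":
    for r in audit():
        status = "CLEARTEXT" if r["cleartext_credentials"] else "ok"
        who = f" (user {r['user']})" if r["user"] else ""
        print(f"session {r['id']} port {r['port']}: {status}{who}")
```

The STLS command itself is not treated as protection; only the handshake line that follows it is, since a client that sends STLS and then continues in the clear after a failed negotiation would otherwise be missed.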

Still, the FFIEC is not likely to issue specific guidance on sending statements via email, said Don Rhodes, director of risk management policy at the American Bankers Association. Rhodes said he believes the agency has intentionally not issued prescriptive guidelines, "because what works for a big bank might not work for a small one. The guidance gives banks the opportunity to develop an approach that suits their bank."

"I don't think they're interested in being that prescriptive," Rhodes said. "That would be telling someone how to operate a branch and I don't think the agency wants to go down that road."

A recent survey by Cambridge, Mass.-based Forrester Research Inc. found content-aware, policy-based email encryption on the rise. Thirty-two percent of U.S.-based companies said they deployed such email encryption technology to send sensitive messages to customers and employees. The trend is being driven primarily by healthcare organizations that need to comply with the Health Insurance Portability and Accountability Act (HIPAA). The survey was commissioned by email security vendor Proofpoint. It received 424 responses from companies with 1,000 or more employees.

Still, the survey found that among companies with such encryption capabilities, less than half of the email that should be encrypted is actually sent in that form. Proofpoint spokesman Keith Crosley said the finding suggests there is still a great need for more advanced email encryption solutions in today's enterprise. He said using policy-based encryption is still an expensive endeavor.

Crosley sees growth in the financial services industry, where there is a big concern about consumer financial data leaking into the wrong hands.

"Healthcare leads the way because there is such a big requirement," Crosley said, "but there's a big uptake in encryption for banks, retailers and online merchants."
