FFIEC Authentication: The Need for Out-of-Band Mobile Viable, But U.S. Banks Are Slow Adopters
Fraud is winning in the fight against cybercrime. Why? Because financial institutions continue to rely on ineffective technology and controls, says fraud analyst Tom Wills says.

Wills, a senior analyst of risk, security and fraud for Javelin Strategy & Research, says banking institutions are relying on risk controls that are out-of-date and inadequate to meet today's threats. From ATMs to call centers and now mobile, banks are being attacked in ways they never imagined.

Wills' insights come at a time when the Federal Financial Institutions Examination Council has released its updated online authentication guidance which calls for stronger multifactor authentication to help mitigate the risks.

New technology and guidance certainly helps in combating cyberattacks, Wills said. "But any technology solution should be supported by empowering the risk management team to act as independently and as quickly as possible," he says in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].

Out-of-band authentication is the most viable option, Wills says, because it happens on a different channel than the one that carries the credentials provided by the customer. Wills recommends institutions consider very closely the mobile option for out-of-band. "Your cell phone is something you have, and at least with post-paid cell phone plans in the United States, there is some level of KYC that is required to get a mobile account," he says.

Yet compliance requirements shouldn't be the only measure driving security and fraud investments. "Make sure that you have a comprehensive risk assessment done, and then update it at least once a year or whenever a new material threat surfaces," Wills said. "And of course that means keeping yourself informed on a daily basis. It's really, really important to stay on top of the threat landscape here."

During this interview, Wills discusses:

  • Why banks need mobile as an out-of-band authentication layer;
  • How learning from what institutions overseas are doing in the way of authentication, through out-of-band measures that rely on biometric voice recognition and other emerging technologies, can help U.S. banks and credit unions intelligently compare vendor solutions;
  • Why the lack of budgetary agility is a bigger problem for most fraud departments than inadequate technology.

Wills serves as an independent senior analyst of risk, security and fraud for Javelin, where he leads the firm's strategic risk management, security, fraud, and compliance advisory services.

Today's Anti-Fraud Technology

TRACY KITTEN: Many financial institutions have made significant investments in anti-fraud technology that aims to secure their online banking channels. But it's clear from the recent uptick in corporate account takeover incidents, the phishing attacks and the malware behind them are increasing in sophistication. They are increasing at a rate with which many banks have not been able to keep up. How do you view anti-fraud technology most financial institutions continue to rely on today?

TOM WILLS: Unfortunately, the vast majority of banks are relying on a set of risk controls that is out-of-date and not at all adequate to meet the material threats that are out there today. The evidence of that that we're seeing is just simply the number of security breaches that just keep coming. Institutions of all shapes and sizes are getting hit with new kinds of attacks that nobody imagined just a few years ago. Zitmo is a great example of that, and they are getting hit in multiple service channels, not just mobile, but ATMs, call centers, the Internet. And now mobile has been added to that. In my view the industry is getting rather beaten up at the moment. I think the basic problem behind that we're seeing is not necessarily technological, even though it's being played out through technology.

What I mean by that is I think the basic problem is systemic and it's organizational. It's in the bank's lack of ability to react fast enough to the new waves of threats, and it's basically what we're seeing is a kind of asymmetric warfare. You remember that term asymmetric warfare was first used in reference to terrorist attacks, where the terrorists were able to inflict massive damage using tools that were extremely easy and inexpensive to obtain and use. The classic example of that is of course the Al Qaeda hijacker using box cutters to bring down an airplane on September 11th. The comparison point here is that even though the banking industry has tremendous resources compared to the hackers that are going after them to deploy technology and to fight fraud, the industry is being toyed with by a group of cyber thugs, and judging by the arrests that have happened in the past couple of months, a lot of them are teenagers. There is a real asymmetric situation that is going on here.

Steps to Improve

KITTEN: Where could financial institutions make improvements when it comes to the technologies that they are investing in to build on what they already have?

WILLS: That would take way more time than we have in a podcast to go over that thoroughly, but I'll offer a few basics. The first is, and again not only being based on technology, it's to develop the ability within the organization to react much faster than you can today to the new threats that are coming out. Technology definitely plays a part in that - don't get me wrong here. We can help by deploying better authentication and transaction analytics, and some of the new solutions from companies like Guardian Analytics, Iovation, Trusteer and RSA can definitely help to get a bank out from behind the eight ball here, but any technology solution should be supported by empowering the risk management team to act as independently and as quickly as possible.

What we are looking for is agility here, not just technology, giving the team an adequate budget for them to be effective. I've worked with institutions, large ones and medium size ones, where there were layers and layers of committees, approvals and red tape that had to be obtained before making a software purchase could be approved. I understand that what I'm really advocating is not so easy today with budgets being under pressure in the financial institutions. But the budget should be ... certainly considered by top management and given a high priority. The budget should also of course be supported by a risk analysis, showing what you stand to lose financially vs. what you have to spend to protect against those losses. To summarize that, technology certainly has its place but there are some organizational and budgetary factors as well.

FFIEC and New Solutions

KITTEN: That is a great point that you make about budgets and all the different things that institutions are looking at when it comes to cutting expenses and then trying to make wise investments. I wanted to ask you, in light of the new FFIEC guidelines, many institutions of course are considering investments in new technology. But how should banks analyze these new solutions before they make a decision to buy? How can they adequately compare the many solutions that are now available in the market?

WILLS: It's really hard to do this kind of analysis because the creativity and the imagination that we're seeing on the black-hat side, on the hacker side, is being met by a lot of creativity and innovation on the vender side of things to come up with solutions both in authentication and back into analytics. It's actually pretty hard to do an apples-to-apples comparison of different vendor solutions. A lot of the times vendors actually don't help too much because they don't want you to dig too deeply because they might lose a sale. I would say outsource this work. And maybe this is a bit of a shameless plug but get a hold of all the reports like the annual comparison of mobile authentication vendors that we deal with at Javelin, which is something that is done by a dedicated team that is really digging under the hood with some of these complex technology offerings that are out there. You'll end up with a much smarter basis to make a purchasing decision.

KITTEN: Multilayered authentication is something that we continue to hear and read about, and there are countless vendors in the market today that are pushing their solutions. Everything from biometrics that relies on voice recognition to tokenization has been tagged as being superior to the competition. How can institutions evaluate these solutions to determine which solution best fits their needs?

WILLS: Well again I don't have a simple answer to that unfortunately, because it's the whole plethora of different offerings with different features and different functionalities that are out there. I guess my advice would be once again to stay on top of the technology landscape as well as the threat landscape, making sure that there's someone on your risk management team who is tapped with doing that. Keeping up with business intelligence essentially should be part of their job description. Subscribe to the right reports, subscribe to the right blogs and basically try and outsource the work of doing the analysis because you can really get bogged down on it. There is literally so much complexity out there on the number of vendor offerings. That is probably the best advice I could give there.

Types of Authentication

KITTEN: When we're talking about authentication we have different types of authentication to consider. What about out-of-band versus in-band authentication. Can you define the nuances or differences between the two?

WILLS: Sure, I'll just quickly explain the differences there. Out-of-band authentication simply means that the request from the bank, from the bank's server, through authentication credentials like your user name, password and whatever extra factor is being used, that information goes out over a different channel from the one that carry the credentials provided by the customer. An example of that is the customer is logging into a webpage. The request comes in by the web or HTTP but a token ... is used to generate a one-time password which is not happening over HTTP. The request comes in over the web, but the reply goes back over a different channel.

In-band on the other hand means that the request and the credentials go out or they come in and they go out over the same channel. The user name, password and additional authentication factors are requested in a web page and the customer enters that information in fields in the same web page. In-band is less safe because if the channel is compromised, say by the man-in-the-middle attack, the attacker now is able to just harvest all of the credentials that are going back and forth, as well as the request for the credentials, and go back and access the account much more easily. Out-of-band, all other things being equal, is a safer method than in-band authentication.

KITTEN: What role does and should the mobile channel play in a bank's plan for stronger online authentication, especially when we consider this out-of-band authentication?

WILLS: I would recommend considering very closely the mobile option to do out-of-band authentication. It's great because it can work as an additional authentication factor. It's something you have. Your cell phone is something you have, and at least with post-paid cell phone plans in the United States, there is some level of KYC that is required to get a mobile account. You need to go in and show your government ID to the phone dealer and you need to have a credit check run to open your mobile accounts. There is a fair amount of strength in the identity that is provided by a mobile phone. That is one point.

The second is, where mobile is useful is that technically it can work, as I described just in the last question, as a separate channel for the out-of-band authentication that we were talking about.

Mobile Authentication and U.S. Institutions

KITTEN: Where do you see most U.S. banking institutions currently missing the mark when it comes to mobile's ability to offer this second layer of authentication?

WILLS: In most cases they simply haven't implemented these type of solutions yet. It took about three years from when the FFIEC guidance on multifactor authentication came out ,which I believe was 2005, to when it was implemented by the vast majority of institutions in the U.S., which was around the middle of 2008. It took all of that time, and during the time that it took to do that implementation, the hackers were getting busy analyzing the "chinks in the armor" if you will and coming up with ways to go around it. I wouldn't say banks are missing the mark in terms of considering this technology but it's just now out there and it's not deployed fast enough. I've seen very few places where it's deployed in combination with a very robust risk management and security program that includes ongoing risk analysis, back-end analytics, strong application security and other things. I guess my main point is the authentication is just one piece of a broader information security program that needs to be in place to make it robust. I'm not seeing too much of it at the moment.

KITTEN: What lessons could U.S. institutions perhaps learn from overseas institutions where the use of mobile for out-of-band authentication is more widely spread?

WILLS: Around the world, I'm seeing a lot of banks experiment with some of the newer methods of authentication like voice biometrics for example. And I would encourage U.S. banks to pay more attention to what's going on offshore internationally, to follow some of these banks that are using some of the methods that are less tried-and-true, that hold a lot of promise, and attend the conferences, listen to the presentations off of the case studies and try to get some idea of how these things are actually working in the real world. If you listen to a vendor pitch, they are going to show it in the best light. That is, naturally, to be expected. But in real life these technologies are a considerable investment. They are often a half a million dollars to purchase the package and the support package. Watch the banks that are implementing these things outside of the states, and pay attention to what is happening and learn from them.

In Singapore where I live it's interesting. Banks are still into issuing one-time password tokens, the RSA tokens, to the consumers. I'm not a big fan of those things from a user-friendly point-of-view, but they do, as long as the vendors' back-end database isn't compromised, offer some fairly strong security. The banks in Singapore have opted for more security vs. usability and user-friendliness. I'm not sure if the banks in the U.S. with a much more competitive environment could get away with that.

Compromising the Mobile Channel

KITTEN: That's right; it's a good point that you make. It might not work well here, but at least we could perhaps take variations of things taking place in different parts of the world. I wanted to go back to some of the discussion made earlier about manning the mobile attacks or these MITM attacks. Should banks be worried about compromises of the mobile channel if they do decide to lean on mobile for stronger authentication?

WILLS: They should absolutely be worried about it. But as always, authentication in the mobile channel and authentication in any other channel has to be part of a layered defense system. It can't be the only control that you put up there. Any good security design of a mobile banking system or a mobile payment system has to start with the premise that one of the controls can get compromised with enough determination and time, and you know these hackers do have determination and time. They have a big motivation. We're really talking about the bank robbery of the 21st century here. Put up as many barriers as possible, but also put in your other layers. You have to have a complete risk management security system. Don't deploy these things in isolation.

KITTEN: Before we close, what final thoughts would you like to leave our audience with as they relate to anti-fraud investments generally, and steps institutions should be taking to incorporate mobile into their authentication practices?

WILLS: I would say number one, and I may be sounding like a broken record saying this because I've been saying it for several years now, don't let your security and fraud investments be driven only by compliance requirements. Compliance does not equal security. Make sure that you have a comprehensive risk assessment done, and then update it at least once a year or whenever a new material threat surfaces. And of course that means keeping yourself informed on a daily basis. It's really, really important to stay on top of the threat landscape here.

Second thing is: don't just rely on technology as I mentioned before. Empower your risk management team to act quickly and act independently when a new threat comes up. Give them some serious consideration to their budget requests, backed by the proper analysis. I just want to make a closing point about the malware that we've seen in the mobile space in the past 12 months because it was a threat before but it hadn't actually been realized. We've just seen an explosion of malware, especially with Android because of the fact that Android is an open-source platform for mobile. We have credible variances of online banking Trojans like Zeus, Zitmo, that have hit the market and mobile channel, and they steal user names and passwords from users. We have malware that will turn the phone into a brick that will just shut it down and cause denial of service. We have malware that deletes critical data on the phone and will just shut it down. It's very important to pay attention to these things and be able to react when they come up within a matter of weeks and months, not a matter of years.

Around the Network