Multi-Factor Authentication Takes Hold
Lee Carter, President of Online Banking at Zions Bank in Centerville, UT, was on the panel and voiced optimism about the multifactor authentication guidance. Describing Zions Bank's implementation of its new authentication method, he said, "It was days if not hours after the implementation that we had people [hackers] banging on our front door trying to figure out what we were doing. They were pretty persistent, and put up phishing sites to try to figure it out, we got those taken down, and they since have stopped." Carter said Zions Bank customers were well aware of the changes: the bank had advertised heavily for up to 45 days before the implementation and sent information to its customers prior to the cutover, so they would know what to expect. Despite Zions Bank's success, Carter expressed concern for smaller institutions "who have not implemented a solution yet, because more structured things may be coming their way, because they [phishers] will move to where they think they have new ground to plow."
The panel noted that phishing attacks were up an estimated 40 percent in the last year, and suggested that this may point to phishers trying to get in as many attacks as possible before institutions implement stronger authentication for their customers.
"From an industry perspective, I think most of the community financial institutions are ahead of the curve as far as the adoption of multifactor authentication because they don't host/manage their Internet Banking infrastructure. Typically, financial institutions have their Core Provider host their Internet Banking website, and most Core Providers already have adopted some form of multifactor authentication," said audience member Matt Riley, CTO and VP of Security at Gladiator Technology Services, a managed security service provider for financial institutions.
The panel noted that regulatory agencies gave signals two years before this guidance came out. So what might be next? While the authentication guidance deadline was fairly short in comparison to previously issued guidance, a less dramatic movement toward mutual authentication and encryption may be a possible next step, noted panelist Doug Johnson, senior policy analyst for the American Banking Association.