New Authentication Guidance Coming?
Experts Weigh in on What's Needed to Improve Strong Authentication
Sources within the agencies confirm that a subgroup of the Federal Financial Institutions Examinations Council is currently looking at amending its 2005 strong authentication guidance. But there are no solid indications of when the new guidance might be issued or what it will include.
In anticipation of this new guidance, industry experts offer their assessments of what's right and wrong with the current authentication guidance, as well as what should be expected from the new.
'Badly Misinterpreted'
When it was first revised five years ago, the FFIEC guidance was "badly misinterpreted" by the industry, according to George Tubin, an analyst at Tower Group. "Everyone read multifactor authentication and thought that was the only thing that mattered."
Among the topics covered in the 2005 guidance:
- Customer Account Authentication -- Where the risk assessment indicates that single-factor authentication is inadequate for the types of services offered, institutions should employ multifactor authentication, layered security or other controls.
- Monitoring and Reporting -- Institutions should have policies and procedures in place that adequately monitor system access. If they detect unauthorized access to applications or members' accounts, they must report it to local law enforcement.
- Customer Awareness -- Customer education is critical in terms of reducing account fraud and identity theft. Institutions should implement a customer awareness program and evaluate current education efforts to determine if additional steps are necessary.
Some analysts believe the existing guidance already contains the core elements necessary to protect online transactions. Namely, banking institutions should assess the risks for their electronic banking applications and channels and implement controls commensurate with those risks.
"The problem is that the guidance the FFIEC issued was confusing because they talked a lot about multifactor authentication and Internet banking only, as opposed to all electronic banking," says Avivah Litan, an analyst at Gartner Group. She suggests the FFIEC needs to issue an FAQ and restate "the good, core principles of their guidance."
Security and privacy expert Rebecca Herold says that the instructions need to be more detailed and accompanied by examples so that they are easy to understand. "The guidance that was provided made sense," she says, "but it was too high-level for many small- to medium-sized banks to be able to actually implement with their lack of staff and expertise available to do such implementations."
Needed: Non-Prescriptive Approach
Security experts agree that it is best for regulators to stay out of the business of prescribing specific technologies or approaches. According to Tom Wills, a senior analyst at Javelin Strategy and Research, a "non-prescriptive" approach is best. The reason: Regulators, by nature, are always going to be behind the curve in enacting mandatory security controls.
The 2005 FFIEC guidance was basically obsolete by the time it was widely implemented, Wills says, and new attacks will continue to evolve at lightning speed compared to the "snail's pace" at which regulators work.
"A voluntary approach by the banks, based on total risk management, would be the most effective way to assure the security of online banking," Wills says. "I think the regulators should focus more on assigning liabilities than prescribing technical controls."
In the end, a non-prescriptive approach may be the only solution that regulators could offer financial institutions because of the wide range of sizes and sophistication among the thousands of banks and credit unions in the country. The idea of "one-size-fits-all" doesn't work well in the financial services industry, says David Navetta, an attorney specializing in information security and privacy law.
Faces of Authentication
The protection of online banking accounts is best done by using a layered approach to authentication. This approach is only just beginning to be seen in the marketplace, says Javelin's Wills. The layered approach to authentication should build on the FFIEC minimum of user name and password plus an additional factor that can include the following approaches:
- Out-of-band authentication - This method sends the additional authentication factor to the user via a different channel from the one he or she is using to access the bank site. For example, a one-time password sent via text message to the user's mobile phone when logging in with a web browser on a PC. The user has to enter the correct OTP within a short time window (usually a few minutes) in order to initiate the session. This authentication helps against man-in-the-middle attacks.
- Out-of-band transaction verification - This sends a verification request to the user in the same way as out-of-band authentication, so that the user is required to review and authorize a high-risk transaction that takes place within an online banking session before the transaction is allowed to proceed. This authentication method helps against MITM and man-in-the-browser attacks.
- Device identification - This authentication method uniquely identifies the software and hardware being used to access the online banking session. The device, in effect, becomes an authentication factor. This method helps against fraudsters' attempts to manipulate that information, such as spoofing IP addresses or deleting cookies.
- Mutual authentication - In addition to authenticating the user to the site, this method authenticates the site to the user. The most prevalent way of doing this is with Extended Validation SSL certificates. EV/SSL causes the address bar in the browser to turn green when the user is on the bank's actual website. Other methods include displaying electronic seals served by the bank's server and displaying a user-selected icon in the browser when the user is accessing the genuine bank server. This method helps against phishing, DNS cache poisoning, and other redirect attacks.
- Transaction monitoring - This is not strictly an authentication tool, but monitoring online sessions for high-risk activity such as known trojan behaviors, both at initiation and while the session is in progress, is a very strong complement to the other authentication techniques described here. Flagged activities have to be acted upon in real time - examples of appropriate responses include sending an alert to the user or an out-of-band transaction verification as described above, blocking access to the online account, or blocking the bank account. This approach helps against all types of fraud attacks.
- Browser-based controls - Institutions can use client-side tools that lock down the user's web browser against malware infection and exposure of sensitive data. This approach helps against a wide array of online fraud attacks, particularly MITM and MITB.
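The out-of-band authentication and out-of-band transaction verification items above differ in one important detail: a login OTP proves only that the user holds the phone, while a transaction verification code is tied to the specific payee and amount the user saw on the second channel, which is what defeats a man-in-the-browser that silently rewrites the transaction after login. The following is an added example, written for this article and not code from any bank or vendor mentioned in it, of a verifier that enforces that binding together with the short time window, single use, and an attempt limit. The five-minute window, the three-attempt lockout, the `OutOfBandVerifier` class and the `sent_messages` list standing in for the SMS channel are all assumptions chosen for the illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # assumed "short time window" for the code
MAX_ATTEMPTS = 3        # assumed number of wrong guesses before the code is discarded


@dataclass
class PendingVerification:
    """One outstanding approval request, bound to the transaction it covers."""
    code: str
    payee: str
    amount_cents: int
    issued_at: float
    attempts: int = 0
    used: bool = False


class OutOfBandVerifier:
    """Issues a one-time code for a specific transaction and checks it on submission.

    The clock is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}        # txn_id -> PendingVerification
        self.sent_messages = []   # stand-in for the SMS/voice channel (constructed)

    def request_verification(self, txn_id, payee, amount_cents):
        """Generate a fresh 6-digit code and 'send' it with the transaction details.

        The message repeats payee and amount so the user can notice if the browser
        session shows something different from what the bank actually received.
        """
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[txn_id] = PendingVerification(code, payee, amount_cents, self._clock())
        self.sent_messages.append(
            f"Approve payment of ${amount_cents / 100:.2f} to {payee}? Code: {code}"
        )
        # Returned here only so the demo can play the role of the user; a real
        # system delivers the code on the second channel and never echoes it back.
        return code

    def verify(self, txn_id, payee, amount_cents, submitted_code):
        """Return (approved, reason) for a code submitted through the web session."""
        p = self._pending.get(txn_id)
        if p is None or p.used:
            return False, "no pending verification"
        if self._clock() - p.issued_at > OTP_TTL_SECONDS:
            del self._pending[txn_id]
            return False, "code expired"
        p.attempts += 1
        if p.attempts > MAX_ATTEMPTS:
            del self._pending[txn_id]
            return False, "too many attempts"
        # The code only approves the transaction the user was told about. A
        # man-in-the-browser that swaps the payee or amount after the user
        # approved cannot reuse the same code for the altered transaction.
        if payee != p.payee or amount_cents != p.amount_cents:
            return False, "transaction details do not match what the user approved"
        # Constant-time comparison so response timing leaks nothing about the code.
        if not hmac.compare_digest(submitted_code.encode(), p.code.encode()):
            return False, "wrong code"
        p.used = True   # single use: a replayed code is rejected
        return True, "approved"


def demo():
    """Walk through the honest flow and a tampered one; returns both outcomes."""
    v = OutOfBandVerifier()
    code = v.request_verification("txn-1", "ACME Supplies", 125000)
    tampered = v.verify("txn-1", "Mule Account", 125000, code)    # MITB rewrote the payee
    honest = v.verify("txn-1", "ACME Supplies", 125000, code)     # what the user approved
    replay = v.verify("txn-1", "ACME Supplies", 125000, code)     # same code again
    return tampered, honest, replay


if __name__ == "__main__":
    for label, result in zip(("tampered", "honest", "replay"), demo()):
        print(f"{label}: {result}")
```

Because the approval message names the payee and amount, the user is the second check on the transaction, not just on the login; the server-side binding is what makes that check enforceable even when the browser itself is compromised.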
Regulatory Action Ahead
The continuing rise in corporate account takeovers and ACH fraud has some in the industry wondering how soon regulators will move in to protect banking customers -- especially businesses. "The greatest motivation is knowing that significant sanctions and penalties will be applied," says Herold.
If the fraud incidents were targeting consumers, Navetta believes there would be faster action. The issue of corporate account takeover is mainly a business-to-business dispute, which is probably why regulators have not been as active, he says. This will become a bigger issue for banks, as more may face litigation and potential liability for online banking.
"Perhaps regulators are waiting to see if this litigation/liability threat acts as enough incentive to spur on change," Navetta says.