Bank's Road to Stronger AuthenticationCase Study: Why Phone Verification Made Sense
A recent wave of fraudulent wire-transfer attempts convinced United Bank & Trust that it needed to invest in two-factor authentication to protect itself and its customers.
See Also: Top 50 Security Threats
"It just takes one transaction," says Marsha Whitehouse, vice president of treasury management for the $1 billion bank based in Ann Arbor. "That incident that we caught could have cost us over $10,000. And it's not just the monetary loss; it's the reputational risk you have to deal with."
All banks should consider that risk when building an authentication strategy, Whitehouse says - particularly when looking to conform to the FFIEC's updated Authentication Guidance.
In April 2011, soon after word of the expected guidance started to circulate, United Bank began assessing its online risks, in anticipation of the updated guidance.
The primary areas of improvement called for in the updated Authentication Guidance revolve around the need for institutions to invest in more layered security controls, including multifactor authentication, regular and ongoing risk assessments, and more education for customers and members about emerging online fraud threats.
"One thing we kept hearing was that you need to increase your security," Whitehouse says. "Username and password are just not enough, and we know that."
United Bank's customer base comprises small businesses. Knowing that small businesses are increasingly targeted by cybercriminals, the bank wanted to enhance its authentication and begin steps toward FFIEC conformance.
During the risk-assessment phase, the bank commissioned an external audit to identify conformance gaps. Its IT and risk departments met to determine where online security could be enhanced and they gathered information from other institutions about the technologies they were reviewing.
In the end, United Bank determined it needed to improve its authentication practices by adding an additional layer to its username and password authentication.
In October 2011, United Bank implemented two-factor authentication for ACH and wires initiated online. The technology, provided by PhoneFactor, adds a critical layer of security, Whitehouse says.
PhoneFactor's second-factor authentication secures account logins and transactions. The verification can be provided in one of three ways: through a phone call, text message or downloadable mobile application. United Bank chose the phone option.
Once an ACH or wire is initiated with a username and password, an automated phone call is immediately made to the client. To confirm the transaction, the client must answer the call and enter a PIN. No funds are transmitted without the confirmation. The two-factor authentication process combines username and password - "something you know" - with a telephone - "something you have" - satisfying the FFIEC's recommendation for multifactor authentication, Whitehouse says.
United Bank now expects to be in full conformance with the updated FFIEC Authentication Guidance, she adds. "Our [external] auditor liked the PhoneFactor authentication strategy, and that makes us feel confident," she says.
The bank now requires all of its corporate clients to use the phone-call authentication method for all high-risk transactions.
"We hold on to that transaction until we get it authenticated, so a fraudulent transaction would never make it to the bank's back-end for processing," Whitehouse says.
Before choosing PhoneFactor, United Bank considered tokenization, which requires that a security code sent to a fob be entered online to authenticate a transaction. But after talking with clients, United Bank concluded that hardware tokens weren't attractive.
"Our clients said they hated them," Whitehouse says. "Tokens are easy to lose, easy to break and are hard to manage."
After ruling tokens out, Whitehouse says PhoneFactor made the most sense.
"This was a non-intrusive and convenient process to use," Whitehouse says, because everyone has a phone and knows how to use it. The authentication method is not complicated or overly technical.
"We found that there wasn't a lot of education involved, because the phone was being used as the security device," Whitehouse says. "We found that the clients really liked that; it was easy for them.
"It also was a cost-effective solution that could ensure we were [FFIEC] compliant," she adds. "That was important."
Integrating PhoneFactor into United Bank's online-banking platform went smoothly. "We had already been using PhoneFactor internally for our employees with remote access, so we were familiar with how it worked," Whitehouse says.
To manage the rollout, United Bank launched PhoneFactor one client at a time to every employee within each client organization. The rollout started with high-risk clients - those with the highest transaction and monetary volumes.
"We had to be sure we provided this to everyone, since anyone could be touching a transaction," Whitehouse says.
United Bank's "one client at a time" approach to its rollout proved beneficial.
"Other banks may decide to handle their projects differently, but we found that by working closely with our clients, we eliminated confusion," she says. "One of our larger customers said he was pleasantly surprised by how simple this process was, and that was a nice thing to hear."