What is Effective Authentication?
Top Methods for Conforming to FFIEC Authentication Guidance
The FFIEC will begin checking for conformance with the updated guidance in January 2012, which includes stipulations for adequate multifactor authentication and ongoing internal risk assessments.
Multifactor authentication, as it's defined by the FFIEC, comprises three basic factors:
- Something the user knows [e.g., password, PIN];
- Something the user has [e.g., ATM card, smart card]; and
- Something the user is [e.g., biometric characteristic, such as a fingerprint].
While various authentication techniques may be effective, every method can be compromised. Layered security, therefore, is suggested as being the most effective.
Here is a list of some of the authentication measures regulators and experts suggest banks and credit unions employ to effectively thwart cyber-fraudsters.
Out-of-Band Authentication
Out-of-band authentication validates online transactions through an outside channel, such as a mobile device. This technique is deemed effective at curbing fraud that results after a desktop PC is compromised.
In "review and respond" authentication, a text alert can be sent to a consumer's mobile phone after a transaction is initiated. If the transaction is fraudulent, the consumer can immediately call the card-issuing bank or credit union to alert the institution.
Using "review and release" during a card-not-present transaction, the consumer can approve or deny a purchase via SMS/text message or phone call.
Improved Challenge Questions
Today, most banking organizations require challenge questions for web authentication, but those questions have been criticized by regulators for being overly simplistic and easy to compromise. Question responses that involve a user's date of birth or pet name - information that many users divulge freely on social networks - are not considered strong when it comes to authenticating identity.
By asking more specific questions, whose answers cannot be easily found on social networking sites like Facebook and Twitter, financial institutions can better protect their customers and members.
Challenge questions should be out-of-wallet, meaning, if a thief stole a person's wallet, the information in it couldn't be used to answer a question, such as "What year were you born?" Some possible questions include:
- "What year was your first child born?"
- "What was the model year of your first car?"
Biometrics
Biometrics is an effective authentication method that relies on "something a person is." Fingerprint recognition and facial recognition are gaining greater acceptance in the biometrics realm.
Smartphones could aid in the development of biometric authentication. Inexpensive software installed on a mobile device, such as an iPhone, could be used to scan an iris or record a voice, producing a biometric for authentication.
Tokens and Scratch Cards
Tokens [something a person has] are another method. Tokens are self-contained devices that physically connect to a computer or device. They often have small screens where one-time passwords are displayed, providing users with codes to enter for transaction authentication.
While they create an additional layer of security, tokens are prone to fraud, as the recent breach of RSA's SecurID tokens proved.
Scratch cards offer a less-expensive alternative, but have their vulnerabilities as well, since they're easy to lose. A scratch card is similar to a bingo card and contains numbers and letters arranged in row-and-column format. When verifying or authenticating a transaction, the user is asked to select characters contained in a randomly chosen cell or column on the scratch card.
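To make the row-and-column scratch card concrete, here is an added example (not from the article or any vendor) of the server side of such a scheme: issuing a card, picking random cells as a challenge, and verifying the user's response. The 5x5 grid, three-cell challenge and alphabet are assumptions.

```python
import hmac
import secrets
import string

# Constructed card layout: rows A-E, columns 1-5, one character per cell.
ROWS = "ABCDE"
COLS = range(1, 6)
ALPHABET = string.ascii_uppercase + string.digits


def issue_card():
    """Generate a fresh card with a cryptographically random character per cell.
    The bank stores this; the customer receives it printed."""
    return {(r, c): secrets.choice(ALPHABET) for r in ROWS for c in COLS}


def make_challenge(card, cells=3):
    """Pick `cells` distinct random coordinates, e.g. ['B3', 'E1', 'A5'].
    Each challenge must be used once: a keylogged answer then only exposes
    those cells, and the card should be reissued after enough challenges."""
    coords = list(card)
    chosen = []
    while len(chosen) < cells:
        pick = coords[secrets.randbelow(len(coords))]
        if pick not in chosen:
            chosen.append(pick)
    return [f"{r}{c}" for r, c in chosen]


def expected_response(card, challenge):
    """Concatenate the card characters at the challenged cells, in order."""
    return "".join(card[(cell[0], int(cell[1:]))] for cell in challenge)


def verify(card, challenge, response):
    """Constant-time comparison so timing does not leak matching prefixes;
    the response is normalised to upper case for usability."""
    expected = expected_response(card, challenge).encode()
    given = response.strip().upper().encode()
    return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    card = issue_card()
    challenge = make_challenge(card)
    print("challenge:", challenge)
    print("valid:", verify(card, challenge, expected_response(card, challenge)))
```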
IP Address and Geolocation
Monitoring a user's IP address can be effective when it comes to device identification. But IPs can be spoofed easily, and the advent of mobile browsing has given IP addresses a fluid nature they did not have in the past.
Vendors have begun offering software that identifies several data elements, including location, anonymous proxies and domain name.
Geolocation, on the other hand, determines where a user is or is not. Software inspects and analyzes small bits of time required for Internet communications to move from endpoint to endpoint across the network. The electronic travel times are converted into cyberspace distances. After these cyberspace distances have been determined, they are compared with cyberspace distances for known locations.
The problem with geolocation, however, is that it currently produces results only for land-based or wired communications; it's not ideal for wireless networks.
Anomaly Detection
While improving authentication at the customer end is critical, financial institutions can't guarantee fraud is being mitigated. Anomaly detection should be a minimum requirement, experts say.
Device identification and log analysis play key roles in verifying user transactions. Both techniques, when used together, can shed light on behavior that could otherwise go undetected.
Anomaly detection works at an individual account holder level. It seeks to monitor an account holder's specific online behavior. If a user is performing unusual actions, anomaly detection will spot that.
Device identification helps indicate if a device logging in is trusted or not. When combined with other anomaly detection and anti-malware techniques, the institution can create a very comprehensive solution.
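As an added illustration of per-account anomaly detection combining device identification with log analysis (example code, not from the article or any product), the script below builds a baseline for each account from its own history and flags an event only when several independent signals fire together. The event fields, the signals and the threshold of two are assumptions, and the log lines are constructed.

```python
# Constructed events: (account, device fingerprint, country, hour, amount).
EVENTS = [
    ("acct-1001", "dev-aaa", "US", 9, 120.00),
    ("acct-1001", "dev-aaa", "US", 18, 75.50),
    ("acct-1001", "dev-bbb", "US", 10, 200.00),   # new device only: tolerated
    ("acct-1001", "dev-zzz", "RO", 3, 4900.00),   # new device, country, hour, size
    ("acct-2002", "dev-ccc", "CA", 10, 50.00),
    ("acct-2002", "dev-ccc", "CA", 11, 60.00),
    ("acct-2002", "dev-ccc", "CA", 2, 55.00),     # only the hour is unusual
]


def hour_gap(a, b):
    """Distance between two hours of day, wrapping around midnight."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_event(prof, dev, country, hour, amount):
    """Return the list of signals on which this event departs from the baseline."""
    reasons = []
    if dev not in prof["devices"]:
        reasons.append("unknown device")
    if country not in prof["countries"]:
        reasons.append("new country")
    if all(hour_gap(hour, h) > 2 for h in prof["hours"]):
        reasons.append("unusual hour")
    if amount > 3 * prof["max"]:
        reasons.append("amount > 3x prior max")
    return reasons


def detect(events, threshold=2):
    """Process events in order; flag those with >= threshold signals.
    Flagged events are not learned into the profile, so one suspicious
    login cannot teach the baseline to trust the attacker's device."""
    profiles, flagged = {}, []
    for acct, dev, country, hour, amount in events:
        prof = profiles.get(acct)
        if prof is None:  # first sighting of the account: enrolment only
            profiles[acct] = {"devices": {dev}, "countries": {country},
                              "hours": {hour}, "max": amount}
            continue
        reasons = score_event(prof, dev, country, hour, amount)
        if len(reasons) >= threshold:
            flagged.append((acct, dev, reasons))
            continue
        prof["devices"].add(dev)
        prof["countries"].add(country)
        prof["hours"].add(hour)
        prof["max"] = max(prof["max"], amount)
    return flagged
```

Running `detect(EVENTS)` flags only the acct-1001 transfer from dev-zzz; the single-signal events (a new device, or an odd hour alone) pass, which is the trade-off the threshold encodes.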