29 August 2006

Authentication Risk: Solving the Multifactor Question...

U.S. Bankers are in crunch mode to make decisions and finish risk assessments by year end. Multifactor Authentication is the issue at hand as Operational Risk Managers wrestle with vendors and their own IT organizations.

"Less than four months remain for banks to meet the Federal Financial Institutions Examination Council's year-end deadline for Internet banking authentication, but some confusion remains over what is an acceptable solution. When the FFIEC agencies initially released the guidance on Oct. 12, 2005, many banks were left scratching their heads as the guidance explicitly states that it "does not endorse any particular type of technology." Rather, the FFIEC says, banks should assess their own risk and decide which solutions best meet their individual needs.

Adding to the confusion, bankers, vendors and experts have fixated on the term "multifactor authentication." But the FFIEC never explicitly states that multifactor authentication is the only way to comply. According to the FFIEC's guidance, "The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties."

While authenticating the person who is logging into the secure Internet banking site is important, it is equally important for the consumer's chosen banking site to be simultaneously authenticated.

Mutual Authentication

Mutual authentication is a process whereby customer identity is authenticated and the target Web site is authenticated to the customer. Currently, most financial institutions do not authenticate their Web sites to the customer before collecting sensitive information. One reason phishing attacks are successful is that unsuspecting customers cannot determine they are being directed to spoofed Web sites during the collection stage of an attack. The spoofed sites are so well constructed that casual users cannot tell they are not legitimate. Financial institutions can aid customers in differentiating legitimate sites from spoofed sites by authenticating their Web site to the customer.

Techniques for authenticating a Web site are varied. The use of digital certificates coupled with encrypted communications (e.g. Secure Socket Layer, or SSL) is one; the use of shared secrets such as digital images is another. Digital certificate authentication is generally considered one of the stronger authentication technologies, and mutual authentication provides a defense against phishing and similar attacks.

One way to solve the issue is to find a company who has taken all of these technology hurdles and has found a viable solution for FFIEC compliance. See Boulder, Colorado based Authenticol to add to your short list.

No comments:

Post a Comment