BOL Conferences
#661767 - 01/05/07 04:38 PM Multi-factor authentication for phone banking
leolady Offline
100 Club
Joined: Jun 2006
Posts: 101
Midwest-dead center
I need to know if anyone has run into a requirement for multi-factor authentication in regards to telephone banking. I know the parameters for internet banking but haven't been able to find anything for the phones. Thanks for any help you can give me.
_________________________
"It takes two to speak the truth - one to speak, another to hear."
Henry David Thoreau

eBanking / Technology
#661825 - 01/05/07 05:15 PM Re: Multi-factor authentication for phone banking leolady
califgirl Offline
Diamond Poster
Joined: Mar 2002
Posts: 2,355
The O.C., California
There is no "requirement" for MFA. You should, however, include telephone banking in your risk assessment and determine, for your bank, if MFA is called for. It depends on the type of information and transactions available on your telephone banking system.
_________________________
I can explain it to you. I can't understand it for you.

#663448 - 01/09/07 06:01 PM Re: Multi-factor authentication for phone banking califgirl
LibraLady Offline
Junior Member
Joined: Aug 2005
Posts: 30
Somewhere it rains a lot
We know our telephone banking system does allow for high-risk transactions. We are looking for guidance regarding multi-factor authentication. We would like to know if we need 2 out of the 3 methods of authentication (what you know, what you are, what you have) for our telephone banking system as we do for on-line banking.

#663561 - 01/09/07 08:16 PM Re: Multi-factor authentication for phone banking LibraLady
FraudHorn Offline
Member
Joined: Dec 2005
Posts: 60
Maine
Just curious, what kind of high-risk transactions can your telephone banking system do? Can a caller actually transfer money out of the bank or to another customer's account? Ours is not that fancy. Customers can only move funds between their own accounts, which is not considered high by the guidelines. Since account numbers already have to be known in order to log in, the only risky thing we identified is that the system can fax a statement to a phone number entered by the caller. We are considering turning this feature off.
_________________________
The cannons don't thunder there's nothin' to plunder.

#663632 - 01/09/07 09:24 PM Re: Multi-factor authentication for phone banking FraudHorn
LibraLady Offline
Junior Member
Joined: Aug 2005
Posts: 30
Somewhere it rains a lot
Through our telephone banking system a customer can transfer funds from accounts that they are not an owner or signer on into their account, if they complete the authorization form.

#664912 - 01/11/07 06:11 PM Re: Multi-factor authentication for phone banking califgirl
Granny P Offline
Junior Member
Joined: Jan 2007
Posts: 32
Illinois
Good afternoon. Your answer to the MFA for phone banking was just what I was looking for, but (always a but) what source did you get your information from? Thanks much in advance. Granny P

#665035 - 01/11/07 07:54 PM Re: Multi-factor authentication for phone banking Granny P
FraudHorn Offline
Member
Joined: Dec 2005
Posts: 60
Maine
Don't mean to step on your toes, CaliGirl, but I had this right at my fingertips for a response I gave someone else. This first link is for the FAQs about the guidelines. Q-2 indicates that the guidelines do apply to all forms of electronic banking, including telephone banking.

http://www.ffiec.gov/pdf/authentication_faq.pdf

This next link is to the guidelines themselves. At the top of page two, at the end of the "Summary of Key Points" section, they state that: "Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks". Although MFA is mentioned and it is getting all the fanfare, it is not the only mitigating control that can be used. As long as your risk assessment is done reasonably and can show that some other control will suffice. Hope this helps.

http://www.ffiec.gov/pdf/authentication_guidance.pdf
_________________________
The cannons don't thunder there's nothin' to plunder.

#665064 - 01/11/07 08:18 PM Re: Multi-factor authentication for phone banking Granny P
califgirl Offline
Diamond Poster
Joined: Mar 2002
Posts: 2,355
The O.C., California
http://www.bankersonline.com/tools/security/ffiec_authentication_faq.pdf

Also, there was a BOL webcast on MFA which I participated in. BOL sent out a follow-up document after the webcast which addressed this.
_________________________
I can explain it to you. I can't understand it for you.

#665487 - 01/12/07 03:53 PM Re: Multi-factor authentication for phone banking califgirl
Granny P Offline
Junior Member
Joined: Jan 2007
Posts: 32
Illinois
Thank you to both Califgirl and FraudHorn. Your quick response eases my mind on researching issues, this from a Day One user. Califgirl referred to a BOL webcast and a followup document. How do I locate that followup document? Thanks again, from Day Two user Granny P

#716335 - 04/13/07 06:32 PM Re: Multi-factor authentication for phone banking Granny P
B2BTrade Offline
New Poster
Joined: Jun 2006
Posts: 23
Did you ever get an answer to your question to Califgirl regarding the followup document from the BOL webcast? I'd be interested in a copy as well. Thanks for your response.

#716340 - 04/13/07 06:37 PM Re: Multi-factor authentication for phone banking B2BTrade
Mary Beth Guard Offline
Platinum Poster
Joined: Oct 2000
Posts: 797
Oklahoma City, OK
Here is the excerpt from the follow-up document on the webinar I co-presented with Jeff Patterson on MFA.

Question 8. I wanted to know what's going on with IVRs. The FAQ was the first time to mention it and you did today, but I don't see anything in here discussing it!!

Answer: The concepts of additional security requirements, including multi factor authentication, being implemented to mitigate the risks associated with access to confidential customer information and funds transfer capabilities do apply to IVRs, VRUs, and telephone banking. Each of these types of services should be included in the risk assessment, and where the risk associated with access to confidential information or capabilities to transfer funds warrant additional security, then multi factor authentication should be employed.

Look at the same types of factors you would look at for online banking: Can a caller gain access to sensitive customer information by posing as your customer and bypassing authentication safeguards? Can a caller engage in high risk transactions if they successfully impersonate your customer?

Possible additional authentication options include phone number verification (caller ID), call back verification, and possible voice prints. The initial set-up for a customer to use IVR should be reviewed to determine if it is robust enough. The more information that can be accessed through the system, and the greater the transactional capability it has, the greater the need to guard against unauthorized use.


Moderator:  Andy_Z