Multi-Factor Authentication is Getting Hot
2006 promises to be another busy year for those involved in information technology, internet banking, security and compliance. Add to this that bankers wear many hats and more and more we're seeing a cross-over as one field of expertise touches the others. Technology is blending more of our tasks into one another's space. Multi-factor authentication is one more example of this.
Depending on the size and infrastructure of your financial institution, you may be involved in multi-factor authentication of your e-banking customers. The days of a username and password to log on will disappear, and for good reason. Examiners know that to err is human, but to really suffer a loss takes a computer. Well, it is something like that.
The Chicago FDIC recently held a conference call on this topic. The regulators in general are concerned that institutions are not doing enough to protect themselves and their depositors. Often bankers will cite the weakest link in e-banking security as the customer. While that may be true, it doesn't dramatically change the risks you have if your system is breached because of it, or if you pay many dollars in claims for unauthorized transactions. You still lose. At best customers get frightened and abandon this effective delivery channel. Again, the institution will be the loser.
On October 12, 2005 the FFIEC released Guidance that financial institutions need to be more aware of, and acting on. This Guidance emphasizes that transaction capabilities in e-banking raise the risk level of these accounts. Concurrent with this risk, accessibility needs to be raised a notch from where it is. Authentication should be based on
• Something the user knows (e.g., password, PIN);
• Something the user has (e.g., ATM card, smart card); and
• Something the user is (e.g., biometric characteristic, such as a fingerprint).
The FDIC noted that most institutions were aware of the guidance but getting little done. This apathy is based on waiting for vendors to provide answers. That may not be good enough. You have to complete your own risk assessment. You need to determine what layered approach you want and what security processes work best for your customer base. Key fobs may be an answer, but that could be more costly than some others. Passwords and verifications input with a mouse pointer may be the most cost effective, but could be compromised with new technologies. You need to integrate your chosen processes, involve the varied departments within your institution (those mentioned above) and understand why it is necessary to mitigate the identified risks. Then you have to communicate this with your customers (perhaps adding Marketing to this mix), so they understand and more readily accept the changes. Regulators are seeing an over-reliance on vendors for the answers.
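To make the "layered approach" concrete, here is an added example (my own illustration, not code from the article or from any vendor) of what a two-factor login check looks like once you combine "something the user knows" with "something the user has." The knowledge factor is a salted password hash; the possession factor is an event-based one-time code of the kind a key fob displays, computed with the HOTP algorithm from RFC 4226. The policy check at the end is the caveat examiners care about: two credentials from the same category (two passwords, say) do not make the login multi-factor. The user record, salt, fob secret and password are all constructed sample values.

```python
"""Two-factor login check: knowledge factor (password) plus possession
factor (key-fob style one-time code, RFC 4226 HOTP). Added illustration,
not the article's own material; all account data below is constructed."""
import hashlib
import hmac
import os
import struct
from typing import Optional

# The three FFIEC factor categories: something the user knows / has / is.
KNOWLEDGE, POSSESSION, INHERENCE = "knows", "has", "is"


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = 100_000) -> tuple:
    """Derive a salted PBKDF2-SHA256 hash; a fresh random salt is used unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Knowledge factor: recompute the hash and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, code: str, counter: int, window: int = 3) -> Optional[int]:
    """Possession factor: accept the code if it matches one of the next `window`
    counter values (the fob may have been pressed without logging in).
    Returns the matching counter so the caller can advance past it, else None."""
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(secret, c), code):
            return c
    return None


def is_multi_factor(satisfied) -> bool:
    """True only when factors from at least two DISTINCT categories were verified."""
    return len(set(satisfied)) >= 2


def authenticate(user: dict, password: str, code: str) -> tuple:
    """Check both factors and report (is_multi_factor, categories satisfied).
    On a successful code match the fob counter is advanced so the same
    code cannot be replayed."""
    satisfied = []
    if verify_password(password, user["salt"], user["pw_hash"]):
        satisfied.append(KNOWLEDGE)
    matched = verify_hotp(user["fob_secret"], code, user["fob_counter"])
    if matched is not None:
        satisfied.append(POSSESSION)
        user["fob_counter"] = matched + 1
    return is_multi_factor(satisfied), satisfied


# Constructed sample account. The fob secret is the RFC 4226 test-vector key,
# so the first codes it produces are the published ones (755224, 287082, ...).
SAMPLE_SALT = b"constructed-salt"
SAMPLE_USER = {
    "salt": SAMPLE_SALT,
    "pw_hash": hash_password("correct horse", SAMPLE_SALT)[1],
    "fob_secret": b"12345678901234567890",
    "fob_counter": 0,
}

if __name__ == "__main__":
    print(authenticate(SAMPLE_USER, "correct horse", "755224"))  # both factors
    print(authenticate(SAMPLE_USER, "correct horse", "755224"))  # replayed code fails
    print(authenticate(SAMPLE_USER, "wrong", "287082"))          # only possession
```

The replay handling is the part worth noticing: once a fob code has been accepted, the stored counter moves past it, which is what makes the possession factor stronger than a second memorised secret. The `is_multi_factor` check is the policy line to keep in your own risk assessment, whatever vendor product you end up with.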
A strong evaluation of your systems, including telephone and IVR delivery is required. The time to start is now.