#440149 - 11/10/05 10:05 PM
Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered
I just recently attended a seminar that discussed this topic. According to the speaker, this particular guidance indicates that only when the financial institution conducts its risk assessment on e-banking activities and determines that single-factor authentication is not sufficient should it then implement multi-factor authentication, layered security, and other controls.
I read this guidance a couple of times prior to the seminar, then re-read it again afterwards. It mentions the above statement several times throughout the document and it does appear that as long as you can determine through your risk assessment methodology that single factor authentication is sufficient, then that should be acceptable.
However, based on this line of thinking, we may think one thing is sufficient and the regulators may not see it the same way.
Of course, it is always better to be pro-active in these instances.
#440151 - 11/16/05 05:16 AM
Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered
"it does appear that as long as you can determine through your risk assessment methodology that single factor authentication is sufficient, then that should be acceptable."
I don't think this is correct. The Guidance clearly says that it considers single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
#440152 - 11/16/05 04:59 PM
Re: FIL-103-2005 Authentication in an Internet Banking
Platinum Poster
Joined: Oct 2004
Posts: 822
midwest
So will there be additional guidance regarding the internet banking risk assessment? Has anyone already completed their risk assessment, if so what did it amount to? Thanks.
#440153 - 11/16/05 05:50 PM
Re: FIL-103-2005 Authentication in an Internet Banking
Diamond Poster
Joined: Jun 2001
Posts: 1,339
TX
As I read the Guidance regarding the risk assessment, if you have a transactional website, that is "high risk" and high risk means two-factor authentication.
_________________________
Opinions are mine not my employer's, and should not be taken as legal advice.
#440154 - 11/16/05 09:54 PM
Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered
#440155 - 11/18/05 04:04 PM
Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered
Information Technology's Sizemore said that tokens will cost banks at least $10 to $15 apiece. Some estimates peg the cost of purchasing a token at $50 each.
#440156 - 11/18/05 08:01 PM
Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered
Our bank is taking a different route entirely, due to reports that will be made available by our website host provider. Customer bill pay and transfer transactions will be monitored and any outside the norm will generate a real-time high-risk report that we will have to review, and possibly contact the customer. We can also e-mail a randomly-generated one-time PIN or have additional security (additional security questions) at bill pay/transfer login.
We don't allow wires or ACH originations from our website, and require business customers to enroll in person to limit risk. So hopefully this will be sufficient; we live in an area at low risk for terrorist activity and money laundering.
#440157 - 11/19/05 03:33 PM
Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered
I don't believe being in an area considered low risk for terrorist activity and money laundering would negate the requirement of using dual authentication methods for online banking per the FIL. Your risk level has already been identified by the regulatory agencies and if you don't use dual authentication methods you are not complying.
#440158 - 11/26/05 10:04 PM
Re: FIL-103-2005 Authentication in an Internet Banking
Junior Member
Joined: Nov 2005
Posts: 32
Has anyone thought about using electronic software tokens? They are much less expensive and can be delivered using a secure email system. And, if you feel portability is necessary to allow access to on-line banking from different computers, the end-user can store the token on a USB drive that can be further secured through encryption and/or password protection. I currently use this method to remotely access our corporate intranet and it is easy to distribute, install and execute. And, I use an encryption tool that was downloaded for free to securely store the token and other confidential files on my laptop when I'm traveling or it's not in my presence. (Just in case.) Is it obvious? After I made the transition from an extended career in the banking industry to information security consulting, I am becoming paranoid! But trust me, it's not without good reason. My personal home system is now protected by anti-virus, anti-spam, anti-spyware and a firewall (with very few open ports). I also store some files in encrypted folders and, when at all feasible, I have very few Microsoft products installed. I don't, however, use IE! I have also wondered how my own bank would react if I were to ask if they have an effective patch management program, periodic vulnerability scans and pen tests. But, I'm relatively certain that once their dazed and confused look subsides, my account would be flagged and I would forever be cast under a cloud of suspicion. If my account were not immediately closed, that is!
#440159 - 11/27/05 08:58 PM
Re: FIL-103-2005 Authentication in an Internet Banking
10K Club
Joined: Oct 2000
Posts: 27,763
On the Net
The tokens are not a viable means to prevent phishing, according to the bulletin. But I am not very familiar with this via email. How does it work and what are the strengths and weaknesses?
_________________________
AndyZ CRCM My opinions are not necessarily my employer's. R+R-R=R+R Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell
#440160 - 11/28/05 05:39 AM
Re: FIL-103-2005 Authentication in an Internet Banking
Junior Member
Joined: Nov 2005
Posts: 32
Andy - Obviously the biggest benefit of Soft vs. Hard tokens will be the cost and deployment. But, other than that, in my opinion it will depend on the product itself because there are so many variables. Several vendors are now providing soft tokens and the dynamics differ. However, based on the small amount of research I have done to date, most are based on the same challenge/response authentication method as hard tokens but they can be directly installed on your PC or laptop. Here is a very general summary that I found: Quote:
Soft tokens are software-based token generating devices. The software token is installed on PCs, laptops, and hand-held computers. Once the PIN is activated, the token creates and sends the user's one-time password. The system's memory stores the secrets and the system's CPU is used to generate the password. Although there is some risk associated with storing the secrets on the system's memory, this risk is reduced by having the secrets encrypted. Also, because the token is installed on the system, anyone with physical access to the system can use it to authenticate, but they must know or guess the PIN to use it.
I'm not sure why this method would not be as effective as hard tokens to prevent phishing, as you can see, even if a user were to unknowingly give up passwords and/or PINs, the soft token has to be executed each time the user requests access to the protected site. And IMO, unlike a smartcard or key fob, when installed on a desktop, it is not likely that you will misplace the device. Your risk of this obviously does increase when stored on a USB drive and possibly a laptop.
The installation file can be received via email, and just as I have done, it can be further secured by storing it in an encrypted file. I'm not sure how feasible or easy to communicate to all end-users/customers this would be. I personally use TrueCrypt and it was not that difficult to install or to use.
Google "Software or Soft Tokens" and review the various vendor products.
#440161 - 11/28/05 07:52 PM
Re: FIL-103-2005 Authentication in an Internet Banking
New Poster
Joined: Jul 2005
Posts: 10
God's Country, Montana
So, is the conclusion that tokens are not effective and we should be looking into "mutual authentication?"
_________________________
Never insult seven men when all you have is a six shooter -- Col. Potter
#440162 - 11/28/05 10:21 PM
Re: FIL-103-2005 Authentication in an Internet Banking
Platinum Poster
Joined: Nov 2005
Posts: 620
Superior Mortgage got sued by the FTC for not encrypting emails, although they claimed they were securing transmissions to their customers. I don't remember how much they got sued for, though.
#440163 - 01/06/06 08:19 PM
Re: FIL-103-2005 Authentication in an Internet Banking
New Poster
Joined: May 2005
Posts: 14
How can a hard token not be a viable means of security? For instance, the RSA token changes its PIN every 60 seconds or so. So even if I did give it and my password and username to someone, they would have to use it in 60 seconds or less. This seems highly unlikely and very unreasonable to assume. If for some reason I lost my token, it is my responsibility to notify the bank; if someone were to find it and my username and password, how can I, the customer, have anyone to blame but myself?
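A worked illustration of the 60-second-window reasoning in the post above (and of the PIN-activated soft-token description in #440160), added here as example code that is not from the thread, from RSA or from any vendor: a simplified HMAC time-step OTP, assumed to follow the RFC 6238 construction rather than the proprietary SecurID algorithm, with a bank-side verifier that also refuses a code it has already accepted, which is the check that closes the "use it within 60 seconds" replay the poster describes. The secret, the 60-second step and the one-step drift allowance are constructed demo values.

```python
import hmac
import hashlib
import struct

# Constructed demo parameters: a 60-second time step, as described in the post,
# and a six-digit code. This is a simplified HMAC time-step OTP in the style
# of RFC 6238 (assumption); it is NOT the proprietary RSA SecurID algorithm.
STEP_SECONDS = 60
DIGITS = 6


def otp_for_counter(secret: bytes, counter: int) -> str:
    """Derive a DIGITS-long code from the shared secret and a time-step counter
    using the RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def current_code(secret: bytes, now: float) -> str:
    """Token side: the code displayed at wall-clock time `now` (seconds)."""
    return otp_for_counter(secret, int(now // STEP_SECONDS))


class TokenVerifier:
    """Bank side: accept a code only for the current step (plus/minus one step
    of clock drift) and only once, so a code captured by a phisher and replayed
    within the same 60-second window is rejected."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_accepted_counter = -1  # highest step already consumed

    def verify(self, code: str, now: float) -> bool:
        counter = int(now // STEP_SECONDS)
        lo, hi = counter - self.drift_steps, counter + self.drift_steps
        for candidate in range(lo, hi + 1):
            if candidate <= self.last_accepted_counter:
                continue  # this step was already used once: treat as replay
            expected = otp_for_counter(self.secret, candidate)
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = candidate
                return True
        return False
```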
#440164 - 01/13/06 07:05 PM
Re: FIL-103-2005 Authentication in an Internet Banking
Member
Joined: Sep 2001
Posts: 70
VT, USA
Attended a NYCE webinar and a rep from FDIC said that this is NOT optional and will need to be in place by the end of 2006. Saw a demo of BofA and that is the ideal solution. We're not sure our core bank processor is going to offer something along these lines. We know our customers will balk at a token and know the calls about lost tokens, etc. would be a call center nightmare. Hopefully, the ideal solution will arrive. Yes, I am a Pollyanna.
#440165 - 03/03/06 12:05 AM
Re: FIL-103-2005 Authentication in an Internet Banking
New Poster
Joined: Nov 2005
Posts: 5
Does anyone recall hearing that the risk assessment must be complete by March 31 (then with implementation by December 31)? Some of our group recalls this but none of us can find it in any documentation. Thanks!
#440166 - 03/04/06 09:31 PM
Re: FIL-103-2005 Authentication in an Internet Banking
10K Club
Joined: Oct 2000
Posts: 27,763
On the Net
Implementation has a deadline, but not the testing. That may have been a recommendation so that you have time to review and implement what is needed.
_________________________
AndyZ CRCM My opinions are not necessarily my employer's. R+R-R=R+R Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell
#440167 - 03/19/06 09:02 PM
Re: FIL-103-2005 Authentication in an Internet Banking
New Poster
Joined: Mar 2006
Posts: 2
Hi Andy,
I'm not sure what you mean by "testing"? Is there a working theory that a bank can have a multi-factor authentication solution in place in 2006 but does not need to have it tested and rolled out to all of its customers until some time in 2007?
#440168 - 03/21/06 02:33 PM
Re: FIL-103-2005 Authentication in an Internet Banking
10K Club
Joined: Oct 2000
Posts: 27,763
On the Net
By "test" I am referring to your risk assessments as you test/review your systems. And no, you don't really have until 2007. Examiners expect this to be done in 2006. They'll look at problems on a case-by-case basis but we have no idea how forgiving they'll be.
_________________________
AndyZ CRCM My opinions are not necessarily my employer's. R+R-R=R+R Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell
#440170 - 06/08/06 05:19 PM
Re: FIL-103-2005 Authentication in an Internet Banking
New Poster
Joined: Jun 2006
Posts: 7
Instead, a better option we are thinking of is to send a one-time password to the e-mail ID of the customer. This OTP should be valid for that particular transaction only and will expire in, say, 3 minutes. Everybody who is accessing Internet banking would be able to view his/her e-mail account.
Is this solution acceptable to FDIC/FFIEC?
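To make the proposal in post #440170 concrete, here is added example code (not from the post, the thread or any vendor) of the server-side bookkeeping such an e-mailed OTP needs: the code is bound to the exact transaction it was issued for, expires after the 3 minutes the poster suggests, and is consumed on first correct use. The transaction fingerprint, the three-guess limit and the in-memory store are assumptions for the demo; sending the e-mail itself is out of scope.

```python
import hmac
import secrets
from dataclasses import dataclass, field

OTP_TTL_SECONDS = 180  # "expire in, say, 3 minutes" as proposed in the post


@dataclass
class PendingOtp:
    code: str
    fingerprint: str   # the exact transaction the code was issued for
    expires_at: float
    attempts_left: int = 3  # assumption: a few wrong guesses burn the code


@dataclass
class TransactionOtpService:
    """Issues a one-time code bound to one specific bill-pay/transfer and
    accepts it at most once, before it expires, for that transaction only."""
    pending: dict = field(default_factory=dict)

    @staticmethod
    def fingerprint(account: str, payee: str, amount_cents: int) -> str:
        # Binding the code to the details the customer sees in the e-mail means a
        # code approved for one transfer cannot confirm a different payee or amount.
        return f"{account}|{payee}|{amount_cents}"

    def issue(self, txn_id: str, account: str, payee: str, amount_cents: int, now: float) -> str:
        code = "".join(secrets.choice("0123456789") for _ in range(6))
        fp = self.fingerprint(account, payee, amount_cents)
        self.pending[txn_id] = PendingOtp(code, fp, now + OTP_TTL_SECONDS)
        return code  # what the e-mail would carry; never write it to logs

    def confirm(self, txn_id: str, account: str, payee: str, amount_cents: int,
                submitted: str, now: float) -> bool:
        entry = self.pending.get(txn_id)
        if entry is None:
            return False  # unknown, already used, expired or burned
        if now > entry.expires_at:
            del self.pending[txn_id]  # expired: customer must request a new code
            return False
        if entry.fingerprint != self.fingerprint(account, payee, amount_cents):
            del self.pending[txn_id]  # details changed after issue: reject outright
            return False
        if not hmac.compare_digest(entry.code, submitted):
            entry.attempts_left -= 1
            if entry.attempts_left <= 0:
                del self.pending[txn_id]  # too many wrong guesses: code is burned
            return False
        del self.pending[txn_id]  # single use: a correct code is consumed
        return True
```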
#440171 - 06/08/06 09:17 PM
Re: FIL-103-2005 Authentication in an Internet Banking
10K Club
Joined: Oct 2000
Posts: 27,763
On the Net
I have had email server issues that slowed my email up more than that. And if you had a customer at an Internet cafe, would they be inhibited? (This situation may be far fetched, or it may not be.)
_________________________
AndyZ CRCM My opinions are not necessarily my employer's. R+R-R=R+R Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell
#440172 - 06/09/06 04:30 PM
Re: FIL-103-2005 Authentication in an Internet Banking
New Poster
Joined: Jun 2006
Posts: 7
Is an Internet cafe a safe place to do online transactions?
#440173 - 06/09/06 04:35 PM
Re: FIL-103-2005 Authentication in an Internet Banking
New Poster
Joined: Jun 2006
Posts: 7
Such instances may be very rare. However, is it not better than opting for costly tokens, which also generate OTPs at regular intervals? Besides, it definitely seems a better option than the solutions which work on IP address recognition. What do others think?