#440124 - 10/13/05 04:22 PM FIL-103-2005 Authentication in an Internet Banking
Oursisnottoreasonwhy Offline
Gold Star
Oursisnottoreasonwhy
Joined: Nov 2004
Posts: 459
Central Illinois
In reading this FIL it states that: "The agencies consider single-factor authentication (eg. Login and Password), to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties." I read this to say any internet banking access that provides account information or transaction capabilities needs to have more than a login and password.

What types of other authentication factors are other internet banking providers using? What are the costs involved in adding additional authenticating factors? Are banks passing the additional costs on to the customer? How is customer acceptance of additional login procedures?

#440125 - 10/14/05 12:55 PM Re: FIL-103-2005 Authentication in an Internet Banking
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,110
On the Net
In many countries, and here at some institutions, you'll have a key fob or card with an access code that changes every minute or so. It is in sync with the main system and is needed to login. In some cases a scratch-off card may have the daily codes on it and it is mailed to the customer. That code is needed to login.

There are many versions of dual authentication. I can't quantify the costs or acceptance. But there will be costs, especially at start-up, and people resist change. So neither the bank nor the consumer will especially like it unless they really perceive the risk this is intended to mitigate.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#440126 - 10/14/05 04:30 PM Re: FIL-103-2005 Authentication in an Internet Banking
Czargazer Offline
Gold Star
Czargazer
Joined: May 2003
Posts: 298
Pacific Northwest
I for one am really interested in what folks think about this. The whole thing seemed rather vague to me and relied too much on the institutions' risk assessments--which generally means the assessment will come out less than high so we then don't have to institute any additional safeguards...

The FIL did mention that the agencies are concerned about "high-risk transactions" but what are they classifying as high risk? What does it mean in this context?

We do a moderate amount of online banking, involving Bill Pay, and other transactions. Is this "high-risk" by default or do certain factors apply that would possibly make it "high-risk"? If so, I'd love to know what the agencies think these factors would be! Anybody got any ideas?
_________________________
Everyone has to make a living, mine just happens to involve thumbscrews.

#440127 - 10/14/05 04:41 PM Re: FIL-103-2005 Authentication in an Internet Banking
SusyG Offline
100 Club
Joined: Oct 2001
Posts: 120
Andy, what are your thoughts on browser-based dual authentication methods? I have done some research on several methods and browser-based seems the most economical for the bank and least intrusive for the customer, but it does have weaknesses as does every method. I just can't see our customers using cards, tokens, etc. The cost of delivering the additional hardware required for other methods would also be costly to the bank. But, I don't want to go with the browser-based method just because it is less costly and easier to implement if I'm not really getting a benefit out of it....

#440128 - 10/17/05 05:32 AM Re: FIL-103-2005 Authentication in an Internet Banking
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,110
On the Net
I haven't finished reading that document yet. (Just look at when I posted this.) I believe you'll have to find what is effective first, for now and the future, and what your customers will adopt. The latter is secondary. Many will complain because people resist change. Fewer will drop the product because of it.

You'll have to make your case as one of security and "this is for your own good." I think you'll work your way down to serious IB users and predict that you'll have a level of IB that doesn't allow transfer of funds and therefore doesn't require such authentication. This may be a way to take customers up to a higher level. You'll have to decide where, or if, IB can be profitable as well.

#440129 - 10/18/05 02:29 PM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

I'm a bit surprised that there has not been more reaction to this since it likely will result in some of us having to pull a valued service from our customers (for their own good). Even if we can find a cost effective way to provide a secondary authentication factor for internet banking, I'm not sure I can see a way to provide the same for the telephone banking product (It will be included in your risk assessment, won't it?).

What we have here is regulation imposed without hearings, comment or other public input. We are not only told to do a risk assessment but told what the result must be.

More broadly the whole concept of "regulation by guidance" seems to be getting out of hand. A review of FDIC FILs indicates that in the year 2000 there was one such guidance. In 2001 - 3; 2002 - 2; 2003 - 5; 2004 - 12; and YTD 2005 - 15. These guidances focus on methodology rather than results. For example, it is not enough to have an adequate loan loss reserve, you must follow a specific methodology to determine its adequacy.

Oops, I seem to be slipping into a rant. The point is that maybe we should be concerned about a trend that is unfavorable to us and our customers; and begin raising the issue with our associations and advocates.

#440130 - 10/18/05 05:35 PM Re: FIL-103-2005 Authentication in an Internet Banking
mtcrossranch Offline
New Poster
Joined: Jul 2005
Posts: 10
God's Country, Montana
What is the general opinion out there about what is "high risk"? Because BillPay is payment to a third party, it is definitely higher risk than just looking at balances, transferring between accounts and viewing images. But, is it high risk enough to warrant a secondary authentication requirement? What will the OCC say about this one?
_________________________
Never insult seven men when all you have is a six shooter -- Col. Potter

#440131 - 10/18/05 08:00 PM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

Just an observation or two:

Requiring (certain types of) two-factor authentication would almost entirely eliminate "fake online banking websites" from the identity theft arena (once users understand they should be required to have the fob/code/etc.).

I believe they (regulators) have really already done a "risk assessment" for the entire industry and decided the risk of using transactional websites is too great without the two-factor authentication. Without the "big picture" from all the reports they get, we'll never know how much fraud and identity theft is actually occurring.

#440132 - 10/18/05 09:57 PM Re: FIL-103-2005 Authentication in an Internet Banking
Czargazer Offline
Gold Star
Czargazer
Joined: May 2003
Posts: 298
Pacific Northwest
Quote:

Requiring (certain types of) two-factor authentication would almost entirely eliminate "fake online banking websites" from the identity theft arena (once users understand they should be required to have the fob/code/etc.).

Emphasis on the "certain types". There was recently a case of a phishing scam in which the perpetrators were aware of the second authorization factor (a scratch-off card with codes), and included it in their fake web-site enabling them to acquire codes to use in conjunction with the passwords they gleaned. Article

#440133 - 10/18/05 11:42 PM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

A client with multiple banking relationships would carry multiple authentication devices, be they tokens, scratch cards, etc. So (rhetorically) do you think that there would be confusion about which device belongs to which bank, account, etc.? If the devices are then labeled, does it not compromise the security? Will there not be client backlash as a result?

No solutions, just problematic questions.

#440134 - 10/19/05 05:07 AM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

I heard someone in law enforcement give an opinion on the best way to stop crime on the Internet: Stop using the Internet.

Now for my opinion: There is no way to stop Internet fraud (short of stopping Internet use). Dual factor authentication will be significantly more effective than single factor authentication. It will not prevent certain customers from compromising their own security, falling for fraud schemes, etc., but it will reduce it significantly. Dual factor authentication is going to happen for all transactions. It is happening. The agencies are going to force the banks to implement it and educate the population. The decision to be made is to get on board now or try to delay it until later. Identity theft is a huge problem and it's getting bigger every day. Organized crime in the US and abroad are getting into the act. As stated above, the regulators are in a better position to see the "big picture."

#440135 - 10/19/05 04:10 PM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

If you look at the statistics on identity theft from the FTC, the vast majority of information that is compromised is still from a paper document either stolen out of a mail box, from dumpster diving or company employees with access to sensitive customer information. Once the thieves have this information, they turn around and use it on the internet for fraudulent activity because of the anonymity of the internet. The stolen information is very seldom actually stolen from an electronic source to begin with, but the media and others confuse consumers by focusing on how the information was used electronically and not the fact that the information was gained from a paper document to start with.

So, why don't the regulating agencies make me have a smart card or token for the mailbox or trash can that sits outside my house that anyone driving by has access to?

#440136 - 10/20/05 05:20 PM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

The REAL problem is that consumers willingly (and unknowingly) provide thieves with the information that they need. What's to say that a thief (using a phishing site) doesn't set up fake "dual authentication" input fields or creates the email and just says, "make sure you put in your token"? The phisher will still get debit or credit info which is the #1 problem.

#440137 - 10/21/05 05:41 PM Re: FIL-103-2005 Authentication in an Internet Banking
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,110
On the Net
It isn't "sexy" news so it has hit the press, but with little fanfare. El Paso Yahoo

If you want activity, tell your customers the price is now $5.95 a month for scratch-offs mailed to them or $7.95 for a fancy key fob.

#440138 - 10/26/05 09:56 PM Re: FIL-103-2005 Authentication in an Internet Banking
Still Developing Offline
100 Club
Joined: Mar 2002
Posts: 199
What is the general opinion out there about what is "high risk."

mtcrossranch,

Our FDIC examiners have told us on more than one occasion if you have an internet site for the bank that allows customers access to their information - these accounts and method of access is automatically considered high risk.

#440139 - 11/02/05 09:52 PM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

The whole area of two factor authentication is not deeply understood from a total risk perspective. Fob tokens are deemed to prevent being attacked by fraudsters when using internet banking. However, the truth of the matter is that traditional solutions are deemed obsolete when it comes to preventing emerging threats such as DNS poisoning and Man in the Middle attacks. These piggyback off an authenticated session. ValidSoft have a solution that has got Gartner really excited because it achieves mutual authentication (i.e. host to user, user to host), it has the flexibility to apply 2FA to certain 'high risk' transactions and it can combat Man in the Middle. When a user's session is compromised having been under the impression that their fob token has protected them, there's going to be a lot of unhappy customers of Banks and their confidence will diminish out of sight.

#440140 - 11/03/05 01:36 AM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

I also am surprised that there has been so little reaction to this guidance. Most compliance officers I've polled are not concerned. As I read the guidance, any transaction involving NPPI or movement of funds requires two factor authentication. If that is so, kiss internet account origination channels goodbye. Call me Chicken Little, and please tell me I'm wrong on this...

#440141 - 11/03/05 04:45 PM Re: FIL-103-2005 Authentication in an Internet Banking
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,110
On the Net
A) I don't think it has sunk in yet.
B) Some may still be studying it and trying to determine is it IT, security, compliance, all of the above.
C) Too many things to worry about today, much less tomorrow, and,
D) Vendors will come out of the woodwork to sell these systems.

Nothing will stop it all, but the more layers of protection we have, the more secure we can be. Using the right layers, the right way is what is important.

This brings back some reasons many laws addressing e-commerce do not have specific requirements on technology practices. The older systems where a customer has to dial up their "internet banking" application, which is not housed on the web as we know it, can be safer. The customer may have a special banking program on their PC. It works with the bank. Browsers do not. And the bank can accept the connection from only certain phone numbers, as examples. These can be better security than what is offered today. Obviously they have less appeal to the average user as they are less convenient. Such is the evolutionary process.

#440142 - 11/04/05 07:02 PM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

Just learned this morning that management conducted a risk "assessment" and has determined that there is "no-to-low risk" in our transactional online accounts! So they want to make the dual authentication optional at the customer's request and sell a solution only to interested customers.
I'm heading for the closet now looking for my 20 lb sledge hammer to pay a visit to the IT manager. Where is it written in my job description I have to save management from themselves?

#440143 - 11/06/05 06:20 PM Re: FIL-103-2005 Authentication in an Internet Ban
Princess Leia Offline
Diamond Poster
Joined: Jun 2004
Posts: 1,975
Alderaan
Quote:

Our FDIC examiners have told us on more than one occasion if you have an internet site for the bank that allows customers access to their information - these accounts and method of access is automatically considered high risk.

That's exactly what we were told also. Doesn't matter if the customer can do anything other than view their account information. The mere fact that there is customer information makes it high risk.

It's definitely receiving more and more publicity. Here's an article from last week's USA Today about it and what BofA is doing.

I hope other non-bank type of financial institutions follow suit soon. Schwab makes you put in your SSN to access your account!
Last edited by Princess Leia; 11/06/05 06:26 PM.
_________________________
Duct tape is like the force: It has a light side and a dark side and it holds the universe together.

#440144 - 11/08/05 02:38 AM Re: FIL-103-2005 Authentication in an Internet Ban
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,110
On the Net
Everyone will be on board soon, like it or not. I wonder if some banks will eliminate internet banking? While it wouldn't be competitive, I can see it happening in Smallville USA.

#440145 - 11/09/05 10:16 AM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

This comment is so true. I have seen solutions that use the mobile phone as the device for token delivery via speech (not SMS), such as VALid from ValidSoft. The solution is practically unbreakable and achieves mutual authentication for the user simply from the architectural design and implementation method. Customers don't have to carry multiple devices, just the single device they never leave the house without ... the mobile phone. There's no software required to be installed so there is zero footprint required.

#440146 - 11/09/05 11:07 AM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

A zero footprint, shareable device will be essential for wide scale deployments. Fobs were designed for enterprise access, not Internet banking protection and certainly not for mass retail deployment. As it is already known they cannot protect against even simple phishing scams (e.g. link to fake web site that collects username, password and OTP), what happens when a customer (who's had to pay the bank for the privilege) finds they've been ripped off despite using their fob in accordance with instructions???

#440147 - 11/09/05 03:05 PM Re: FIL-103-2005 Authentication in an Internet Ban
JacF Offline

Power Poster
Joined: Nov 2001
Posts: 6,719
PA
Quote:

Everyone will be on board soon, like it or not. I wonder if some banks will eliminate internet banking? While it wouldn't be competitive, I can see it happening in Smallville USA.

Greetings from Smallville! As we tend to use vendor provided systems, I would think that the Smallville contingent will not have trouble finding a solution; it would be suicide for online banking platform providers to not offer something. That said, the downside is that Smallville will undoubtedly have fewer choices, as compatibility will be out of the banks' control, so we will pretty much have to go with the options offered by the vendor.

#440148 - 11/09/05 05:02 PM Re: FIL-103-2005 Authentication in an Internet Banking
Czargazer Offline
Gold Star
Czargazer
Joined: May 2003
Posts: 298
Pacific Northwest
Quote:

Customers don't have to carry multiple devices, just the single device they never leave the house without ... the mobile phone.

And what would be offered to those who do not use a cell phone? An alternative, or a waiver indicating that any breaches are the customer's fault for not having a cell phone to enhance security? It may be a good option to those it's available to, but believe it or not there is still a good number of people who don't own cell phones.

#440149 - 11/10/05 10:05 PM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

I just recently attended a seminar that discussed this topic. According to the speaker, this particular guidance indicates that only when the financial institution conducts its risk assessment on e-banking activities and it is determined that single factor authentication is not sufficient, then implement multi-factor authentication, layered security, and other controls.

I read this guidance a couple of times prior to the seminar, then re-read it again afterwards. It mentions the above statement several times throughout the document and it does appear that as long as you can determine through your risk assessment methodology that single factor authentication is sufficient, then that should be acceptable.

However, based on this line of thinking, we may think one thing is sufficient and the regulators may not see it the same way.

Of course, it is always better to be pro-active in these instances.

#440150 - 11/10/05 10:20 PM Re: FIL-103-2005 Authentication in an Internet Banking
1 Peter 5:7 Offline
Diamond Poster
1 Peter 5:7
Joined: Jun 2001
Posts: 1,339
TX
Quote:

as long as you can determine through your risk assessment methodology that single factor authentication is sufficient, then that should be acceptable.

I believe the Guidance also says that the capability of your customer to conduct transactions on your site almost dictates dual authentication. Don't treat the risk assessment exercise too lightly.
_________________________
Opinions are mine not my employer's, and should not be taken as legal advice.

#440151 - 11/16/05 05:16 AM Re: FIL-103-2005 Authentication in an Internet Ban
Anonymous
Unregistered

"it does appear that as long as you can determine through your risk assessment methodology that single factor authentication is sufficient, then that should be acceptable."

I don't think this is correct. The Guidance clearly says that it considers single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.

#440152 - 11/16/05 04:59 PM Re: FIL-103-2005 Authentication in an Internet Ban
complygirl Offline
Platinum Poster
Joined: Oct 2004
Posts: 822
midwest
So will there be additional guidance regarding the internet banking risk assessment? Has anyone already completed their risk assessment, if so what did it amount to? Thanks.

#440153 - 11/16/05 05:50 PM Re: FIL-103-2005 Authentication in an Internet Ban
1 Peter 5:7 Offline
Diamond Poster
1 Peter 5:7
Joined: Jun 2001
Posts: 1,339
TX
As I read the Guidance regarding the risk assessment, if you have a transactional website, that is "high risk" and high risk means two-factor authentication.

#440155 - 11/18/05 04:04 PM Re: FIL-103-2005 Authentication in an Internet Ban
Anonymous
Unregistered

Information Technology's Sizemore said that tokens will cost banks at least $10 to $15 apiece. Some estimates peg the cost of purchasing a token at $50 each.

#440156 - 11/18/05 08:01 PM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

Our bank is taking a different route entirely, due to reports that will be made available by our website host provider. Customer bill pay and transfer transactions will be monitored and any outside the norm will generate a real-time high-risk report that we will have to review, and possibly contact the customer. We can also e-mail a randomly-generated one-time pin or have additional security (additional security questions) at bill pay/transfer login.

We don't allow wires or ACH originations from our website, and require business customers to enroll in person to limit risk. So hopefully this will be sufficient; we live in an area at low risk for terrorist activity and money laundering.

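The layered approach in the post above (monitor bill pay and transfer requests against what is normal for the customer, step up to a one-time PIN or extra questions when something is off, and hold the outliers for a human to review) can be sketched as a small rule-based scorer. This is an added example, not the host provider's reporting code; the customers, payees, amounts and the thresholds (new payee, more than three times the customer's 90-day average, three or more payments in 24 hours) are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean

DAY = 86_400


@dataclass(frozen=True)
class Payment:
    customer: str
    payee: str
    amount: float
    ts: int  # Unix seconds


# Constructed sample history for two customers (not real data).
HISTORY = [
    Payment("c1", "electric-co", 120.00, 1_700_000_000),
    Payment("c1", "mortgage-co", 1450.00, 1_700_100_000),
    Payment("c1", "electric-co", 118.50, 1_702_592_000),
    Payment("c1", "mortgage-co", 1450.00, 1_702_692_000),
    Payment("c2", "electric-co", 50.00, 1_705_180_000),
    Payment("c2", "electric-co", 50.00, 1_705_181_000),
    Payment("c2", "electric-co", 50.00, 1_705_182_000),
]


def risk_score(history, new: Payment, window_days: int = 90):
    """Rule-based scoring of one bill-pay/transfer request against the customer's own history.
    Returns (decision, reasons). Thresholds are assumed for the example, not taken from any guidance."""
    reasons = []
    cutoff = new.ts - window_days * DAY
    recent = [p for p in history if p.customer == new.customer and cutoff <= p.ts < new.ts]

    if new.payee not in {p.payee for p in recent}:
        reasons.append("new_payee")
    if recent and new.amount > 3 * mean(p.amount for p in recent):
        reasons.append("amount_over_3x_average")
    if sum(1 for p in recent if p.ts >= new.ts - DAY) >= 3:
        reasons.append("velocity_3_in_24h")

    if "new_payee" in reasons and len(reasons) > 1:
        decision = "hold_for_review"   # real-time high-risk report; call the customer
    elif reasons:
        decision = "step_up_auth"      # one-time PIN or extra questions before release
    else:
        decision = "allow"
    return decision, reasons


if __name__ == "__main__":
    for req in [
        Payment("c1", "electric-co", 121.00, 1_705_184_000),
        Payment("c1", "water-co", 45.00, 1_705_184_000),
        Payment("c1", "acct-7731", 4800.00, 1_705_184_000),
        Payment("c2", "electric-co", 50.00, 1_705_184_000),
        Payment("c2", "gift-cards-llc", 50.00, 1_705_184_000),
    ]:
        print(req.customer, req.payee, risk_score(HISTORY, req))
```

The point of keeping the reasons alongside the decision is that the reviewer who gets the real-time report can see why the item was held, and the same reasons can be written to the log that an examiner will ask for.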
#440157 - 11/19/05 03:33 PM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

I don't believe being in an area considered low risk for terrorist activity and money laundering would negate the requirement of using dual authentication methods for online banking per the FIL. Your risk level has already been identified by the regulatory agencies and if you don't use dual authentication methods you are not complying.

#440158 - 11/26/05 10:04 PM Re: FIL-103-2005 Authentication in an Internet Banking
Click Here Offline
Junior Member
Joined: Nov 2005
Posts: 32
Has anyone thought about using electronic software tokens? They are much less expensive and can be delivered using a secure email system. And, if you feel portability is necessary to allow access to on-line banking from different computers, the end-user can store the token on a USB drive that can be further secured through encryption and/or password protection.

I currently use this method to remotely access our corporate intranet and it is easy to distribute, install and execute. And, I use an encryption tool that was downloaded for free to securely store the token and other confidential files on my laptop when I'm traveling or it's not in my presence. (Just in case)

Is it obvious?..after I made the transition from an extended career in the banking industry to information security consulting, I am becoming paranoid! But trust me, it's not without good reason.. My personal home system is now protected by Anti-virus, Anti-spam, Anti-spyware and a firewall (with very few open ports). I also store some files in encrypted folders and when at all feasible, I have very few Microsoft products installed. I don't however, use IE!

I have also wondered how my own bank would react if I were to ask if they have an effective patch management program, periodic vulnerability scans and pen tests. But, I'm relatively certain that once their dazed and confused look subsides, my account would be flagged and I would forever be cast under a cloud of suspicion. If my account were not immediately closed that is!

#440159 - 11/27/05 08:58 PM Re: FIL-103-2005 Authentication in an Internet Banking
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,110
On the Net
The tokens are not a viable means to prevent phishing, according to the bulletin. But I am not very familiar with this via email. How does it work and what are the strengths and weaknesses?

#440160 - 11/28/05 05:39 AM Re: FIL-103-2005 Authentication in an Internet Banking
Click Here Offline
Junior Member
Joined: Nov 2005
Posts: 32
Andy -

Obviously the biggest benefit of Soft vs. Hard tokens will be the cost and deployment. But, other than that, in my opinion it will depend on the product itself because there are so many variables. Several vendors are now providing soft tokens and the dynamics differ. However, based on the small amount of research I have done to date, most are based on the same challenge/response authentication method as hard tokens but they can be directly installed on your PC or laptop. Here is a very general summary that I found:

Quote:

Soft tokens are software-based token generating devices. The software token is installed on PCs, laptops, and hand-held computers. Once the PIN is activated, the token creates and sends the user's one-time password. The system's memory stores the secrets and the system's CPU is used to generate the password. Although there is some risk associated with storing the secrets on the system's memory, this risk is reduced by having the secrets encrypted. Also, because the token is installed on the system, anyone with physical access to the system can use it to authenticate, but they must know or guess the PIN to use it.

I'm not sure why this method would not be as effective as hard tokens to prevent phishing, as you can see, even if a user were to unknowingly give up passwords and/or PINs, the soft token has to be executed each time the user requests access to the protected site. And IMO, unlike a smartcard or key fob, when installed on a desktop, it is not likely that you will misplace the device. Your risk of this obviously does increase when stored on a USB drive and possibly a laptop.

The installation file can be received via email, and just as I have done, it can be further secured by storing it in an encrypted file. I'm not sure how feasible or easy to communicate to all end-users/customers this would be. I personally use True Crypt and it was not that difficult to install or to use.

Google "Software or Soft Tokens" and review the various vendor products.

#440161 - 11/28/05 07:52 PM Re: FIL-103-2005 Authentication in an Internet Banking
mtcrossranch Offline
New Poster
Joined: Jul 2005
Posts: 10
God's Country, Montana
So, is the conclusion that tokens are not effective and we should be looking into "mutual authentication?"

#440162 - 11/28/05 10:21 PM Re: FIL-103-2005 Authentication in an Internet Banking
02bonne Offline
Platinum Poster
Joined: Nov 2005
Posts: 620
Superior mortgage got sued by the FTC for not encrypting emails. Although they claimed they were securing transmissions to their customers. I don't remember how much they got sued for though.

#440163 - 01/06/06 08:19 PM Re: FIL-103-2005 Authentication in an Internet Ban
btfitz0 Offline
New Poster
Joined: May 2005
Posts: 14
How can a hard token not be a viable means of security? For instance the RSA token changes its PIN every 60 seconds or so. So even if I did give it and my password and username to someone they would have to use it in 60 seconds or less. This seems highly unlikely and very unreasonable to assume. If for some reason I lost my token it is my responsibility to notify the bank; if someone was to find it and my username and password, how can I the customer have anyone to blame but myself?

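The 60-second window in the post above, and the soft-token description quoted a few posts earlier, both rest on the same one-time-password construction: HOTP (RFC 4226) with a counter derived from the clock (TOTP, RFC 6238). The following is an added example and is not code from this thread or from RSA or any vendor named in it; the 60-second step, the secret and the timeline are assumptions. It shows the two halves of the disagreement in the thread: a code captured by a phishing page is accepted if the phisher relays it inside the window, and what the server must remember so that the same code is never accepted a second time.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 60  # the roughly one-minute step the post describes; RFC 6238 defaults to 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from wall-clock time. A fob and a soft token
    on a PC compute exactly this; the fob only differs in where it keeps the secret."""
    return hotp(secret, int(now // step))


class TokenVerifier:
    """Server side. Accepts the current step and `drift_steps` earlier ones (clock skew) and
    remembers the highest counter already used, so a code is consumed on first use."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.drift_steps = drift_steps
        self.last_counter = -1  # highest counter that produced a successful login

    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.step)
        for counter in range(current - self.drift_steps, current + 1):
            if counter <= self.last_counter:
                continue  # already consumed: a straight replay is refused
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def phishing_relay_scenario(secret: bytes, t0: float) -> tuple:
    """Timeline of a real-time phishing relay against a fob/soft-token login (t0 on a step boundary)."""
    bank = TokenVerifier(secret)
    victim_code = totp(secret, t0)                 # victim types the code into the fake site
    relayed = bank.verify(victim_code, t0 + 5)     # phisher forwards it 5 s later: accepted
    replayed = bank.verify(victim_code, t0 + 10)   # second use of the same code: refused
    stale = bank.verify(victim_code, t0 + 2 * STEP_SECONDS + 1)  # window gone: refused
    return relayed, replayed, stale


if __name__ == "__main__":
    demo_secret = secrets.token_bytes(20)  # a real deployment provisions this per token
    print(phishing_relay_scenario(demo_secret, 1_699_999_980.0))  # (True, False, False)
```

The `relayed` result is the case the thread keeps coming back to: the code is genuine, it is inside the window, and the server has no way to tell that the person typing it is not the customer. The counter check only closes the replay door; it does nothing against a relay that happens in real time, which is why the later posts turn to binding the second factor to the transaction rather than to the login.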
#440164 - 01/13/06 07:05 PM Re: FIL-103-2005 Authentication in an Internet Banking
VT Banker Offline
Member
Joined: Sep 2001
Posts: 70
VT, USA
Attended a NYCE webinar and a rep from FDIC said that this is NOT optional and will need to be in place by the end of 2006. Saw a demo of BofA and that is the ideal solution. We're not sure our core bank processor is going to offer something along these lines. We know our customers will balk at a token and know the calls about lost tokens, etc. would be a call center nightmare. Hopefully, the ideal solution will arrive - yes, I am a pollyanna.

#440165 - 03/03/06 12:05 AM Re: FIL-103-2005 Authentication in an Internet Banking
Risk Manager in Training Offline
New Poster
Joined: Nov 2005
Posts: 5
Does anyone recall hearing that the risk assessment must be complete by March 31 (then with implementation by December 31)? Some of our group recalls this but none of us can find it in any documentation. Thanks!

#440166 - 03/04/06 09:31 PM Re: FIL-103-2005 Authentication in an Internet Banking
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,110
On the Net
Implementation has a deadline, but not the testing. That may have been a recommendation so that you have time to review and implement what is needed.

#440167 - 03/19/06 09:02 PM Re: FIL-103-2005 Authentication in an Internet Banking
gsunshine Offline
New Poster
Joined: Mar 2006
Posts: 2
Hi Andy,

I'm not sure what you mean by "testing"? Is there a working theory that a bank can have a multi-factor authentication solution in place in 2006 but does not need to have it tested and rolled out to all of its customers until some time in 2007?

#440168 - 03/21/06 02:33 PM Re: FIL-103-2005 Authentication in an Internet Banking
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,110
On the Net
By "test" I am referring to your risk assessments as you test/review your systems. And no, you don't really have until 2007. Examiners expect this to be done in 2006. They'll look at problems on a case-by-case basis, but we have no idea how forgiving they'll be.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#440169 - 06/08/06 05:13 PM Re: FIL-103-2005 Authentication in an Internet Ban
inbtfa Offline
New Poster
Joined: Jun 2006
Posts: 7
This is all so confusing. There are varied views on what is high risk. Is transfer of money to pre-authorised accounts in another country a high risk?

#440170 - 06/08/06 05:19 PM Re: FIL-103-2005 Authentication in an Internet Banking
inbtfa Offline
New Poster
Joined: Jun 2006
Posts: 7
Instead, a better option we are thinking of is to send a one-time password to the e-mail ID of the customer. This OTP should be valid for that particular transaction only and will expire in, say, 3 minutes. Everybody who is accessing Internet Banking would be able to view his/her e-mail account.

Is this solution acceptable to FDIC/FFIEC?

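An added example, written for this thread and not from inbtfa's post, from FDIC/FFIEC guidance or from any banking product, of the server side of the transaction-bound one-time password described above. The server issues a six-digit code tied to a hash of the transaction details, stores only an HMAC of the code (so a database read does not leak it), expires it after 180 seconds, and discards it after one successful use, after three wrong guesses, or if the transaction details change after the code was sent; all comparisons are constant-time. E-mail delivery itself is outside the snippet: the return value of `issue()` is the string that would be mailed. The class and function names, the 180-second TTL, the three-attempt limit and the sample transaction are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Policy values taken from the post above (3-minute validity, one transaction);
# everything else is a constructed illustration, not a product implementation.
OTP_TTL_SECONDS = 180
OTP_DIGITS = 6
MAX_ATTEMPTS = 3           # assumption: lock the code after this many wrong guesses


def transaction_fingerprint(tx: dict) -> bytes:
    """Canonical hash of the transaction the code is meant to authorise."""
    canonical = "|".join(f"{key}={tx[key]}" for key in sorted(tx))
    return hashlib.sha256(canonical.encode("utf-8")).digest()


@dataclass
class PendingOtp:
    digest: bytes        # HMAC(server_key, fingerprint || code); the code itself is not stored
    tx_fp: bytes         # fingerprint of the transaction the code was issued for
    expires_at: float
    attempts: int = 0


class TransactionOtpService:
    def __init__(self, server_key: bytes, ttl: int = OTP_TTL_SECONDS):
        self.server_key = server_key
        self.ttl = ttl
        self.pending = {}  # tx_id -> PendingOtp

    def _digest(self, code: str, tx_fp: bytes) -> bytes:
        return hmac.new(self.server_key, tx_fp + code.encode("ascii"), hashlib.sha256).digest()

    def issue(self, tx_id: str, tx: dict, now: float) -> str:
        """Create the code for one transaction; the return value is what would be e-mailed."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        tx_fp = transaction_fingerprint(tx)
        self.pending[tx_id] = PendingOtp(self._digest(code, tx_fp), tx_fp, now + self.ttl)
        return code

    def verify(self, tx_id: str, tx: dict, code: str, now: float) -> str:
        """Return 'ok' or the reason the code was refused; every terminal outcome discards the code."""
        entry = self.pending.get(tx_id)
        if entry is None:
            return "unknown"                        # never issued, or already consumed
        if now > entry.expires_at:
            del self.pending[tx_id]
            return "expired"
        if not hmac.compare_digest(transaction_fingerprint(tx), entry.tx_fp):
            del self.pending[tx_id]                 # payee/amount changed after the code was sent
            return "transaction_mismatch"
        if hmac.compare_digest(self._digest(code, entry.tx_fp), entry.digest):
            del self.pending[tx_id]                 # single use
            return "ok"
        entry.attempts += 1
        if entry.attempts >= MAX_ATTEMPTS:
            del self.pending[tx_id]
            return "locked"
        return "wrong_code"


if __name__ == "__main__":
    svc = TransactionOtpService(b"constructed-server-key")
    # Constructed sample transfer: an outbound payment to a pre-authorised account.
    transfer = {"from": "1001", "to": "IN-9988", "amount": "250.00"}
    code = svc.issue("tx-1", transfer, now=1000.0)
    print("e-mailed code:", code)
    print("same code, amount altered:", svc.verify("tx-1", dict(transfer, amount="9999.00"), code, 1010.0))
```

Binding the code to the transaction fingerprint is the part that matters for "valid for that particular transaction only": a code phished out of the mailbox for one transfer cannot be redeemed against a different payee or amount, and any edit to the pending transaction forces a fresh code. It does not change what the code proves, which is control of the mailbox at the moment of the transfer.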
#440171 - 06/08/06 09:17 PM Re: FIL-103-2005 Authentication in an Internet Ban
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,110
On the Net
I have had email server issues that slowed my email up more than that. And if you had a customer at an Internet cafe, would they be inhibited? (This situation may be far fetched, or it may not be.)
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#440172 - 06/09/06 04:30 PM Re: FIL-103-2005 Authentication in an Internet Ban
inbtfa Offline
New Poster
Joined: Jun 2006
Posts: 7
Is an Internet cafe a safe place to do online transactions?

#440173 - 06/09/06 04:35 PM Re: FIL-103-2005 Authentication in an Internet Ban
inbtfa Offline
New Poster
Joined: Jun 2006
Posts: 7
Such instances may be very rare. However, is it not better than opting for costly tokens, which also generate OTPs at regular intervals? Besides, it definitely seems a better option than the solutions which work on IP address recognition. What do others think?

#440174 - 06/09/06 05:04 PM Re: FIL-103-2005 Authentication in an Internet Banking
deppfan Offline
Power Poster
Joined: Dec 2000
Posts: 5,184
All over the map.
Quote:
Instead, a better option we are thinking of is to send a one-time password to the e-mail ID of the customer. This OTP should be valid for that particular transaction only and will expire in, say, 3 minutes. Everybody who is accessing Internet Banking would be able to view his/her e-mail account.
Is this solution acceptable to FDIC/FFIEC?

Hmmm. Interesting. I'm not sure if that would qualify as something you "know" or something you "have". I think I could argue that both ways.
_________________________
On the road again.....I just can't wait to get on the road again.

#440175 - 06/09/06 06:39 PM Re: FIL-103-2005 Authentication in an Internet Banking
MikeJ Offline
Member
MikeJ
Joined: Nov 2002
Posts: 76
MA
I don't know if you guys are aware of this company (and I have no comment or view on the actual product) but they have some pretty good information on this subject at http://www.phishcops.com

#440176 - 06/16/06 09:28 PM Re: FIL-103-2005 Authentication in an Internet Banking
Kahola Offline
Platinum Poster
Kahola
Joined: May 2001
Posts: 712
Scottsdale, AZ. 85255
Does this apply to telephone banking? Our customers can call our 24-hour banking line to access their account balances and perform inter-bank transfers.

#440177 - 06/19/06 02:48 PM Re: FIL-103-2005 Authentication in an Internet Banking
Oursisnottoreasonwhy Offline
Gold Star
Oursisnottoreasonwhy
Joined: Nov 2004
Posts: 459
Central Illinois
It is my understanding per the Chicago FDIC Regional Office that it does encompass telephone banking products.

#440178 - 06/20/06 07:33 PM Re: FIL-103-2005 Authentication in an Internet Banking
Neytiri Offline
Platinum Poster
Neytiri
Joined: Jul 2002
Posts: 645
Pandora
The OCC wants all non-Internet e-banking products included. For us this is only telephone banking, which is balance inquiry only. From what I have read, internal transfers are not high risk transactions whether by IB or automated phone transfer.

#440179 - 06/20/06 07:38 PM Re: FIL-103-2005 Authentication in an Internet Banking
Sentient Offline
New Poster
Sentient
Joined: Jun 2006
Posts: 1
South Florida
Does anyone have a link to documentation that states Telephone banking should be included or excluded? I've heard verbal comments for either, but have yet to see any concrete documentation.

#440180 - 06/27/06 02:32 PM Re: FIL-103-2005 Authentication in an Internet Banking
vaforlovers Offline
100 Club
Joined: Nov 2004
Posts: 107
What is everyone doing for the customer awareness program?
How are you going about educating the customers?

#440181 - 06/28/06 09:32 PM Re: FIL-103-2005 Authentication in an Internet Banking
RebekahL CRCM Offline
Platinum Poster
RebekahL CRCM
Joined: Feb 2003
Posts: 749
Big Sky Country
What about e-statements?

Currently, our customer uses a password to open an e-statement we've e-mailed to them. Would this be considered an "Internet-based product or service" subject to the multi-factor authentication requirements?

Obviously, no transactions are being initiated, but a sizeable amount of customer information resides in the statement info and imaged checks.
_________________________
Me, Type A? Maybe - I'm not done analyzing it yet.

#440182 - 08/30/06 04:56 PM Re: FIL-103-2005 Authentication in an Internet Banking
inbtfa Offline
New Poster
Joined: Jun 2006
Posts: 7
Is account number considered sensitive customer information?

#440183 - 08/30/06 07:13 PM Re: FIL-103-2005 Authentication in an Internet Banking
Neytiri Offline
Platinum Poster
Neytiri
Joined: Jul 2002
Posts: 645
Pandora
One quick place to look is in the 8/15/2006 FAQ FFIEC Guidance on Authentication in an Internet Banking Environment. Q-2 states that it applies to all forms of e-banking, including telephone banking systems.
