BOL Conferences
#440124 - 10/13/05 04:22 PM FIL-103-2005 Authentication in an Internet Banking
Oursisnottoreasonwhy Offline
Platinum Poster
Oursisnottoreasonwhy
Joined: Nov 2004
Posts: 503
Central Illinois
In reading this FIL it states that: "The agencies consider single-factor authentication (eg. Login and Password), to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties." I read this to say any internet banking access that provides account information or transaction capabilities needs to have more than a login and password.

What types of other authentication factors are other internet banking providers using? What are the costs involved in adding additional authenticating factors? Are banks passing the additional costs on to the customer? How is customer acceptance of additional login procedures?

#440125 - 10/14/05 12:55 PM Re: FIL-103-2005 Authentication in an Internet Banking
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,748
On the Net
In many countries, and here at some institutions, you'll have a key fob or card with an access code that changes every minute or so. It is in sync with the main system and is needed to login. In some cases a scratch-off card may have the daily codes on it and it is mailed to the customer. That code is needed to login.

There are many versions of dual authentication. I can't quantify the costs or acceptance. But there will be costs, especially at start-up, and people resist change. So neither the bank nor the consumer will especially like it unless they really perceive the risk this is intended to mitigate.
_________________________
AndyZ CRCM
My opinions are not necessarily my employer's.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell
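
Added example, not part of the thread: a minimal server-side check for the kind of time-synchronised fob code described in the post above. The thread does not say which algorithm the fobs use, so this assumes the open HOTP/TOTP construction (RFC 4226/6238) with a 60-second step; `otp_code`, `FobVerifier`, the secret and the timestamp are constructed for illustration.

```python
import hashlib
import hmac
import struct


def otp_code(secret: bytes, now: int, step: int = 60, digits: int = 6) -> str:
    """Code for the time step containing `now` (HOTP truncation, RFC 4226/6238)."""
    counter = now // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class FobVerifier:
    """Server side: accepts a code once, within +/- `drift` steps of server time."""

    def __init__(self, secret: bytes, step: int = 60, drift: int = 1):
        self.secret, self.step, self.drift = secret, step, drift
        self.last_counter = -1  # highest time step already accepted

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter <= self.last_counter:
                continue  # replay guard: this step (or an earlier one) was used
            expected = otp_code(self.secret, counter * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


def demo() -> dict:
    secret = b"constructed-demo-secret"  # constructed sample, not a real seed
    server = FobVerifier(secret)
    t0 = 1_129_300_000                   # constructed timestamp
    code = otp_code(secret, t0)          # what the fob would display at t0
    return {
        "fresh": server.verify(code, t0 + 20),                # clock skew tolerated
        "replayed": server.verify(code, t0 + 40),             # same code, second use
        "stale": FobVerifier(secret).verify(code, t0 + 600),  # ten minutes later
    }


if __name__ == "__main__":
    print(demo())
```

The check establishes only that the code is correct, inside its time window and not yet used; it says nothing about which web page the customer typed it into.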

#440126 - 10/14/05 04:30 PM Re: FIL-103-2005 Authentication in an Internet Banking
Czargazer Offline
Gold Star
Czargazer
Joined: May 2003
Posts: 298
Pacific Northwest
I for one am really interested in what folks think about this. The whole thing seemed rather vague to me and relied too much on the institutions' risk assessments--which generally means the assessment will come out less than high so we then don't have to institute any additional safeguards...

The FIL did mention that the agencies are concerned about "high-risk transactions" but what are they classifying as high risk? What does it mean in this context?

We do a moderate amount of online banking, involving Bill Pay, and other transactions. Is this "high-risk" by default or do certain factors apply that would possibly make it "high-risk"? If so, I'd love to know what the agencies think these factors would be! Anybody got any ideas?
_________________________
Everyone has to make a living, mine just happens to involve thumbscrews.

#440127 - 10/14/05 04:41 PM Re: FIL-103-2005 Authentication in an Internet Banking
SusyG Offline
100 Club
Joined: Oct 2001
Posts: 120
Andy, what are your thoughts on browser-based dual authentication methods? I have done some research on several methods and browser-based seems the most economical for the bank and least intrusive for the customer, but it does have weaknesses as does every method. I just can't see our customers using cards, tokens, etc. The cost of delivering the additional hardware required for other methods would also be costly to the bank. But, I don't want to go with the browser-based method just because it is less costly and easier to implement if I'm not really getting a benefit out of it....

#440128 - 10/17/05 05:32 AM Re: FIL-103-2005 Authentication in an Internet Banking
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,748
On the Net
I haven't finished reading that document yet. (Just look at when I posted this.) I believe you'll have to find what is effective first, for now and the future, and what your customers will adopt. The latter is secondary. Many will complain because people resist change. Fewer will drop the product because of it.

You'll have to make your case as one of security and "this is for your own good." I think you'll work your way down to serious IB users and predict that you'll have a level of IB that doesn't allow transfer of funds and therefore doesn't require such authentication. This may be a way to take customers up to a higher level. You'll have to decide where, or if, IB can be profitable as well.
_________________________
AndyZ CRCM
My opinions are not necessarily my employer's.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#440129 - 10/18/05 02:29 PM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

I'm a bit surprised that there has not been more reaction to this since it likely will result in some of us having to pull a valued service from our customers (for their own good). Even if we can find a cost effective way to provide a secondary authentication factor for internet banking, I'm not sure I can see a way to provide the same for the telephone banking product (It will be included in your risk assessment, won't it?).

What we have here is regulation imposed without hearings, comment or other public input. We are not only told to do a risk assessment but told what the result must be.

More broadly the whole concept of "regulation by guidance" seems to be getting out of hand. A review of FDIC FILs indicates that in the year 2000 there was one such guidance. In 2001 - 3; 2002 - 2; 2003 - 5; 2004 - 12; and YTD 2005 - 15. These guidances focus on methodology rather than results. For example, it is not enough to have an adequate loan loss reserve, you must follow a specific methodology to determine its adequacy.

Oops, I seem to be slipping into a rant. The point is that maybe we should be concerned about a trend that is unfavorable to us and our customers; and begin raising the issue with our associations and advocates.

#440130 - 10/18/05 05:35 PM Re: FIL-103-2005 Authentication in an Internet Banking
mtcrossranch Offline
New Poster
Joined: Jul 2005
Posts: 10
God's Country, Montana
What is the general opinion out there about what is "high risk." Because BillPay is payment to a third party, it is definitely higher risk than just looking at balances, transferring between accounts and viewing images. But, is it high risk enough to warrant a secondary authentication requirement? What will the OCC say about this one?
_________________________
Never insult seven men when all you have is a six shooter -- Col. Potter

#440131 - 10/18/05 08:00 PM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

Just an observation or two:

Requiring (certain types of) two-factor authentication would almost entirely eliminate "fake online banking websites" from the identity theft arena (once users understand they should be required to have the fob/code/etc.).

I believe they (regulators) have really already done a "risk assessment" for the entire industry and decided the risk of using transactional websites is too great without the two-factor authentication. Without the "big picture" from all the reports they get, we'll never know how much fraud and identity theft is actually occurring.

#440132 - 10/18/05 09:57 PM Re: FIL-103-2005 Authentication in an Internet Banking
Czargazer Offline
Gold Star
Czargazer
Joined: May 2003
Posts: 298
Pacific Northwest
Quote:

Requiring (certain types of) two-factor authentication would almost entirely eliminate "fake online banking websites" from the identity theft arena (once users understand they should be required to have the fob/code/etc.).

Emphasis on the "certain types". There was recently a case of a phishing scam in which the perpetrators were aware of the second authorization factor (a scratch-off card with codes), and included it in their fake web-site enabling them to acquire codes to use in conjunction with the passwords they gleaned. Article
_________________________
Everyone has to make a living, mine just happens to involve thumbscrews.

#440133 - 10/18/05 11:42 PM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

A client with multiple banking relationships would carry multiple authentication devices, be they tokens, scratch cards, etc. So (rhetorically) do you think that there would be confusion about which device belongs to which bank, account, etc? If the devices are then labeled, does it not compromise the security? Will there not be client backlash as a result?

No solutions, just problematic questions.

#440134 - 10/19/05 05:07 AM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

I heard someone in law enforcement give an opinion on the best way to stop crime on the Internet: Stop using the Internet.

Now for my opinion: There is no way to stop Internet fraud (short of stopping Internet use). Dual factor authentication will be significantly more effective than single factor authentication. It will not prevent certain customers from compromising their own security, falling for fraud schemes, etc., but it will reduce it significantly. Dual factor authentication is going to happen for all transactions. It is happening. The agencies are going to force the banks to implement it and educate the population. The decision to be made is to get on board now or try to delay it until later. Identity theft is a huge problem and it's getting bigger every day. Organized crime in the US and abroad are getting into the act. As stated above, the regulators are in a better position to see the "big picture."

#440135 - 10/19/05 04:10 PM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

If you look at the statistics on identity theft from the FTC, the vast majority of information that is compromised is still from a paper document either stolen out of a mail box, from dumpster diving or company employees with access to sensitive customer information. Once the thieves have this information, they turn around and use it on the internet for fraudulent activity because of the anonymity of the internet. The stolen information is very seldom actually stolen from an electronic source to begin with, but the media and others confuse consumers by focusing on how the information was used electronically and not the fact that the information was gained from a paper document to start with.

So, why don't the regulating agencies make me have a smart card or token for the mailbox or trash can that sits outside my house that anyone driving by has access to?

#440136 - 10/20/05 05:20 PM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

The REAL problem is that consumers willingly (and unknowingly) provide thieves with the information that they need. What's to say that a thief (using a phishing site) doesn't set up fake "dual authentication" input fields or creates the email and just says, "make sure you put in your token"? The phisher will still get debit or credit info which is the #1 problem.

#440137 - 10/21/05 05:41 PM Re: FIL-103-2005 Authentication in an Internet Banking
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,748
On the Net
It isn't "sexy" news so it has hit the press, but with little fanfare. El Paso Yahoo

If you want activity, tell your customers the price is now $5.95 a month for scratch-offs mailed to them or $7.95 for a fancy key fob.
_________________________
AndyZ CRCM
My opinions are not necessarily my employer's.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#440138 - 10/26/05 09:56 PM Re: FIL-103-2005 Authentication in an Internet Banking
Still Developing Offline
100 Club
Joined: Mar 2002
Posts: 199
What is the general opinion out there about what is "high risk."

mtcrossranch,

Our FDIC examiners have told us on more than one occasion if you have an internet site for the bank that allows customers access to their information - these accounts and method of access is automatically considered high risk.

#440139 - 11/02/05 09:52 PM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

The whole area of two factor authentication is not deeply understood from a total risk perspective. Fob tokens are deemed to prevent being attacked by fraudsters when using internet banking. However, the truth of the matter is that traditional solutions are deemed obsolete when it comes to preventing emerging threats such as DNS poisoning and Man in the Middle attacks. These piggyback off an authenticated session. ValidSoft have a solution that has got Gartner really excited because it achieves mutual authentication (ie. host to user, user to host), it has the flexibility to apply 2FA to certain 'high risk' transactions and it can combat Man in the Middle. When a user's session is compromised having been under the impression that their fob token has protected them, there's going to be a lot of unhappy customers of Banks and their confidence will diminish out of sight.

#440140 - 11/03/05 01:36 AM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

I also am surprised that there has been so little reaction to this guidance. Most compliance officers I've polled are not concerned. As I read the guidance, any transaction involving NPPI or movement of funds requires two factor authentication. If that is so, kiss internet account origination channels goodbye. Call me Chicken Little, and please tell me I'm wrong on this...

#440141 - 11/03/05 04:45 PM Re: FIL-103-2005 Authentication in an Internet Banking
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,748
On the Net
A) I don't think it has sunk in yet.
B) Some may still be studying it and trying to determine is it IT, security, compliance, all of the above.
C) Too many things to worry about today, much less tomorrow, and,
D) Vendors will come out of the woodwork to sell these systems.

Nothing will stop it all, but the more layers of protection we have, the more secure we can be. Using the right layers, the right way is what is important.

This brings back some reasons many laws addressing e-commerce do not have specific requirements on technology practices. The older systems where a customer has to dial up their "internet banking" application, which is not housed on the web as we know it, can be safer. The customer may have a special banking program on their PC. It works with the bank. Browsers do not. And the bank can accept the connection from only certain phone numbers, as examples. These can be better security than what is offered today. Obviously they have less appeal to the average user as they are less convenient. Such is the evolutionary process.
_________________________
AndyZ CRCM
My opinions are not necessarily my employer's.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#440142 - 11/04/05 07:02 PM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

Just learned this morning that management conducted a risk "assessment" and has determined that there is "no-to-low risk" in our transactional online accounts! So they want to make the dual authentication optional at the customer's request and sell a solution only to interested customers.
I'm heading for the closet now looking for my 20 lb sledge hammer to pay a visit to the IT manager. Where is it written in my job description I have to save management from themselves?

#440143 - 11/06/05 06:20 PM Re: FIL-103-2005 Authentication in an Internet Ban
Princess Leia Offline
Diamond Poster
Joined: Jun 2004
Posts: 1,975
Alderaan
Quote:

Our FDIC examiners have told us on more than one occasion if you have an internet site for the bank that allows customers access to their information - these accounts and method of access is automatically considered high risk.

That's exactly what we were told also. Doesn't matter if the customer can do anything other than view their account information. The mere fact that there is customer information makes it high risk.

It's definitely receiving more and more publicity. Here's an article from last week's USA Today about it and what BofA is doing.

I hope other non-bank type of financial institutions follow suit soon. Schwab makes you put in your SSN to access your account!
Last edited by Princess Leia; 11/06/05 06:26 PM.
_________________________
Duct tape is like the force: It has a light side and a dark side and it holds the universe together.

#440144 - 11/08/05 02:38 AM Re: FIL-103-2005 Authentication in an Internet Ban
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,748
On the Net
Everyone will be on board soon, like it or not. I wonder if some banks will eliminate internet banking? While it wouldn't be competitive, I can see it happening in Smallville USA.
_________________________
AndyZ CRCM
My opinions are not necessarily my employer's.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#440145 - 11/09/05 10:16 AM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

This comment is so true. I have seen solutions that use the mobile phone as the device for token delivery via speech (not SMS), such as VALid from ValidSoft. The solution is practically unbreakable and achieves mutual authentication for the user simply from the architectural design and implementation method. Customers don't have to carry multiple devices, just the single device they never leave the house without ... the mobile phone. There's no software required to be installed so there is zero footprint required.

#440146 - 11/09/05 11:07 AM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

A zero footprint, shareable device will be essential for wide scale deployments. Fobs were designed for enterprise access, not Internet banking protection and certainly not for mass retail deployment. As it is already known they cannot protect against even simple phishing scams (e.g. link to fake web site that collects username, password and OTP), what happens when a customer (who's had to pay the bank for the privilege) finds they've been ripped off despite using their fob in accordance with instructions???

#440147 - 11/09/05 03:05 PM Re: FIL-103-2005 Authentication in an Internet Ban
JacF Offline

Power Poster
Joined: Nov 2001
Posts: 6,719
PA
Quote:

Everyone will be on board soon, like it or not. I wonder if some banks will eliminate internet banking? While it wouldn't be competitive, I can see it happening in Smallville USA.

Greetings from Smallville! As we tend to use vendor provided systems, I would think that the Smallville contingent will not have trouble finding a solution, it would be suicide for online banking platform providers to not offer something. That said, the downside is that Smallville will undoubtedly have fewer choices, as compatibility will be out of the banks' control, so we will pretty much have to go with the options offered by the vendor.

#440148 - 11/09/05 05:02 PM Re: FIL-103-2005 Authentication in an Internet Banking
Czargazer Offline
Gold Star
Czargazer
Joined: May 2003
Posts: 298
Pacific Northwest
Quote:

Customers don't have to carry multiple devices, just the single device they never leave the house without ... the mobile phone.

And what would be offered to those who do not use a cell phone? An alternative, or a waiver indicating that any breaches are the customer's fault for not having a cell phone to enhance security? It may be a good option to those it's available to, but believe it or not there is still a good number of people who don't own cell phones.
_________________________
Everyone has to make a living, mine just happens to involve thumbscrews.


Moderator:  Andy_Z