Skip to content
BOL Conferences
Page 2 of 3 1 2 3
Thread Options
#440149 - 11/10/05 10:05 PM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

I just recently attended a seminar that discussed this topic. According to the speaker, this particular guidance indicates that only when the financial institution conducts its risk assessment on e-banking activities and it is determined that single factor authentication is not sufficient, then implement multi-factor authentication, layered security, and other controls.

I read this guidance a couple of times prior to the seminar, then re-read it again afterwards. It mentions the above statement several times throughout the document and it does appear that as long as you can determine through your risk assessment methodology that single factor authentication is sufficient, then that should be acceptable.

However, based on this line of thinking, we may think one thing is sufficient and the regulators may not see it the same way.

Of course, it is always better to be pro-active in these instances.

Return to Top
eBanking / Technology
#440150 - 11/10/05 10:20 PM Re: FIL-103-2005 Authentication in an Internet Banking
1 Peter 5:7 Offline
Diamond Poster
1 Peter 5:7
Joined: Jun 2001
Posts: 1,339
TX
Quote:

as long as you can determine through your risk assessment methodology that single factor authentication is sufficient, then that should be acceptable.





I believe the Guidance also says that the capability of your customer to conduct transactions on your site almost dictates dual authentication. Don't treat the risk assessment exercise too lightly.
_________________________
Opinions are mine not my employer's, and should not be taken as legal advice.

Return to Top
#440151 - 11/16/05 05:16 AM Re: FIL-103-2005 Authentication in an Internet Ban
Anonymous
Unregistered

"it does appear that as long as you can determine through your risk assessment methodology that single factor authentication is sufficient, then that should be acceptable."

I don't think this is correct. The Guidance clearly says that it considers single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.

Return to Top
#440152 - 11/16/05 04:59 PM Re: FIL-103-2005 Authentication in an Internet Ban
complygirl Offline
Platinum Poster
Joined: Oct 2004
Posts: 822
midwest
So will there be additional guidance regarding the internet banking risk assessment? Has anyone already completed their risk assessment, if so what did it amount to? Thanks.

Return to Top
#440153 - 11/16/05 05:50 PM Re: FIL-103-2005 Authentication in an Internet Ban
1 Peter 5:7 Offline
Diamond Poster
1 Peter 5:7
Joined: Jun 2001
Posts: 1,339
TX
As I read the Guidance regarding the risk assessment, if you have a transactional website, that is "high risk" and high risk means two-factor authentication.
_________________________
Opinions are mine not my employer's, and should not be taken as legal advice.

Return to Top
#440154 - 11/16/05 09:54 PM Re: FIL-103-2005 Authentication in an Internet Ban
Anonymous
Unregistered


Return to Top
#440155 - 11/18/05 04:04 PM Re: FIL-103-2005 Authentication in an Internet Ban
Anonymous
Unregistered

Information Technology's Sizemore said that tokens will cost banks at least $10 to $15 apiece. Some estimates peg the cost of purchasing a token at $50 each.

Return to Top
#440156 - 11/18/05 08:01 PM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

Our bank is taking a different route entirely, due to reports that will be made available by our website host provider. Customer bill pay and transfer transactions will be monitored and any outside the norm will generate a real-time high-risk report that we will have to review, and possibly contact the customer. We can also e-mail a randomly-generated one-time pin or have additional security (additional security questions) at bill pay/transfer login.

We don't allow wires or ACH originations from our website, and require business customers to enroll in person to limit risk. So hopefully this will be sufficient; we live in an area at low risk for terrorist activity and money laundering.

Return to Top
#440157 - 11/19/05 03:33 PM Re: FIL-103-2005 Authentication in an Internet Banking
Anonymous
Unregistered

I don't beleive being in an area considered low risk for terrorist activity and money laundering would negate the requirement of using dual authentification methods for online banking per the FIL. Your risk level has already been identified by the regulatory agencies and if you don't use dual authentifaction methods you are not complying.

Return to Top
#440158 - 11/26/05 10:04 PM Re: FIL-103-2005 Authentication in an Internet Banking
Click Here Offline
Junior Member
Joined: Nov 2005
Posts: 32
Has anyone thought about using electronic software tokens? They are much less expensive and can be delivered using a secure email system. And, if you feel portability is necessary to allow access to on-line banking from different computers, the end-user can store the token on a USB drive that can be further secured through encryption and/or password protection.

I currently use this method to remotely access our corporate intranet and it is easy to distribute, install and execute. And, I use an encryption tool that was downloaded for free to securely store the token and other confidential files on my laptop when I'm traveling or it's not in my presence. (Just in case)

Is it obvious?..after I made the transition from an extended career in the banking industry to information security consulting, I am becoming paranoid! But trust me, it's not without good reason.. My personal home system is now protected by Anti-virus, Anti-spam, Anti-spyware and a firewall (with very few open ports ). I also store some files in encrypted folders and when at all feasible, I have very few microsoft products installed. I don't however, use IE!

I have also wondered how my own bank would react if I were to ask if they have an effective patch management program, periodic vulnerability scans and pen tests. But, I'm relatively certain that once their dazed and confused look subsides, my account would be flagged and I would forever be cast under a cloud of suspicion. If my account were not immediately closed that is!

Return to Top
#440159 - 11/27/05 08:58 PM Re: FIL-103-2005 Authentication in an Internet Banking
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,748
On the Net
The tokens are not a viable means to prevent phishing, according to the bulletin. But I am not very familiar with this via email. How does it work and what are the strengths and weaknesses?
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

Return to Top
#440160 - 11/28/05 05:39 AM Re: FIL-103-2005 Authentication in an Internet Banking
Click Here Offline
Junior Member
Joined: Nov 2005
Posts: 32
Andy -

Obviously the biggest benefit of Soft vs. Hard tokens will be the cost and deployment. But, other than that, in my opinion it will depend on the product itself because there are so many variables. Several vendors are now providing soft tokens and the dynamics differ. However, based on the small amount of research I have done to date, most are based on the same challenge/response authentication method as hard tokens but they can be directly installed on your PC or laptop. Here is a very general summary that I found:

Quote:

Soft tokens are software-based token generating devices. The software token is installed on PCs, laptops, and hand-held computers. Once the PIN is activated, the token creates and sends the users's one-time password. The system's memory stores the secrets and the system's CPU is used to generate the password. Although there is some risk associated with storing the secrets on the system's memory, this risk is reduced by having the secrets encrypted. Also, because the token is installed on the system, anyone with physical access to the system can use it to authenticate, but they must know or guess the PIN to use it.




I'm not sure why this method would not be as effective as hard tokens to prevent phishing, as you can see, even if a user were to unknowingly give up passwords and/or PINs, the soft token has to be executed each time the user requests access to the protected site. And IMO, unlike a smartcard or key fob, when installed on a desktop, it is not likely that you will misplace the device. Your risk of this obviously does increase when stored on a USB drive and possibly a laptop.

The installation file can be received via email, and just as I have done, it can be further secured by storing it in an encrypted file. I'm not sure how feasible or easy to communicate to all end-users/customers this would be. I personally use True Crypt and it was not that difficult to install or to use.

Google "Software or Soft Tokens" and review the various vendor products.

Return to Top
#440161 - 11/28/05 07:52 PM Re: FIL-103-2005 Authentication in an Internet Banking
mtcrossranch Offline
New Poster
Joined: Jul 2005
Posts: 10
God's Country, Montana
So, is the conclusion that tokens are not effective and we should be looking into "mutual authentication?"
_________________________
Never insult seven men when all you have is a six shooter -- Col. Potter

Return to Top
#440162 - 11/28/05 10:21 PM Re: FIL-103-2005 Authentication in an Internet Banking
02bonne Offline
Platinum Poster
Joined: Nov 2005
Posts: 620
Superior mortgage got sued by the FTC for not encrypting emails. Although they claimed they were securing transmissions to their customers. I don't remember how much they got sued for though.

Return to Top
#440163 - 01/06/06 08:19 PM Re: FIL-103-2005 Authentication in an Internet Ban
btfitz0 Offline
New Poster
Joined: May 2005
Posts: 14
How can a hard token not be a viable means of security? For instance the RSA token changes its PIN every 60 seconds or so. So even if I did give it and my password and username to someone they would have to use it in 60 seconds or less. This seems highly unlikenly and very unreasonable to assume. If for some reason I lost my token it is my responisbilty to notify the bank, if someone was to find it and my username and password, how can I the customer have anyone to blame but myself?

Return to Top
#440164 - 01/13/06 07:05 PM Re: FIL-103-2005 Authentication in an Internet Banking
VT Banker Offline
Member
Joined: Sep 2001
Posts: 70
VT, USA
Attended a NYCE webinar and a rep from FDIC said that this is NOT optional and will need to be in place by the end of 2006. Saw a demo of Bof A and that is the ideal solution. We're not sure our core bank processor is going to offer something along these lines. We know our customers will balk at a token and know the calls about lost tokens, etc would be a call center nightmare. Hopefully, the ideal solution will arrive- yes, I am a pollyanna.

Return to Top
#440165 - 03/03/06 12:05 AM Re: FIL-103-2005 Authentication in an Internet Banking
Risk Manager in Training Offline
New Poster
Joined: Nov 2005
Posts: 5
Does anyone recall hearing that the risk assessment must be complete by March 31 (then with implementation by December 31)? Some of our group recalls this but none of us can find it in any documentation. Thanks!

Return to Top
#440166 - 03/04/06 09:31 PM Re: FIL-103-2005 Authentication in an Internet Banking
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,748
On the Net
Implementation has a deadline, but not the testing. That may have been a recommendation so that you have time to review and implement what is needed.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

Return to Top
#440167 - 03/19/06 09:02 PM Re: FIL-103-2005 Authentication in an Internet Banking
gsunshine Offline
New Poster
Joined: Mar 2006
Posts: 2
Hi Andy,

I'm not sure what you mean by "testing"? Is there a working theory that a bank can have a multi-factor authentication solution in place in 2006 but does not need to have it tested and rolled out to all of it's customers until some time in 2007?

Return to Top
#440168 - 03/21/06 02:33 PM Re: FIL-103-2005 Authentication in an Internet Banking
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,748
On the Net
By "test" I am referring to your risk assessments as you test/review your systems. And no, you don't really have into 2007. Examiners expect this to be done in 2006. They'll look at problems on a case by case basis but we have no idea how forgiving they'll be.
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

Return to Top
#440169 - 06/08/06 05:13 PM Re: FIL-103-2005 Authentication in an Internet Ban
inbtfa Offline
New Poster
Joined: Jun 2006
Posts: 7
This is all so confusing. There are varied views on what is high risk. Is transfer of money to pre authorised accounts in other country a High Risk.

Return to Top
#440170 - 06/08/06 05:19 PM Re: FIL-103-2005 Authentication in an Internet Banking
inbtfa Offline
New Poster
Joined: Jun 2006
Posts: 7
Instead a better option we are thinking of is to send a one time password to the e-mail ID of the customer. This OTP should be valid for that particular transaction only & will expire in say 3 minutes. Everybody who is accessing Internet Banking would be able to view his / her e-mail account.

Is this solution acceptable to FDIC/FFIEC?

Return to Top
#440171 - 06/08/06 09:17 PM Re: FIL-103-2005 Authentication in an Internet Ban
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,748
On the Net
I have had email server issues that slowed my email up more than that. And if you had a customer at an Internet cafe, would they be inhibited? (This situation may be far fetched, or it may not be.)
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

Return to Top
#440172 - 06/09/06 04:30 PM Re: FIL-103-2005 Authentication in an Internet Ban
inbtfa Offline
New Poster
Joined: Jun 2006
Posts: 7
Is Internet Cafe a safe place to do online transactions ?

Return to Top
#440173 - 06/09/06 04:35 PM Re: FIL-103-2005 Authentication in an Internet Ban
inbtfa Offline
New Poster
Joined: Jun 2006
Posts: 7
Such instances may be very rare? However is it not better than opting for costly tokens which also generate OTPs at regular intervals. Besides it definitively seems better option than the solutions which work on IP address recognition? What do others think?

Return to Top
Page 2 of 3 1 2 3

Moderator:  Andy_Z