During the last quarter of 2006, financial institutions nationwide found themselves scrambling to meet the Federal Financial Institutions Examination Council's (FFIEC's) year-end deadline for employing two-factor authentication, or better, for any Internet-facing sites where there is either the ability to transfer funds or to gain access to non-public consumer information. In response to pervasive criminal attempts to gain access to and enact fraudulent transactions via customer accounts, the FFIEC looked into the level of industry security with regard to account access, and found it lacking. It determined that most financial services firms were employing single-factor authentication to protect account access.
The agencies that make up the FFIEC--the Federal Reserve Board (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC) and Office of Thrift Supervision (OTS)--state in their guidelines that they "consider single-factor authentication as the only control mechanism to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties."
Single-factor authentication--such as user identification (ID)/password combinations--leaves financial accounts exposed to relatively simple attacks. If criminals somehow gain access to that information, they also gain access to the consumer's account.
This is most commonly accomplished by way of e-mail "phishing" schemes used in conjunction with dummy Web sites. These sites appear indistinguishable to the consumer from the bank's own legitimate online presence. The criminals thereby not only commit banking fraud, but also play upon the good name of the targeted organization in order to do so.
The FFIEC determined that in order to curb the rash of phishing schemes and other attacks, providers of online financial services, after an internal risk assessment to determine their level of exposure, should at the very least employ some degree of two-factor authentication.
The severity of the problem
In its monthly Phishing Activity Trends report for April 2007, the Anti-Phishing Working Group (APWG), a multinational industry coalition, recorded nearly 24,000 reports of phishing incidents, and some 56,000 unique phishing sites in April alone. The financial services industry is still by far the most targeted industry sector, to the tune of nearly 90 percent of all phishing attacks.
To underscore the severity of the situation, consider the following: According to its 2007 Identity Fraud Survey Report, Pleasanton, California-based Javelin Strategy & Research reports that U.S. consumers lost more than $49 billion to identity-theft schemes in 2006. Though a decrease from nearly $56 billion in 2005, that number is still substantial.
This is to say nothing of the potential costs in the long run, should continued success by phishing scams and other schemes begin to undermine the public's sense of trust and security in using the Internet for online banking and eCommerce. In fact, this is the main reason the Department of Justice (DOJ) believes many financial services companies are often hesitant to report the crime to law-enforcement authorities.
Unlike most hacking, which is usually executed with a great degree of stealth, phishing, by its very nature, involves the public misuse of legitimate companies' branding. The DOJ surmises that companies' reluctance to report phishing successes may be due to concern that, should the true volume of such attacks be made known to the public, customers or account holders might grow to mistrust the companies themselves.
In requiring the use of two-factor authentication, the new FFIEC guidelines are taking square aim at the preponderance of phishing scams, online fraud, hacking and identity theft that prey on the trust or naivete of customers and exist on the periphery of legitimate online banking initiatives. The guidelines themselves are also written broadly enough, and are likewise non-technology-specific, so as to account for the many different variables and risk assessments of individual organizations and institutions.
According to the FFIEC, approved solutions run the gamut of the various authentication technologies available, including advanced biometrics techniques, smart cards and universal serial bus (USB) tokens, software, cookies, certificates and challenge questions. Because of their transparency and ease of use for the customer, behavior and Internet protocol-based (IP-based) solutions are most prevalent. Such a "soft approach" is often the most attractive option for organizations looking to comply with the new guidelines without incurring huge new expenditures or customer re-education.
In order to make an educated decision when choosing any two-factor authentication solution, it is first important to understand exactly what it constitutes.
Two-factor authentication in a nutshell
When discussing authentication in general, any one of three identifying factors is generally called into play. Two-factor authentication, then, is defined as the use of at least two of the following authentication factors:
* Something you know. Authentication is determined by information only the user should possess. Generally, this will take the form of a user ID and password, or challenge questions. These can be user-generated--favorite color, a pet's name or mother's maiden name--or drawn from increasingly robust consumer credit records databases, the response to which would theoretically only be known by the user--type of car owned, last address in a particular city, old phone numbers and so forth.
* Something you have. This type of authentication requires physical (or in some cases, virtual) possession of an item or device (smart cards, USB tokens or keys, software tokens, etc.) that contains the holder's authenticating credentials. These can be dedicated items focused on authenticating the user for a particular session (e.g., accessing a single online banking service) or, as is becoming more common, certain devices may be designed to authenticate an individual user for a variety of situations.
* Something you are. This type of authentication is intensely personal, and the biometric technology required to implement it on a wide scale is expensive and intrusive. Potential authenticating factors can include retinal scans, fingerprint scanners or facial recognition routines. Given the expense, effort and complexity involved, this type of authentication is usually reserved only for situations requiring an extraordinary level of security, or where risk is extremely high but the user pool is small. As of yet, this level of authentication is neither realistically feasible nor necessary for widespread financial services industry use.
Two-factor authentication requires a combination of at least two of these three possible factors. The most common example of two-factor authentication in practice is probably the combination of an automated teller machine (ATM) card (something you have) and a personal identification number (PIN) (something you know). Others may include a USB token combined with a user ID and password, or perhaps a fingerprint reader doubly validated by challenge questions.
There are various possible combinations of factors for authentication, but perhaps what's most germane to the issue is an understanding of what the FFIEC is requiring from financial services organizations in this regard.
Meeting the guidelines
In its guidelines, the FFIEC clearly states that any move to two-factor authentication should be risk-based, with its implementation determined by the level of protection a given organization's operations require. The greater the value of transactions, or the more flexible the ability to transfer funds, the more robust the authentication protections should be.
Meeting an organization's particular level of risk can, as mentioned, take many forms. However, while laying out the standard definitions of potential authenticating factors and stressing the need for at least two-factor authentication, the FFIEC also left implementation requirements intentionally non-technology-specific. By not requiring any particular technological solution to two-factor authentication, the FFIEC allows enough room for appropriate responses to meet a variety of situational risk assessments.
In addressing this wide range of possibilities, the FFIEC doesn't go so far as to redefine the traditional understanding of two-factor authentication, but it does expand the possibilities for its implementation. Under FFIEC guidelines, in addition to the traditional authenticating factors discussed earlier, fraud-detection systems and digital watermarks will also meet the new requirements.
Other two-factor authentication routines the FFIEC accepts as valid include:
* Mutual authentication, in which the user authenticates himself or herself to a server via a digital certificate or token, and at the same time that server authenticates itself to the user. This allows both parties to be assured of the other's identity. Such mutual authentication makes it harder for criminals to impersonate a bank to the consumer, or a consumer to the bank.
* Out-of-band authentication provides a pathway separate from the Internet, usually using a cell phone, personal digital assistant (PDA) text message, home phone or voice-authentication system as a second factor by which to verify customer credentials. Some of the USB tokens noted earlier can also provide an out-of-band authentication component, usually by way of randomly generated numbers that change every 60 seconds or so, and must be used in conjunction with a login/password combination to gain access.
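As an added illustration (not code from the article or from any vendor or token it mentions), the following Python sketches how a server can check both factors together: a password (something you know) and a code from a token whose display changes every 60 seconds (something you have). The HMAC-based code derivation, the account record, the drift window, the replay check and the seed and salt values are all assumptions made for this example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the article describes token codes that change every 60 seconds
DIGITS = 6          # length of the displayed code
WINDOW = 1          # accept one time step of clock drift on either side

def otp_for_step(seed: bytes, step: int) -> str:
    """Derive the code a token would show for a given 60-second step.
    HMAC-SHA1 over the step counter with dynamic truncation: an assumed
    construction for this example, not the scheme of any real token."""
    digest = hmac.new(seed, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** DIGITS).zfill(DIGITS)

def current_step(now: float) -> int:
    return int(now // STEP_SECONDS)

def verify_token(user: dict, code: str, now: float) -> bool:
    """Second factor: accept a code for the current step or its neighbours,
    and refuse any step at or before the last one redeemed (blocks replay)."""
    base = current_step(now)
    for step in range(base - WINDOW, base + WINDOW + 1):
        if step <= user["last_step"]:
            continue
        if hmac.compare_digest(otp_for_step(user["seed"], step), code):
            user["last_step"] = step
            return True
    return False

def verify_password(user: dict, password: str) -> bool:
    """First factor: salted PBKDF2 hash compared in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    return hmac.compare_digest(derived, user["pw_hash"])

def make_user(password: str, seed: bytes, salt: bytes) -> dict:
    return {"salt": salt, "seed": seed, "last_step": -1,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}

# Constructed sample account; the seed and salt are made up for this illustration.
USERS = {"alice": make_user("correct horse", b"constructed-token-seed", b"constructed-salt")}

def verify_login(username: str, password: str, code: str, now: float) -> bool:
    """Both factors must pass. The password is checked first so that a wrong
    password never consumes a token step."""
    user = USERS.get(username)
    if user is None or not verify_password(user, password):
        return False
    return verify_token(user, code, now)
```

A phished user ID and password alone fail here, and a code captured from the user is refused once it has been redeemed or once the window has moved past it.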