During the last quarter of 2006, financial institutions nationwide
found themselves scrambling to meet the Federal Financial Institutions
Examination Council's (FFIEC's) year-end deadline for
employing two-factor authentication, or better, for any Internet-facing
sites where there is either the ability to transfer funds or to gain
access to non-public consumer information. In response to pervasive
criminal attempts to gain access to and enact fraudulent transactions
via customer accounts, the FFIEC looked into the level of industry
security with regard to account access, and found it lacking. It
determined that most financial services firms were employing
single-factor authentication to protect account access.
The agencies comprising the FFIEC--including the Federal Reserve
Board (FRB), Federal Deposit Insurance Corporation (FDIC), National
Credit Union Administration (NCUA), Office of the Comptroller of the
Currency (OCC) and Office of Thrift Supervision (OTS)--according to
their guidelines, "consider single-factor authentication as the
only control mechanism to be inadequate for high-risk transactions
involving access to customer information or the movement of funds to
other parties."
Single-factor authentication--such as user identification
(ID)/password combinations--leaves financial accounts exposed to
relatively simple attacks. If criminals somehow gain access to that
information, they also gain access to the consumer's account.
This is most commonly accomplished by way of e-mail
"phishing" schemes used in conjunction with dummy Web sites.
These sites appear indistinguishable to the consumer from the
bank's own legitimate online presence. The criminals thereby not
only commit banking fraud, but also play upon the good name of the
targeted organization in order to do so.
The FFIEC determined that in order to curb the rash of phishing
schemes and other attacks, providers of online financial services, after
an internal risk assessment to determine their level of exposure, should
at the very least employ some degree of two-factor authentication.
The severity of the problem
In its monthly Phishing Activity Trends report for April 2007, the
Anti-Phishing Working Group (APWG), a multinational industry coalition,
recorded nearly 24,000 reports of phishing incidents, and some 56,000
unique phishing sites in April alone. The financial services industry is
still by far the most targeted industry sector, to the tune of nearly 90
percent of all phishing attacks.
To underscore the severity of the situation, consider the
following: According to its 2007 Identity Fraud Survey Report,
Pleasanton, California-based Javelin Strategy & Research reports
that U.S. consumers lost more than $49 billion to identity-theft schemes
in 2006. Though a decrease from nearly $56 billion in 2005, that number
is still substantial.
This is to say nothing of the potential costs in the long run,
should continued success by phishing scams and other schemes begin to
undermine the public's sense of trust and security in using the
Internet for online banking and eCommerce. In fact, this is the main
reason the Department of Justice (DOJ) believes many financial services
companies are often hesitant to report the crime to law-enforcement
authorities.
Unlike hacking, which is more often carried out with a great degree of
stealth, phishing, by its very nature, involves the public misuse of
legitimate companies' branding. The DOJ surmises that companies'
reluctance to report phishing successes may be due to concern that,
should the true volume of such attacks be made known to the public,
customers or account holders might grow to mistrust the companies
themselves.
In requiring the use of two-factor authentication, the new FFIEC
guidelines are taking square aim at the preponderance of phishing scams,
online fraud, hacking and identity theft that prey on the trust or
naivete of customers and exist on the periphery of legitimate online
banking initiatives. The guidelines are also written broadly enough,
and are likewise non-technology-specific, so as to account for the many
different variables and risk assessments of individual organizations and
institutions.
According to the FFIEC, approved solutions run the gamut of the
various authentication technologies available, including advanced
biometrics techniques, smart cards and universal serial bus (USB)
tokens, software, cookies, certificates and challenge questions. Because
of their transparency and ease of use for the customer, behavior and
Internet protocol-based (IP-based) solutions are most prevalent. Such a
"soft approach" is often the most attractive option for
organizations looking to comply with the new guidelines without
incurring huge new expenditures or customer re-education.
In order to make an educated decision when choosing any two-factor
authentication solution, it is first important to understand exactly
what it consists of.
Two-factor authentication in a nutshell
When discussing authentication in general, any one of three
identifying factors is generally called into play. Two-factor
authentication, then, is defined as the use of at least two of the
following authentication factors:
* Something you know. Authentication is determined by information
only the user should possess. Generally, this will take the form of a
user ID and password, or challenge questions. These can be
user-generated--favorite color, a pet's name or mother's
maiden name--or drawn from increasingly robust consumer credit records
databases, the response to which would theoretically only be known by
the user--type of car owned, last address in a particular city, old
phone numbers and so forth.
* Something you have. This type of authentication requires physical
(or in some cases, virtual) possession of an item or device (smart
cards, USB tokens or keys, software tokens, etc.) that contains the
holder's authenticating credentials. These can be dedicated items
focused on authenticating the user for a particular session (e.g.,
accessing a single online banking service) or, as is becoming more
common, certain devices may be designed to authenticate an individual
user for a variety of situations.
* Something you are. This type of authentication is intensely
personal, and the biometric technology required to implement it on a
wide scale is expensive and intrusive. Potential authenticating factors
can include retinal scans, fingerprint scanners or facial recognition
routines. Given the expense, effort and complexity involved, this type
of authentication is usually reserved only for situations requiring an
extraordinary level of security, or where risk is extremely high but the
user pool is small. As of yet, this level of authentication is neither
realistically feasible nor necessary for widespread financial services
industry use.
Two-factor authentication requires a combination of at least two of
these three possible factors. The most common example of two-factor
authentication in practice is probably the combination of an automated
teller machine (ATM) card (something you have) and a personal
identification number (PIN) (something you know). Others may include a
USB token combined with a user ID and password, or perhaps a fingerprint
reader doubly validated by challenge questions.
There are various possible combinations of factors for
authentication, but perhaps what's most germane to the issue is an
understanding of what the FFIEC is requiring from financial services
organizations in this regard.
Meeting the guidelines
In its guidelines, the FFIEC clearly states that any move to
two-factor authentication should be risk-based, with its implementation
determined by the level of protection a given organization's
operations require. The greater the value of transactions, or the more
flexible the ability to transfer funds, the more robust the
authentication protections should be.
Meeting an organization's particular level of risk can, as
mentioned, take many forms. However, while laying out the standard
definitions of potential authenticating factors and stressing the need
for at least two-factor authentication, the FFIEC also left
implementation requirements intentionally non-technology-specific. By
not requiring any particular technological solution to two-factor
authentication, the FFIEC allows enough room for appropriate responses
to meet a variety of situational risk assessments.
In addressing this wide range of possibilities, the FFIEC
doesn't go so far as to redefine the traditional understanding of
two-factor authentication, but it does expand the possibilities for its
implementation. Under FFIEC guidelines, in addition to the traditional
authenticating factors discussed earlier, fraud-detection systems and
digital watermarks will also meet the new requirements.
Other two-factor authentication routines the FFIEC accepts as valid
include:
* Mutual authentication, in which the user authenticates himself or
herself to a server via a digital certificate or token, and at the same
time that server authenticates itself to the user. This allows both
parties to be assured of the other's identity. Such mutual
authentication makes it harder for criminals to impersonate a bank to
the consumer, or a consumer to the bank.
* Out-of-band authentication provides a pathway separate from the
Internet, usually using a cell phone, personal digital assistant (PDA)
text message, home phone or voice-authentication system as a second
factor by which to verify customer credentials. Some of the USB tokens
noted earlier can also provide an out-of-band authentication component,
usually by way of randomly generated numbers that change every 60
seconds or so, and must be used in conjunction with a login/password
combination to gain access.
* IP addresses provide a way for servers to identify the geographic
location and Internet connection characteristics of the customer's
computer. That computer must match attributes associated with the
user's IP address--country of origin, Internet service provider
(ISP), Internet connection and routing type--in order to gain access to
an account. If not, the user will also need to answer one or more
challenge questions.
Some technology purists may argue that these approaches don't
meet the traditional, textbook definition of two-factor authentication,
in that they are not specifically authenticating a user's identity.
While each of these approaches does verify the user's computer
rather than the individual customer's identity, for many banking
situations they provide a more-than-sufficient response to establishing
an acceptable second authenticating factor.
By widening the range of acceptable factors, the FFIEC has strived
to increase the adoption of multi-layered authentication without overly
burdening financial organizations with strict requirements. Aside from
requiring great cost and effort to implement, any such requirements
might well be beyond an individual organization's assessed level of
risk.
The best route
Once banks and other financial services firms have thoroughly
assessed their online banking offerings and determined any risks or
vulnerabilities, a secure and sufficient two-factor authentication
system can be decided upon to meet the associated level of risk.
Some of the larger online financial sites and institutions have
taken the step of distributing memory cards and USB keys to all of their
customers. This may make sense for an organization large enough to
absorb the costs of such an investment in technology and customer
re-education, but it's far from a universal solution. Aside from
the obvious money and effort involved in taking this route to employing
two-factor authentication, there is also another, similarly less
palatable aspect to this strategy.
Distributing a physical item to a financial customer can be a
problem because of the way today's consumers use online financial
services. Consumers are no longer tied to a single financial
institution. Most have, in fact, more than one online account that they
access regularly.
Often, a single consumer will have multiple bank accounts in
addition to a mortgage, home-equity line, various credit products,
stock-trading accounts, alternative payment services and much more. Each
of these many accounts, according to the FFIEC guidelines, now requires
some form of two-factor authentication. Physically possessing--and
carrying around for access--a separate key linked to each of these
accounts is a cumbersome and unrealistic responsibility to impose on the
consumer.
Concern for a positive customer experience has led most
organizations to adopt a soft approach, usually employing some degree of
mutual authentication and IP criteria combined. In essence, rather than
distributing a physical token, the banking site places an electronic
version of that key on the user's computer, which in turn becomes
the second factor--aside from the user ID/password combination--needed
to log on. Essentially, the user's computer itself becomes the
"something you have."
The process is seamlessly transparent to the customer. During the
initial online account setup, the computer being used is identified by
way of IP address or some other identifying factor. The online banking
site then sets a unique software token on that particular machine.
Subsequent visits by the same computer are verified, in conjunction with
the user ID/password, by the existence of that token. This is by far the
most unobtrusive way to integrate two-factor authentication. As long as
the same computer is used to access the account, the consumer will
continue to log on unchallenged.
If the consumer uses multiple computers to access his or her
account, subsequent machines must be individually verified. Generally,
upon attempting to access the account from a new computer, the user will
receive an e-mail from the bank at his or her address of record. The
message alerts the consumer to the fact that a new machine is seeking
authentication and access to the account. Once the consumer responds to
that e-mail and answers a user-defined security question, the new
computer is sent its own unique electronic token, similarly linked to
the user's account.
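To make the soft approach concrete, here is an added example (not code from the article or from any vendor it mentions) of the server-side logic it describes: the password is the first factor, an HMAC-signed token placed on the enrolled machine is the second, and an unknown machine is routed to the e-mail plus security-question challenge before it receives its own token. The account store, user name, device ids and security answer are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Server-held signing key for device tokens (generated fresh; constructed example).
SERVER_KEY = secrets.token_bytes(32)

# Constructed account store; SHA-256 stands in for bcrypt/scrypt only to stay short.
ACCOUNTS = {
    "alice": {"pw": hashlib.sha256(b"correct horse").hexdigest(),
              "devices": set(), "answer": "rover"},
}

def _mac(user, device_id):
    return hmac.new(SERVER_KEY, f"{user}:{device_id}".encode(), hashlib.sha256).hexdigest()

def issue_device_token(user, device_id):
    """Mint the 'electronic key' placed on a verified machine: the device id
    bound to the account under the server key, so a token minted for one
    account cannot be replayed against another."""
    ACCOUNTS[user]["devices"].add(device_id)
    return f"{device_id}.{_mac(user, device_id)}"

def device_token_valid(user, token):
    """True only if this server minted the token for this user and the
    device is still enrolled (so the bank can revoke it server-side)."""
    device_id, sep, mac = token.partition(".")
    if not sep:
        return False
    return (hmac.compare_digest(mac, _mac(user, device_id))
            and device_id in ACCOUNTS[user]["devices"])

def login(user, password, device_token=None):
    """First factor: password. Second factor: device token. Returns 'ok',
    'denied', or 'challenge' when a new machine still has to be verified."""
    acct = ACCOUNTS.get(user)
    if acct is None:
        return "denied"
    given = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(given, acct["pw"]):
        return "denied"
    if device_token and device_token_valid(user, device_token):
        return "ok"
    # Password correct but machine unknown: the bank e-mails the address of
    # record and asks the user-defined security question before enrolling it.
    return "challenge"

def enroll_new_device(user, security_answer, device_id):
    """Completes the challenge; a correct answer earns the new machine its own
    token. A proxy relaying a real browser's password and token still passes
    login(), which is the MITM limit the article describes."""
    if not hmac.compare_digest(security_answer, ACCOUNTS[user]["answer"]):
        return None
    return issue_device_token(user, device_id)
```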
Nothing is perfect
When trying to derail the most common phishing and fraud schemes,
employing two-factor authentication is a significant step in the right
direction. But it should be noted that while far more effective than
single-factor authentication, even multi-factor authentication is not an
entirely foolproof method of stopping all attacks.
For example, on its own, two-factor authentication cannot provide
sufficient defense against what are known as "man in the
middle" (MITM) attacks. MITM attacks essentially establish a proxy
server between the customer and the actual banking site (usually by way
of some combination of e-mail phishing and site spoofing) that then
becomes an invisible conduit between the two authenticated parties.
Trojans and other forms of malicious software can be hidden on the
customer's computer, many times installing backdoors to control the
machine, key loggers to capture and transmit privileged information, or
"piggybacking" the user's secure connection to an
institution to enact fraudulent transactions. Such sophisticated attacks
can often bypass, or even subversively engage, two-factor
authentication.
But while two-factor authentication may not alone be capable of
warding off all possible attacks and intrusions, it does go a long way
toward eliminating--or at very least substantially mitigating--the
pervasive threats posed by phishing scams and other attempts at gaining
access to a customer's account. The FFIEC recognized this in
crafting its guidelines, understanding that losses could be greatly
curtailed by eliminating what has become one of the most wide-reaching
risks to online banking security.
Factoring for success
The FFIEC guidelines have been in effect since the end of 2006.
Most organizations bound by the guidelines are already employing some
form of two-factor authentication on their Internet-facing sites. Which
form these implementations take is largely decided by internal risk
assessments, organizational size and, to some degree, market factors.
For those in the process of establishing new online components or
overhauling current online banking sites, the easiest route might be to
employ or partner with a vendor that utilizes a soft approach to
two-factor authentication.
Electronic tokens are unobtrusive, and their distribution and use
are a seamless affair for the end customer. When combined with challenge
questions, e-mail confirmations and traditional ID/password
combinations, electronic tokens deliver a high degree of security, but
with significantly less cost and effort than, for example, distributing
thousands of USB keys and teaching customers how to use them.
Whatever route a company takes in meeting the FFIEC guidelines, it
should be done knowing that the entire industry benefits when individual
firms incorporate two-factor authentication. Reducing the effectiveness
of phishing schemes and protecting access to funds and privileged
information only serves to increase the overall level of trust between
financial services providers and their customers.
Randy Schmidt is president of Data-Vision Inc., Mishawaka, Indiana.
He can be reached at rschmidt@d-vision.com.
COPYRIGHT 2007 Mortgage Bankers Association of America. Reproduced with
permission of the copyright holder. Further reproduction or distribution
is prohibited without permission.