FFIEC: Second Thoughts on Second Factors

Seven ways in which the new FFIEC strong-authentication standard isn't quite what it appears to be


But how many banks can Corillian, or any other vendor, work with at once? Will the small banks get squeezed, as Rome fears, because vendors cater to their larger customers? And what about the process changes that the technology changes will require: help desk training, token distribution systems and whatever else turns out to be needed?

Even the FFIEC anticipates granting extensions to the deadline, especially to financial institutions on the Gulf Coast hit by Hurricanes Katrina and Rita.

Conventional Wisdom

It should be easy to pick a two-factor solution.

On Second Thought

There's no consensus on the best authentication approach. So good luck with that.

There's no sweeter lead for a salesperson than a government regulation that requires someone to use something that you happen to sell. So CSOs and CISOs should prepare for an onslaught of vendors touting their respective authentication methods as superior.

The FFIEC, while outlining several possible second factors of authentication, has deliberately steered clear of endorsing a particular method. This creates an unnerving situation for security executives. They've been thrown into a high-stakes game: choosing technology that adds security without spooking customers. Anything too intrusive or complicated will annoy users. Anything too expensive and hard to maintain will annoy the CEO. So it's a delicate balance.

Some vendors (Corillian is one) are betting on "passive" methods to satisfy all constituents. Passive authentication captures information about your PC and network connection that is already flowing across the wire, such as your IP address and the location inferred from it. This may appeal to banks because the process remains mostly invisible to customers. But Jon Martin Karl, founder of Iovation, says customers may want more visibility. "We think consumers want banks to show them that they're taking care of them, and they want some level of control over that security."

Still others believe that customers will embrace even more complex second factors, as Europeans have embraced smart cards and tokens. RSA, for example, believes that its decades-old token will gain new life from online banking (it commissioned a survey to prove it). Axalto believes we'll all happily carry smart cards if it means more security.

CSOs and CISOs will be inundated with these and other messages.

Conventional Wisdom

Stronger authentication controls will benefit user privacy.

On Second Thought

Some second-factor approaches could undermine privacy.

To whatever extent two-factor authentication reduces identity theft, it protects consumers' privacy better than password-based banking has.

However, some types of authentication, passive methods for instance, actually capture information about banking customers in order to authenticate them. Passive methods collect data such as geolocation, IP address, machine ID, time of day, user agent string, and browser and operating system version, among other bits.

This data is tied to each individual consumer (it has to be, since that is what the authentication relies on) and, more important, it's stored. Each log-in, in fact, becomes part of a behavior map constructed from previous log-ins. If the "behavior" of the current log-in is aberrant, then the customer may be challenged and the access denied.

From storing log-in behavior for authentication purposes, it's a short hop to analyzing it for direct marketing purposes. Bangerter says UWCU has no plans for sharing the data with marketing, but its privacy policy doesn't forbid it.
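What a passive, behavior-map authentication looks like in practice, as an added example that is not code from the article or from any vendor it names. It scores a new log-in against the attributes stored from earlier log-ins and allows, challenges or denies; the signal fields, the weights, the two thresholds and the sample history are all assumptions chosen for illustration. Note that the Profile object is precisely the retained data the privacy point above is about: it grows with every allowed log-in.

```python
"""Passive (risk-based) authentication: score each log-in against the customer's
stored behaviour map and allow, challenge or deny.

Added example, not code from the article or from any vendor named in it.
The signal fields, weights, thresholds and the sample log-in history are all
assumptions chosen for illustration."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class LoginSignal:
    """What a passive method captures on each log-in, with no user interaction."""
    ip: str
    country: str        # geolocation derived from the IP address
    machine_id: str     # device fingerprint or persistent cookie value
    user_agent: str
    hour: int           # local hour of day, 0-23


@dataclass
class Profile:
    """Per-customer behaviour map. Every allowed log-in is appended, so this
    is exactly the data the privacy discussion is about: it is retained."""
    logins: List[LoginSignal] = field(default_factory=list)


# Assumed weights: how suspicious each never-seen attribute is, plus two cut-offs.
WEIGHTS = {"new_country": 50, "new_machine": 25, "new_ip_prefix": 10,
           "new_user_agent": 10, "odd_hour": 15}
CHALLENGE_AT = 30
DENY_AT = 70


def ip_prefix(ip: str) -> str:
    """Compare on the /24 so a DHCP lease change at home does not look new."""
    return ".".join(ip.split(".")[:3])


def score_login(profile: Profile, current: LoginSignal) -> Tuple[int, List[str]]:
    """Return (risk score, reasons). Attributes never seen for this customer add
    to the score; a log-in that matches the history scores 0."""
    if not profile.logins:
        # No history yet: nothing to compare against, so force a challenge.
        return CHALLENGE_AT, ["no_history"]
    seen_countries = {l.country for l in profile.logins}
    seen_machines = {l.machine_id for l in profile.logins}
    seen_prefixes = {ip_prefix(l.ip) for l in profile.logins}
    seen_agents = {l.user_agent for l in profile.logins}
    seen_hours = {l.hour for l in profile.logins}

    reasons = []
    if current.country not in seen_countries:
        reasons.append("new_country")
    if current.machine_id not in seen_machines:
        reasons.append("new_machine")
    if ip_prefix(current.ip) not in seen_prefixes:
        reasons.append("new_ip_prefix")
    if current.user_agent not in seen_agents:
        reasons.append("new_user_agent")
    # Odd hour: not within two hours (wrapping at midnight) of any earlier log-in.
    if not any(abs(current.hour - h) <= 2 or abs(current.hour - h) >= 22
               for h in seen_hours):
        reasons.append("odd_hour")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(profile: Profile, current: LoginSignal) -> str:
    """Allow, challenge or deny, and grow the behaviour map on an allowed log-in."""
    score, _ = score_login(profile, current)
    if score >= DENY_AT:
        return "deny"
    if score >= CHALLENGE_AT:
        return "challenge"   # e.g. require a one-time code before granting access
    profile.logins.append(current)
    return "allow"


FIREFOX_XP = "Mozilla/5.0 (Windows NT 5.1) Firefox/1.5"


def sample_profile() -> Profile:
    """Constructed history: one customer, home PC, evening log-ins."""
    p = Profile()
    for hour in (19, 20, 21, 19, 22):
        p.logins.append(LoginSignal("203.0.113.17", "US", "mach-a1", FIREFOX_XP, hour))
    return p


if __name__ == "__main__":
    p = sample_profile()
    for s in (LoginSignal("203.0.113.40", "US", "mach-a1", FIREFOX_XP, 20),
              LoginSignal("203.0.113.17", "US", "mach-b2", "Mozilla/5.0 (Macintosh) Safari/412", 20),
              LoginSignal("198.51.100.9", "RO", "mach-zz", "Mozilla/4.0 (compatible; MSIE 6.0)", 4)):
        print(score_login(p, s), decide(p, s))
```

Two things worth noticing. A single changed attribute (a new machine from the usual network) stays under the challenge threshold, so the customer never sees the control working, which is Karl's complaint about visibility. And everything the scorer needs is in Profile.logins, which is why a retention period and a use restriction on that record belong in the privacy policy, not just in the authentication design.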

Conventional Wisdom

Stronger authentication will lead to a net reduction in risk.

On Second Thought

Not exactly. Consider the glorious history of spam.

As security guru Bruce Schneier likes to say, if you start policing a troublesome street corner, crime doesn't really go down, it just moves to another street corner.

A good example of this rule of threat adaptation is spam. Spam started as simple text-based e-mail whose subject field said exactly what the spam was about: pornography, pills, free money, whatever. Early spam filters got wise to this and filtered mail by scanning subject lines for keywords (Viagra, mortgage and so on).

Spam decreased, but only for a moment. Then spammers started using prosaic subject lines ("Hey, check this out") to avoid the filters and people's common sense. Users then started ignoring e-mails that seemed too general, so spammers customized subject lines ("Hey, Scott, check this out"). Then new filters were developed to search the body of the e-mail, not just the subject line, for keywords. This slowed the flow again, briefly. Then spammers started misspelling keywords and substituting numbers, spaces and symbols for letters (for example, "v1ag*ra" or "m0rt gage").

Filters now had to look for an exponentially larger set of keyword variants. Eventually, spammers started using HTML for body copy, thwarting text filters. Filters adapted. Bad guys improved distribution. Good guys passed legislation. Bad guys moved offshore. Good guys started blacklisting IP addresses. Bad guys deployed bots to send spam from legitimate IP addresses.

And so forth. Security professionals should expect nothing different from the deployment of stronger authentication at banks. In the short term it might reduce authentication-based crimes, but that effect attenuates over time.
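The first three rounds of that arms race, as an added example (not code from the article): a subject-line keyword filter, the same filter extended to the body, and a third generation that undoes the obfuscations the text lists before matching. The keyword list and the sample messages are constructed for illustration.

```python
"""Keyword spam filtering and the evasions described above: generic subject
lines, obfuscated keywords ("v1ag*ra", "m0rt gage") and HTML body copy.

Added example, not code from the article. The keyword list and the sample
messages are constructed for illustration."""
import html
import re

KEYWORDS = ("viagra", "mortgage")


def subject_filter(subject: str) -> bool:
    """Generation 1: flag mail whose subject line contains a keyword."""
    s = subject.lower()
    return any(k in s for k in KEYWORDS)


def body_filter(subject: str, body: str) -> bool:
    """Generation 2: scan the body as well, still on literal keywords."""
    text = (subject + " " + body).lower()
    return any(k in text for k in KEYWORDS)


# Common digit/symbol stand-ins for letters; extend as new substitutions appear.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "|": "l"})


def normalize(text: str) -> str:
    """Generation 3: undo the obfuscations before matching. Decode HTML
    entities, strip tags, map stand-in characters back to letters, then drop
    everything that is not a letter so "m0rt gage" collapses to "mortgage"."""
    text = html.unescape(text)
    text = re.sub(r"<[^>]+>", "", text)
    text = text.lower().translate(LEET)
    return re.sub(r"[^a-z]", "", text)


def normalized_filter(subject: str, body: str) -> bool:
    """Generation 3 filter: match keywords against the normalized text."""
    text = normalize(subject + " " + body)
    return any(k in text for k in KEYWORDS)


# Constructed messages, one per step of the arms race described above.
SAMPLES = [
    ("Cheap VIAGRA now!", "click here"),                    # caught by generation 1
    ("Hey, Scott, check this out", "cheap viagra inside"),  # needs generation 2
    ("Hey, check this out", "v1ag*ra at half price"),       # needs generation 3
    ("Re: your loan", "lowest m0rt gage rates"),            # needs generation 3
    ("Hi", "<b>V</b>i&#97;gra <i>sale</i>"),                # HTML: needs generation 3
    ("Hi mom", "see you at dinner on sunday"),              # legitimate
]


def run_all():
    """Verdict of each filter generation for every sample, in SAMPLES order."""
    return [(subject_filter(s), body_filter(s, b), normalized_filter(s, b))
            for s, b in SAMPLES]


if __name__ == "__main__":
    for (s, b), verdicts in zip(SAMPLES, run_all()):
        print(f"{s!r:32} gen1={verdicts[0]!s:5} gen2={verdicts[1]!s:5} gen3={verdicts[2]}")
```

The third generation is already a compromise: collapsing whitespace and symbols means the tail of one innocent word plus the head of the next can spell a keyword, so false positives rise with every added substitution rule. And it does nothing against the later moves in the list (image spam, bots on legitimate addresses), which is the point: each defense buys a round, not a win.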

"The real threat is fraud due to impersonation, and the tactics of impersonation will change in response to the defenses," Schneier wrote last spring. "Two-factor authentication will force criminals to modify their tactics, that's all. In the long term, all it does is move the bad guys to a new tactic."

Therefore, CSOs and CISOs must anticipate where the guidance will force risks to migrate. In the online banking world, the scariest developments have to do with keylogging, rootkits (made famous by the notorious Sony antipiracy scheme), bots and the remarkable sophistication in all of these technical tools.

Looking over the past year's cases of identity theft, one can see another migration taking place. Few of the newsworthy identity thefts, in fact, were authentication exploits. ChoicePoint, for example, was defrauded for lack of background checks on customers. Bank of America physically lost backup tapes of customer data while they were in transit.

In fact, many experts believe the convergence of physical controls with information controls will be the next vulnerability to be widely exploited. Since few organizations have converged their security operations, it's a weakness worth exploiting, and one that will remain exploitable even after the FFIEC guidance on two-factor authentication takes effect.

Copyright © 2006 IDG Communications, Inc.
