FFIEC: Second Thoughts on Second Factors

Last October, a relatively obscure government body called the Federal Financial Institutions Examination Council, or FFIEC, issued what it called guidance but which looks much like a mandate. Starting in January 2007, financial institutions must provide consumers of online financial services with the same security protection enjoyed by customers buying groceries or gas with a debit card: strong authentication.

Strong means two or more types of identity verification in return for access. At the grocery store or gas station, those two factors are usually a piece of plastic and a passcode. Online banking, on the other hand, still primarily works with “weak” single-factor authentication: a password.

The mandate’s prosaic title, “Authentication in an Internet Banking Environment,” belies the spirit of the thing. The guidance is meant to be consequential, to take a McGruffian bite out of online crime. (To learn about online retailers’ anti-fraud efforts, see Choke Point.) And on the surface it appears that forcing banks to add a second factor of authentication could improve the well-documented, rapidly deteriorating state of online security.

But on second thought, maybe not. Scrutinizing the document itself, and the world into which it’s being introduced, creates a more complex and less settled picture. It’s not clear, for example, that a second factor will significantly reduce “modern” risks; we could be preparing for the next war by planning for the last one. It’s also unclear if financial companies can balance the cost of scaling two-factor authentication for the masses versus the benefit of whatever risk reduction it might provide. It’s not even clear what form of second-factor authentication makes sense for banks to use, or if they actually need to adopt a second factor at all under the terms of the mandate.

What’s more, some security experts argue that mandates like this don’t reduce risk, they just move it. The FFIEC guidance is the latest incarnation of a security truism: Threats don’t disappear, they migrate, or else over time they mutate to overcome the defenses deployed against them. Sometimes they do so menacingly, like a bird flu, into another exploitable vulnerabilityappearing rapidly and with dire consequences.

Despite all that, the reaction to the FFIEC guidance so far has been muted, generating little publicity or news coverage and sparking neither praise nor criticism. Few consumer or technology interest groups have commented publicly. Consumers themselvesthe constituency most directly targeted for protection herehardly know that the guidance exists.

Banks, of course, know it existsparticularly security officers and their information security staffs. Most expected something like this; some were planning two-factor authentication initiatives anyway. The only thing that surprised them was the deadline. “It used to be, ‘Banks need to do more, banks need to do more,'” says Eric Bangerter, director of Internet services at the University of Wisconsin Credit Union (UWCU). In this case, however, he says the message was “‘Do it by the end of 2006.’ I thought that kind of firmness [was] new.”

In this article, CSO takes a fresh look at the FFIEC guidance. We examine seven assumptions undergirding it and raise some second thoughts about its origins, what it’s meant to accomplish and how it might fare in the real world, where threats are constantly moving and where as fast as the dike is thumbed it springs new leaks.

Conventional Wisdom

Consumer outrage is driving adoption of two-factor authentication.

On Second Thought

The FFIEC was reacting to market forces, not consumer outrage.

The timing of the FFIEC mandate could lead one to assume that it was in direct response to the recent scads of identity thefts and online financial frauds. But that was only a minor factor, according to Michael Jackson, associate director of the Federal Deposit Insurance Corporation and chairman of the FFIEC IT subcommittee that drafted the two-factor guidance.

Fear that security worries were causing people to abandon Internet banking (or the Internet altogether) did not weigh all that heavily in Jackson’s work. Nor did a prevailing belief that banks had failed to secure their customers. In fact, Jackson believes, banks have done reasonably well securing online transactions, given the available technologythough that is hardly a consensus opinion. But for Jackson, it’s the key. “Mostly this was about changes in technology solutions,” he says. “The industry has matured enough where options are available.” In other words, the FFIEC decided that authentication technology was finally good enough to justify a more forceful approach.

The October 2005 guidance actually updates guidance issued in August 2001a time when online banking was neonatalwhich suggested banks use risk management to gauge what would be needed to make online banking safe. The risk management prescribed in the 2001 guidance is similar to that proposed in the 2005 version.

Two-factor authentication certainly existed in 2001, but it was neither scalable for mass deployment nor acceptable to consumers. Now, Jackson says, both of those criteria can be met. (Part of the technology’s tolerability isn’t a change in technology so much as a change in the consumer mindset to be more willing to trade a little annoyance for better security.)

Bangerter at UWCU says, “We’ve been looking at some form of second-factor authentication since 2002, and it’s taken this long to find the right product.”

That the FFIEC was unmoved by recent spikes in online crime could be viewed as encouraging. Regulation born from the outrage fanned by current events often fails. The architects of the FFIEC guidance, however, divorced themselves from emotion and made sure the change could be absorbed by the marketplace.

Conventional Wisdom

Create an ironclad mandate compelling two-factor authentication.

On Second Thought

There’s wiggle room. Technically, the FFIEC doesn’t explicitly mandate two-factor authentication.

The verbatim FFIEC prescription states, “Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security or other controls reasonably calculated to mitigate those risks.”

That’s enough wiggle room for a conga line.

Here’s why: There are three kinds of authentication factors: something you know (a PIN, a password, your mother’s maiden name, a picture of your dog); something you have (a key fob, a token, a scratch card, a swipe card); and something you are (revealed through a fingerprint, blood vessels in your retina, handwriting, a pattern of behavior).

True two-factor authentication requires the person authenticating to provide two different factors. That is, something you know and something you are, or something you have and something you know, and so forth. Using the same factor twice is not multifactor authentication; it’s layered security. Recently, my cable TV wasn’t working. On the phone I had to provide my name, address, phone number, a PIN and an account number to get support. This is single-factor authenticationsomething I knowfive times over, required to get HBO working.

Though layered security is more robust than single-factor (just a password), it is less secure than multifactor authentication. But layered security would require less investment by banks, possibly lower deployment and maintenance costs, and less consumer training than true two-factor authentication. Many consumers already use layered security without even realizing it. For example, starting a car requires the dongle that unlocks it and the ignition keysomething you have times two.

By adding layered security (and the even more equivocal “or other controls”) as an option, the FFIEC is inviting enterprising security and risk managers to come up with something other than two-factor authentication that is demonstrably good enough. Some observers suggest that added security measures wouldn’t necessarily have to be authentication-based to pass muster with the FFIEC, so long as risks are shown to be reduced.

Still, two-factor authentication might prevail. Why? Because the effort to parse transactions into those whose risk levels do and do not call for two-factor authentication may be more work than it’s worth if even a small number are risky enough to require it anyway.

Furthermore, two-factor authentication is an obvious marketing opportunity. Says Tom Robertson, senior vice president and manager of IT at Charter Bank in Bellevue, Wash., “Surveys say people trust banks most with their information. Any smart bank won’t skimp on that reputation.”

As long as it’s not too inconvenient for the consumer, or too expensive for the bank, two-factor authentication will wineven if one-factor would demonstrably reduce the risk just fine.

Conventional Wisdom

Force online banking to adopt an unfamiliar new technology.

On Second Thought

Banks already know how to do two-factor authentication, they just don’t know how to scale it for the masses.

When a bank customer wants to move, say, a million dollars, banks already use two or more factors to execute the transaction. In such cases, two-factor’s expense is easily justified, and customers are hardly annoyed at having to do a little more to keep all that money safe.

One way to look at the FFIEC guidance is as something that simply pushes down the definition of what’s risky so that it applies to many more transactions. Or, put more optimistically, it helps a market grow by creating consumer confidence where too little existed before.

For example, allowing customers to change their own addresses online is ill-advised under single-factor authentication. With stronger authentication, UWCU’s Bangerter says he can offer real-time change-of-address types of services online. “There have been some things we’ve wanted to do online but weren’t comfortable with. Now we can start doing some damage”meaning marketing damage, by attracting new customers”with new applications online because we feel it’s safer.”

It won’t be free for the banks, though. It was easy to cost-justify two-factor authentication for large transactions because banks do relatively few of them. Now, tens of millions of transactions will require those same, more complicated controls, and no one is sure how to scale up to a mass-market level.

For example, say a bank decides on a smart card as a second factor of authentication. How much do the cardsand the devices to read themcost? How much to train consumers to use them? What about replacing lost, stolen or damaged cards? The question for banks is can they find a second authentication method whose costsfinancial and otherwisecan be justified against the risk reduction achieved?

Conventional Wisdom

The end of 2006 is a reasonable compliance deadline.

On Second Thought

Actually, December 2006 is cutting it a little close.

Bangerter thinks UWCU will meet the FFIEC deadline, but that’s partly because he started planning for two-factor authentication three years ago. On the other hand, Gerald Rome, director of IT at First American Bank & Trust in Vacherie, La., started planning a few months ago. He believes meeting the deadline will be a challenge, especially for community banks.

Since the FFIEC endorses no single approach to two-factor authentication, a bank that hadn’t planned for it must evaluate several kinds of technology, choose the one it thinks is best (or the one it thinks consumers will accept), test it, deploy it, market it, train consumers on it and then maintain it. All in a year.

“This [effort] is really burdensome to community banks,” says Rome. “To compete we have to give away Internet banking for free, and online bill-paying for free. You can’t add this and keep doing everything for free.”

Add to this the fact that vendors of two-factor authentication technology are relatively small with a relatively huge market to serve. Two of the larger vendors are Axalto, a smart-card company with about a billion dollars in revenuemost of it from Europe, where smart cards are more accepted than in this country (Axalto’s revenue in the Americas is growing rapidly and expected to surpass $200 million this year); and RSA, a well-established $300 million company that reported shipping 500,000 consumer-related tokens in Q4 of last year. Two others are Corillian and PassMark. PassMark is privately held, funded by VCs and private investors. Corillian is a $50 million company with about 270 employees. Another vendor, FundsXpress, is growing fast but only achieved positive cash flow in 2004.

Can these kinds of companies support the thousands of banks that must comply with the FFIEC guidance by December? Even PassMark’s director of sales isn’t sure. “With regard to the deadline, it will be a challenge, but not insurmountable,” says Steve Klebe, director of sales and business development. Klebe puts the odds at “about 50/50.” On the other hand, Jim Maloney, security chief at Corillian, thinks the deadline can be met. He says that using Corillian’s methods of authentication, which don’t involve tokens or consumer PC upgrades, should take a small bank two to three months to upgrade infrastructure and a large bank four to six months.

But how many banks can Corillian, or any other vendor, work with at once? Will the small banks get squeezed, as Rome fears, because vendors cater to their larger customers? What about process changes needed to support technology changes? Help desk training, token distribution systems and whatever else will be required?

Even the FFIEC anticipates granting extensions to the deadline, especially to financial institutions on the Gulf Coast hit by Hurricanes Katrina and Rita.

Conventional Wisdom

It should be easy to pick a two-factor solution.

On Second Thought

There’s no consensus on the best authentication approach. So good luck with that.

There’s no sweeter lead for a salesperson than a government regulation that requires someone to use something that you happen to sell. So CSOs and CISOs should prepare for an onslaught of vendors touting their respective authentication methods as superior.

The FFIEC, while outlining several possible second factors of authentication, has deliberately steered clear of endorsing a particular method. This creates an unnerving situation for security executives. They’ve been thrown into a high-stakes gameto choose technology that adds security without spooking customers. Anything too intrusive or complicated will annoy users. Anything too expensive and hard to maintain will annoy the CEO. So It’s a delicate balance.

Some vendors (Corillian is one) are betting on “passive” methods to satisfy all constituents. Passive authentication captures information about your PC and network connection (your location and IP address) already flowing across the wire. This may appeal to banks because the process remains mostly invisible to customers. But Jon Martin Karl, founder of Iovation, says customers may want more visibility. “We think consumers want banks to show them that they’re taking care of them, and they want some level of control over that security.”

Still others believe that customers will embrace even more complex second factors, as Europeans have embraced smart cards and tokens. RSA, for example, believes that its decades-old token will gain new life from online banking (it commissioned a survey to prove it). Axalto believes we’ll all happily carry smart cards if it means more security.

CSOs and CISOs will be inundated with these and other messages.

Conventional Wisdom

Stronger authentication controls will benefit user privacy.

On Second Thought

Some second-factor approaches could undermine privacy.

To whatever extent two-factor authentication reduces identity theft, it protects consumers’ privacy better than password-based banking has.

However, some types of authenticationpassive, for instanceactually capture information about banking customers in order to authenticate them. Passive methods collect data such as geolocation, IP address, machine ID, time of day, user agent string, browser and operating system version, among other bits.

This data is unique to each consumerit has to be, since that’s how the authenticating gets doneand, more important, it’s stored. Each log-in, in fact, becomes part of a behavior map constructed from previous log-ins. If the “behavior” of the current log-in is aberrant, then the customer may be challenged and the access denied.

From storing log-in behavior for authentication purposes, it’s a short hop to analyzing it for direct marketing purposes. Bangerter says UWCU has no plans for sharing the data with marketing, but the company’s privacy policy doesn’t forbid it.

Conventional Wisdom

Stronger authentication will lead to a net reduction in risk.

On Second Thought

Not exactly. Consider the glorious history of spam.

As security guru Bruce Schneier likes to say, if you start policing a troublesome street corner, crime doesn’t really go down, it just moves to another street corner.

A good example of this rule of threat adaptation is spam. Spam started as a simple text-based e-mail; its subject field said exactly what the spam was about: pornography, pills, free money, whatever. Early spam filters got wise to this and filtered mail based on the subject lines of e-mails for keywords (Viagra, mortgage and so on).

Spam decreased, but only for a moment. Then spammers started using prosaic subject lines (“Hey, check this out”) to avoid the filters and people’s common sense. Users then started ignoring e-mails that seemed too general, so spammers customized subject lines (“Hey, Scott, check this out”). Then new filters were developed to search the body of the e-mail, not just the subject line, for keywords. This slowed the flow again, briefly. Then spammers started misspelling keywords and substituting numbers, spaces and symbols for letters (for example, “v1ag*ra” or “m0rt gage”).

Filters now had to look for an exponential number of keywords. Eventually, spammers started using HTML for body copy, thwarting text filters. Filters adapted. Bad guys improved distribution. Good guys legislation. Bad guys moved offshore. Good guys started blacklisting IP addresses. Bad guys deployed bots to send spam from legitimate IP addresses.

And so forth. Security professionals should expect nothing different from the deployment of stronger authentication at banks. In the short term it might reduce authentication-based crimes, but that’s an attenuating effect.

“The real threat is fraud due to impersonation, and the tactics of impersonation will change in response to the defenses,” Schneier wrote last spring. “Two-factor authentication will force criminals to modify their tactics, that’s all. In the long term, all it does is move the bad guys to a new tactic.”

Therefore, CSOs and CISOs must anticipate where the guidance will force risks to migrate. In the online banking world, the scariest developments have to do with keylogging, rootkits (made famous by the notorious Sony antipiracy scheme), bots and the remarkable sophistication in all of these technical tools.

Looking over the past year’s cases of identity theft, one can see another migration taking place. Few of the newsworthy identity thefts, in fact, were authentication exploits. ChoicePoint, for example, was defrauded for lack of background checks on customers. Bank of America physically lost backup tapes of customer data while it was in transit.

In fact, many experts believe the convergence of physical controls with information controls will be the next vulnerability to be widely exploited. Since few organizations have converged their security operations, it’s a weakness worth exploiting, and one that will remain exploitable even after the FFIEC guidance on two-factor authentication takes effect.