Using Cell Phones to Optimize FFIEC Compliance

Apr 24, 2007

By Joseph Salesky, CEO, ClairMail

Late last year, the Federal Financial Institutions Examination Council (FFIEC), an interagency governmental body empowered to prescribe standards for the federal examination of financial institutions, announced stricter rules for verifying customers’ identities during online banking transactions. The new guidelines, outlined in the document “Authentication in an Internet Banking Environment,” mandated that by Jan. 1, 2007, U.S. banks must have a plan to implement two or more factors of identity authentication in Internet banking and all forms of electronic banking activities.

Yet, according to recent research from Gartner, only two-thirds of banks hit the deadline, and many that did comply are still looking for ways to fine-tune their solutions.

The overall objective of the regulations is straightforward: to keep customer transactions secure and to restore consumer confidence in the online banking channel. As many banks scrambled to meet the compliance guidelines in time and others missed the deadline completely, today very few have determined and implemented optimum solutions that comprehensively address security, implementation cost and customer convenience issues.

Two-Factor Authentication: What Does It Really Mean?

Simply defined, two-factor authentication requires two independent factors to establish identity and privileges. A factor can be something you have (an ATM card, a token or a smart card), something you know (a password, a security question or a PIN), or something you are (a biometric such as a fingerprint or a handwriting sample). Every time customers use their ATM cards to withdraw cash, they are using a form of two-factor authentication: the card is something they have, and the PIN is something they know.

Smart Cards and Tokens: Quick Fixes Come With a Price

Some organizations considered smart cards (microprocessor cards of credit card dimensions capable of providing security services when used in conjunction with a reader attached to a customer’s computer) or traditional authentication tokens (small hardware devices that allow users to authenticate themselves to the server using one-time passwords, or OTPs) as potential solutions for the two-factor requirement. While these alternatives meet the requirements set forth by the FFIEC, they also have severe drawbacks. They are all costly both to implement and maintain. For example, the average token costs approximately $41, not including back-end software and server expenses. Factoring in the costs for issuance, replacement and support, the total price tag for token implementations can typically range from $110 to $150 per seat per year for a period of five years. Moreover, these solutions are often extremely cumbersome for customers, who are required to carry additional cards or tokens.

Another serious security issue is that tokens, smart cards and other traditional authentication methods are vulnerable to “man-in-the-middle” attacks, in which phishers insert themselves between the customer and the bank, transparently relay OTPs and other validation information to the real site, and then retain the authenticated session after the customer has logged out. Additionally, even when tokens or cards are combined with other measures to reduce the potential for fraudulent online use of customer accounts, they still do nothing to address credit card or check fraud. In essence, they add locks to the doors but don’t prevent crooks from entering through the window.

Ounce of Prevention Versus a Pound of Cure

The bigger issue is that traditional authentication methods are focused on preventing unauthorized access to an online banking application, rather than eliminating fraud.

Security expert Bruce Schneier has long argued that “identity theft solutions focus much too much on authenticating the person. Whether it’s two-factor authentication, ID cards, biometrics or whatever, there’s a widespread myth that authenticating the person is the way to prevent these crimes. But once you understand that the problem is fraudulent transactions, you quickly realize that authenticating the person isn’t the way to proceed.”

So what’s a bank to do? It’s a fine line, as the solution to preventing fraud must not be so inconvenient as to drive customers away from online or offline banking, nor be so expensive as to make it impractical.

Enter the Cell Phone: Is the Solution Just a Text Message Away?

With more than 233 million mobile U.S. subscribers—an astounding 78 percent penetration rate—mobile phones are more pervasive than the Internet and readily available at any time. Moreover, according to CTIA, a wireless industry association, Americans sent 64.8 billion text messages in the first half of 2006, nearly double the number sent in the same period in 2005.

Mobile phones are not only ideal for authenticating online banking sessions—thereby solving the two-factor authentication quandary faced by financial institutions—but they can also validate all other at-risk transactions. How? By using the mobile phone’s text-messaging functionality that customers are already familiar with and frequently using.

For instance, mobile phones can be used for online banking session verification. A customer logs on as usual with her user name and password (the first factor); at log-on, a time-expiring, one-time password is automatically sent to the customer’s mobile phone (the second factor), and the customer enters the OTP while online to validate the session. This approach is far more cost-effective than investing in tokens or smart cards, and when combined with other online security approaches, it can preserve convenience while providing enhanced session security.

Furthermore, mobile phones’ out-of-band confirmation and multiple factors of authentication—even down to the individual transaction level—make this solution impenetrable to man-in-the-middle attacks. Mobile phones can enable online and offline transactions to be completed with the highest level of security, making them a critical component of any fraud-elimination strategy.

For example, the creation of a new bill-pay payee or an unusual transfer, payment, credit card or check transaction would cause an “actionable” alert to be sent to the customer’s mobile phone. The customer would then send a text reply to approve or deny the transaction, or to request additional information. This allows customers to actively participate with decisioning systems to frictionlessly validate transactions, dispute illegitimate transactions, deny subsequent transactions and hold selected transactions until receipt of the customer’s approval.
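The server-side logic behind both flows described above (the time-expiring OTP entered online at log-on, and the actionable alert the customer answers by text) can be sketched as follows. This is an added illustration, not ClairMail’s product or any bank’s code; the 120-second lifetime, the three-attempt lock and the alert wording are assumptions. The detail worth noting is that the code is bound to a context (a login or a specific transaction), so a code the customer typed for one purpose cannot be replayed by a relaying party to validate something else.

```python
import hmac
import secrets

OTP_TTL_SECONDS = 120   # assumed lifetime of a time-expiring code
MAX_ATTEMPTS = 3        # lock a challenge after this many wrong guesses


class Challenge:
    """One out-of-band challenge: a single-use code sent by SMS, bound to a context."""

    def __init__(self, context: str, now: float) -> None:
        # Six-digit code from a CSPRNG; never derive it from predictable data.
        self.code = f"{secrets.randbelow(10**6):06d}"
        self.context = context      # what is being approved: a login or one transaction
        self.issued_at = now
        self.attempts = 0
        self.used = False


def verify(ch: Challenge, context: str, submitted: str, now: float) -> str:
    """Check a code entered online. Returns 'ok', 'used', 'locked', 'expired' or 'mismatch'."""
    if ch.used:
        return "used"
    if ch.attempts >= MAX_ATTEMPTS:
        return "locked"
    if now - ch.issued_at > OTP_TTL_SECONDS:
        return "expired"
    ch.attempts += 1
    # Compare code and context in constant time: a code issued for "transfer $950 to ACME"
    # must not validate a different transaction submitted in the same session.
    if hmac.compare_digest(ch.code, submitted) and hmac.compare_digest(ch.context, context):
        ch.used = True
        return "ok"
    return "mismatch"


def alert_text(ch: Challenge) -> str:
    """Wording of the actionable alert sent to the customer's phone (constructed)."""
    return (f"{ch.context}. Reply {ch.code} to APPROVE or DENY to decline. "
            f"Code expires in {OTP_TTL_SECONDS // 60} min.")


def handle_reply(ch: Challenge, reply: str, now: float) -> str:
    """Process the customer's SMS reply: 'approved', 'denied' or a verify() failure."""
    text = reply.strip()
    if text.upper() == "DENY":
        ch.used = True              # retire the challenge so the code cannot be used later
        return "denied"
    result = verify(ch, ch.context, text, now)
    return "approved" if result == "ok" else result
```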

Today, banks are forced to call the customer or stop a credit card when transactions are in question. By utilizing the mobile phone, the cost and inconvenience of this customer interaction are dramatically reduced.

The mobile phone can also be utilized to provide bank customers with secure, on-demand mobile access to account information, facilitate a variety of transactions and deliver no-hold access to customer service. These features greatly benefit customers and facilitate fraud prevention by enabling customers to easily review their transactions and actively participate in the fraud-prevention process whenever necessary.

According to research firm IDC, “the mobile phone—as the identifier and authenticator—is a channel that customers can trust is delivering personal information in a private and secure manner and one that could be a strong case for fob replacements. [It] has greater promise for delivering the necessary functionality combined with ease of use and is a better and more cost-effective solution than tokens or other authentication devices.”

Financial institutions seeking a long-term, cost-effective solution that provides strong authentication and transaction verification without compromising the convenience of online banking should pick up the phone. The answer to the cost, convenience and security trifecta might be just a text message away.