Cybercrime: FFIEC Plans To Boost Online Transaction Authentication Guidelines for US Banks

We picked this news item up from the SANS Newsbites Newsletter, Volume XIII, Issue 8, dated January 25, 2011, entitled “U.S. Banks to Get Updated Online Authentication Guidelines.” Basically, this story reports that the Federal Financial Institutions Examination Council (FFIEC, a self-professed “compliance resource” for the financial services industry that develops standards for federal audits of financial institutions by groups such as the Federal Reserve or the FDIC) plans to issue new online transaction authentication guidelines for banks.

These new, soon-to-be-published guidelines will clarify existing recommendations. The previous version of these guidelines required banks to use two-factor authentication, but permitted those institutions to choose their own authentication methods. Unfortunately, this latitude meant that some institutions chose measures that did little if anything to improve security. It’s well understood, for example, that two account-and-password pairs are nearly equal in strength and protection to a single such pair, because there’s basically no improvement in security if both factors in a two-factor scheme are of the same type (two things the user knows). Many banks, in fact, decided to implement relatively ineffective second authentication factors, such as cookies or simple challenge-response sequences, all of which succumb easily to phishing attacks that involve access to targeted machines and harvesting of their contents. To attempt to remedy this situation, which has permitted numerous, and in some cases costly, exploits to occur, the updated guidelines will spell out exactly what kinds of steps banks must take to improve their authentication security and protection, and what kinds of authentication methods must be used.

As we’ve reported here on this site (with lots of pointers to other sources for the same kinds of information), SANS Newsbites also observes that “Cyber theft through online transactions has been on the rise over the last few years; the criminals have been targeting small and medium-sized businesses. Thefts have also drawn attention to the need to implement transaction monitoring controls and fraud alert alarms.” No kidding! We think all of these things represent good ways to improve the currently deplorable controls over account access and activity at many banks that offer online access and services to their customers.

We’d also like to observe that a security token device (such as the RSA SecurID, or even the MyPW device) would make a small, affordable, and easy-to-manage added access control for accounts. It would require thieves not only to gain access to account and password information (which has proven all too easy to steal by infecting target machines with keyloggers and Trojans) but also to gain possession of the necessary security token and its PIN, so as to be able to provide the second factor’s worth of authentication before accessing accounts, transferring funds, or doing anything else. In the same vein, even an el-cheapo USB-attached fingerprint scanner (like the Eikon To Go USB Fingerprint Reader, $34) would force thieves to obtain that equipment and a close enough facsimile of the account holder’s fingerprint to fool the reader before they could access the account.
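To make the “something you know plus something you have” point concrete, here is an added example (not code from the original post, and not KnowBe4’s or RSA’s code) of how a bank-side server would verify a PIN together with a one-time code from a hardware token. It assumes a standards-based token (HOTP per RFC 4226 and TOTP per RFC 6238) rather than SecurID’s proprietary algorithm; the seed `DEMO_SECRET` is the RFC 4226 test-vector seed, and the PIN `"4711"` and the timestamp are constructed values. The verifier also refuses to accept a code twice, which is what defeats a keylogger that captured a code the user already typed.

```python
import hmac
import hashlib
import struct
import time

# Constructed demo seed: the RFC 4226 test-vector secret, not a real token key.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time // step), digits)


class SecondFactorVerifier:
    """Server-side check of a knowledge factor (PIN) plus a possession factor (token code)."""

    def __init__(self, secret: bytes, pin: str, step: int = 30, window: int = 1):
        self._secret = secret
        self._pin = pin
        self._step = step
        self._window = window      # tolerate +/- this many time steps of clock drift
        self._last_counter = -1    # highest counter already consumed (replay guard)

    def verify(self, pin: str, code: str, unix_time: float = None) -> bool:
        if unix_time is None:
            unix_time = time.time()
        # Constant-time comparisons so response timing does not reveal which factor failed.
        pin_ok = hmac.compare_digest(pin.encode(), self._pin.encode())
        current = int(unix_time // self._step)
        matched = None
        for delta in range(-self._window, self._window + 1):
            counter = current + delta
            if hmac.compare_digest(hotp(self._secret, counter), code):
                matched = counter
                break
        # Both factors must check out, and a code is good for one login only:
        # a captured code replayed later (or a second time) is rejected.
        if not pin_ok or matched is None or matched <= self._last_counter:
            return False
        self._last_counter = matched
        return True


if __name__ == "__main__":
    verifier = SecondFactorVerifier(DEMO_SECRET, pin="4711")
    now = 1_300_000_000                     # constructed timestamp
    code = totp(DEMO_SECRET, now)           # what the token would display
    print(verifier.verify("4711", code, now))   # True: correct PIN and fresh code
    print(verifier.verify("4711", code, now))   # False: same code replayed
```

The PIN and the token code are checked independently, but a login succeeds only when both pass, and the counter bookkeeping means that stealing one displayed code buys an attacker nothing once the legitimate user has logged in with it. A real deployment would additionally rate-limit attempts and persist `_last_counter` per account rather than keeping it in memory.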

Anything like this would raise the bar sufficiently to deter all but the most determined thieves, and would make it difficult or impossible for the well-organized phishing operations in countries like Romania, Bulgaria, Belarus, and so forth, to perpetrate the kinds of digital bank theft they now achieve with impunity. There’s an old hunting joke that resonates nicely with the kinds of protection a proper multi-factor authentication scheme can support. It goes like this: “Two deer hunters are out in the woods tracking their favorite game, when they suddenly stumble across an angry black bear. The bear starts after them, and one hunter throws down his gun, his pack, and strips off his jacket. The other hunter says, ‘Bob! What are you doing? You can’t outrun a bear!’ Bob says, ‘I know, but that’s OK: I only need to outrun YOU!’” The moral of the story is, of course, that by getting (or staying) away from trouble, trouble is less likely to occur. By raising the bar on transaction security to require banks to use multiple factors of different kinds, the FFIEC won’t get rid of these cyber thieves, but they can (and very likely will) force them to go after other game that’s easier to catch.

For more information on this story, and the FFIEC guidelines, see this 1/25/2011 ComputerWorld story “Banks may soon require new online authentication steps.”
