CUInfoSecurity.com - Information Security News, Regulations, & Education  


STRONG Authentication


 The Super User: Organizations' Biggest Internal Threat - Podcast Transcript

Analysts at Gartner and IDC identify “super user” access as the root of three of the top eight common sources of compliance risks. But what can you do about it?

Listen to this podcast addressing the following questions:

What is the super user?
What security risks do super user accounts create?
What steps can organizations take to limit super user account threats?

This podcast takes a closer look at super user accounts and discusses what can be done to protect against the threats they pose.



 Consumers Respond Well to Two-Factor Authentication

In spite of doom-and-gloom predictions following the FFIEC’s guidance announcements, financial institutions are able to balance convenience with security

As many U.S. banks and credit unions turn a corner on two-factor authentication deployments precipitated by last year’s Federal Financial Institutions Examination Council (FFIEC) guidance on the matter, they are still finding that they must balance customer satisfaction with customer security.

However, online banking consumers are proving to be far more accepting of strong authentication than industry pessimists predicted—in spite of the fact that most of them are unaware of the new regulation.



 New Card Introduced for Financial Institution Authentication Use

In what is being described as a “wow” product in the growing line of multi-factor authentication products being developed to meet increased regulation for stronger authentication, VeriSign Inc. announced its partnership with Innovative Card Technologies, Inc., the developer of the ICT DisplayCard, to launch credit and debit cards that generate six-digit, one-time-use passwords as a form of online authentication. The new card was unveiled last week.

“What we’re seeing with the growing press coverage and awareness of identity theft, consumers are beginning to ask their financial institutions, or their health care, or any other site or business that holds the consumer’s sensitive data, what is being done to protect that information?” said Fran Rosch, Vice President of authentication solutions at VeriSign, Inc.



 Identity Theft Victims – In Their Own Words

Identity theft can strike anyone. Unfortunately, even CUInfoSecurity.com’s staff have been victims of identity theft. Luckily, both stories have been resolved. Read on to hear first-hand the pain of identity theft, and what lengths victims have to go to in order to resolve the crime and restore their identity. Both staffers’ names have been withheld to prevent further harm. These stories are good examples of why financial institutions must increase customer education on identity theft and continue their vigilance in verifying customer information.

He Was Only Part of Widespread Scam

“Some time after I placed an order with an online printing company (VistaPrint), I began receiving the fraudulent charges to my debit card from a company I had never heard of. I did a Google search on the name of the company as it appeared on my statement, which immediately returned many results pointing to the fact that it was part of a widespread scam. As I did more research I was able to verify that many people all across the country were affected by this scam.



 What's VoIP Got to Do with GLBA Data Privacy

The Gramm-Leach-Bliley Act may not appear to have anything to link it to the Voice over IP technology being implemented in financial institutions, but IT departments and information security officers should look closely at how the new phone systems may be audited under GLBA regulations. GLBA audits would focus more on data privacy, and specifically on Section 501 of Subtitle A, which requires that companies ensure the security and confidentiality of customer records and information. They also need to protect against any anticipated threats or hazards to the security and integrity of these records, and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.



 VoIP Offers Cost Savings But Also Presents Security Risks

Banks are attracted to Voice over Internet protocol (VoIP) as an alternative to traditional telephone networks because of the potential cost savings, including elimination of long distance charges and the need for only one network to manage both voice and data. However, VoIP entails increased data security risks, which must be addressed before implementing a solution.

According to the FDIC, VoIP is susceptible to the same risks as data networks that use the Internet, such as exposure to viruses, worms, Trojans and man-in-the-middle attacks. Configuration weaknesses in VoIP devices and underlying operating systems can enable denial of service attacks, eavesdropping, voice alteration (hijacking) and toll fraud (theft of service), all of which can result in the loss of privacy and integrity.



 Steering a Course Toward Secure Networks

Securing the network against intrusion is more than complying with the Federal Financial Institutions Examination Council’s mandate for strong authentication—although it’s certainly that. It also makes good business sense. Financial institutions that implement information security technology and procedures have a much greater chance of allaying customer fears about identity theft than those that don’t.

Among the first steps that should be taken is installation of an active monitoring device that actively probes the network to see what devices are on the network and what services are being run. Whenever a new device is plugged into the network or something else changes, the network monitoring system alerts the IT department to investigate.



 Multi-Factor Authentication Takes Hold

Are financial institutions implementing the multifactor authentication laid out in the FFIEC Guidance? That was one of the issues discussed at the RSA panel presentation, "37 Days After the FFIEC Guidance Deadline." The panel of banks, credit unions and industry experts talked about what it took to get this far, and what is expected to happen next.

Lee Carter, President of Online Banking at Zions Bank in Centerville, UT, was on the panel, and he voiced optimism about the multifactor authentication guidance. He explained Zions Bank's implementation of its new authentication method: "It was days if not hours after the implementation that we had people [hackers] banging on our front door trying to figure out what we were doing. They were pretty persistent, and put up phishing sites to try to figure it out; we got those taken down, and they have since stopped."



 Biometrics - Voice Verification Overview

Voice verification is a form of biometrics that involves using voice prints and recognition of the user's phone, a combination known as a voice token. It is regarded as a next-generation authentication technology.

The more-advanced voice recognition systems record and store combinations of sounds and notes. For example, a user records his name or a snippet of a song at the time of enrollment. In subsequent transactions, the user replays the recording using a special hardware token to authenticate. In the event that a user's biometric credential is compromised, the system enables re-enrollment using a new voice template.



 As Deadline Passes, Some Financial Institutions Going Beyond Compliance Guidelines

With the deadline passed for compliance with the Federal Financial Institutions Examination Council (FFIEC) guidelines, financial institutions are seeking cost-effective strategies that meet or exceed regulatory and customer expectations.

According to the FFIEC, any system that permits the movement of funds to other parties or access to customer information is deemed high-risk, necessitating stronger authentication or additional controls. At a minimum, this means two-factor or layered single-factor authentication. In two-factor authentication, the user presents both something he knows, such as a password or PIN, and something he owns, such as a PC, phone, or one-time password. In layered single-factor authentication, the user presents two of the same factors (e.g., two separate passwords). This is as far as most financial institutions go in authenticating customers.



 The Twelve Days of Secure Banking

Wish List from Financial Institutions to Our Customers

As the weather outside gets colder and the year draws to an end, we're thinking of what would be some of the things we'd like to give and receive as gifts during the holidays. While your personal list may be longer than this, here's the 12 things we wish all of our customers and employees would do - loosely based on "The Twelve Days of Christmas". Hum along if you don't sing.



 Financial Institutions Starting to Adopt Authentication Technology As Deadline Nears

With the December deadline approaching for implementing better authentication for online banking systems, financial institutions are hard-pressed to come up with technology solutions that will satisfy regulators. It's going to be a race to the finish line to meet the deadline set by the Federal Financial Institutions Examination Council (FFIEC).

As of July, only 16% of financial institutions had implemented authentication technology capable of meeting FFIEC requirements, according to a survey by Roth Capital Partners. In the same survey, only 5% said they intended to use hardware tokens to meet the FFIEC requirements; hardware tokens, which are devices that plug into a computer's USB port, are a form of multifactor authentication, which is based on something the user knows, such as a password, and something he has (the token).



 Initial Commentary on the FFIEC Internet Banking Guidance FAQs

The FAQs published by the FFIEC on August 15, 2006, are an attempt by the FFIEC to answer questions asked of it about its guidelines on Internet Banking Authentication, published October 12, 2005. The 2005 guidelines were an outgrowth of a previous guidance document issued in 2001.

As with all federal-level guidance publications, as well as federal-level legislation, it is not expedient to recommend specific technologies to solve the problem, whatever that problem is. The problem before the Internet banking industry is one of weak authentication. The problem can be solved in a number of ways with a number of technologies; one way is not necessarily recognized to be better than another. Technology changes and morphs, seemingly at the speed of light, leaving the solutions of 2001 pre-empted by the solutions of 2006.



 Trouble In Authentication Land

Bank fraud and identity theft are a frightening reality, both for the banker and the consumer. The number of consumers affected by widespread debit card fraud may, however, be a good thing in one respect: the impact on people's accounts may have increased acceptance of "disruptive technologies", i.e., hardware tokens. This may be the perfect storm for financial institutions. You have the customer's permission to tell them what to do.

While the pressure mounts to meet the FFIEC deadline, we see significant movement by the major financial institutions. Bank of America, after a delay of several months, has rolled out a security solution which is now mandatory for BofA online banking customers. A major security vendor now offers hardware tokens combined with tokenless "risk-based" authentication, a good match.



 Reducing Online Banking Fraud with Stronger Authentication Methods

Account fraud is frequently the result of exploiting single-factor (e.g., ID/password) authentication. As a result, the FFIEC is now urging financial institutions to deploy multi-factor authentication and to assess the adequacy of their authentication techniques in light of new or changing risks such as phishing, pharming, malware, and the evolving sophistication of compromise techniques. The guidelines are definitely a step in the right direction. However, guidelines are just guidelines, and an institution's goal should be secure online banking. Consider this: the appendix to the FFIEC guidelines lists one-time password scratch cards as a means of stronger authentication. However, phishers have already successfully attacked a financial institution that uses that system, forcing a 12-hour shutdown of its online bank.



 Stanford CU On Board With Strong Authentication

Andrew Miller - CUInfoSecurity.com Editor

In October, the Federal Financial Institutions Examination Council (FFIEC) issued guidance for authentication in the Internet banking environment.

Financial institutions are expected to achieve compliance by year-end 2006. The guidance states: "The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties."



 Impact of Information Security Trends on Financial Institutions, Part 3

Omar Herrera

If we analyze the impact of certain types of security incidents (e.g. system intrusion, fraud, denial of service, leak of confidential information) on several types of industries, we will see that the impact is higher on financial institutions than on any other type of organization.

If you study the security issues surrounding information technology dependency, you will see that this is one b



 Security solutions for e-banking and e-commerce with credit/debit cards, Part 1: Analyzing the Security Issues

Omar A. Herrera Reyna – CISA, CISSP
(omar.herrera@oissg.org)
November 2005

Introduction
With all sorts of attacks against e-banking and e-commerce systems targeting primarily customers, securing transactions has become increasingly difficult for financial institutions and online stores.

There is widespread use of credit and debit cards for shopping online. However, their use for e-banking (e.g. payments, money tra



 Security solutions for e-banking and e-commerce with credit/debit cards, Part 2: The best solution (in terms of security)

Omar A. Herrera Reyna – CISA, CISSP
(omar.herrera@oissg.org)
November 2005

(If you missed Security solutions for e-banking and e-commerce with credit/debit cards, Part 1: Analyzing the Security Issues, click here)

While there are some good solutions available from a security perspective, I believe that we already have the required technology to make financial transactio



 Using Secret Questions

To help verify a user's identity in the case of a lost password, many Web applications use secret questions. By answering a pre-selected question, a user can demonstrate some personal knowledge of the account owner. A classic example is asking the user to provide a mother's maiden name.

Answering secret questions requires some knowledge of the user account, but secret questions break all the rules for strong passwords and have some significant weaknesses:

- An attacker can somet

Copyright © 2007 CUInfoSecurity.com