Hidden Costs of FFIEC Conformance
Investing in New Authentication Layers Proves Taxing
From banks and credit unions to industry analysts and vendors, I've gathered a range of perspectives about risk assessments, layered security and authentication. Lately, I've been trying to delve more deeply, to find out exactly what types of technologies and solutions institutions are exploring, and how they're working with vendors to ensure they invest in solutions that ensure conformance and security now and into the future.
I recently caught up with thought-leaders at Symantec and Hitachi, two vendors that provide online security solutions. I asked both about where they saw financial institutions making the greatest investments for FFIEC conformance. Are institutions reviewing biometrics, for instance, and what types of out-of-band methods are they considering?
I took away two interesting points from both conversations: 1) institutions are focusing more on device identification than anything else, and 2) investments in enhanced detection and authentication are costing institutions more than they expected.
Brendon Wilson, senior product marketing manager at Symantec, says banks and credit unions want to invest in solutions that allow them to make more specific identifications for devices used to access online accounts. "Banks are using more IP addresses and starting to understand where these users normally log in from," he says.
And Idan Shoham, chief technology officer for Hitachi, agrees. Geolocation and device fingerprinting, or device ID, are the areas that will take off over the next 12 to 18 months.
"Checking the IP address, checking the cookie on your device - collectively, all of this stuff is like a device fingerprint," Shoham says. "It's a pretty decent authentication practice, too."
Even for mobile transactions, banks can verify the device by confirming the mobile carrier, the IP address and a recognized cell-tower signal.
When it comes to verifying users, that's where dollars are being spent. Enhanced features and technologies that we hear vendors talk about, such as out-of-band authentication that relies on biometrics, aren't a huge focus.
"The focus on biometrics is a bit misplaced," Shoham says. "We see our customers trying to ensure ongoing compliance." And biometric solutions pose challenges.
Cost and accessibility barriers are the primary reasons. "Not all people will be able to use it," he says. "Think about fingerprint biometrics for people with small fingers; they can't use it. And what if you're blind or don't have eyes, then iris doesn't work. What about voice if you're mute? With every biometric, there will be users who are physically unable to enroll, so then you have to figure out how to enroll them in another way."
Rather than deal with multiple options and enrollments for different users, bankers are homing in on device ID. But device ID poses its own issues.
The problem: In order to implement a layered device ID strategy, financial institutions need access to quite a bit of data about their users' behavior. What device do they regularly use? From what IP address? How long do their sessions typically last? Historic data about times when transactions are most often initiated and to whom transactions are most often sent also play critical roles.
But who really has that information at their disposal? Once you get below the top tier of largest institutions, most banks and credit unions simply don't have that kind of deep information readily available.
So, in order to make investments in and implement stronger device ID, many institutions first have to invest in data-mining and warehousing - and that's an expense few anticipated.
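To make concrete why the historical data matters, here is an added example, written for this column and not code from Symantec, Hitachi or any institution. It builds a per-user baseline from the kinds of records described above (usual device, IP range, login hour, session length, frequent payees), scores a new login against that baseline, and returns "insufficient_history" when the institution simply does not hold enough data to judge. The records, the MIN_HISTORY floor and the step-up threshold are all constructed assumptions for illustration.

```python
from collections import Counter
from statistics import mean, pstdev

# Assumed thresholds for this example; a real deployment sets them from its risk assessment.
MIN_HISTORY = 5          # prior events needed before a baseline is trusted
STEP_UP_THRESHOLD = 4    # score at or above this triggers additional authentication

# Constructed login/transaction history for one customer (sample data, not real).
HISTORY = [
    {"device_id": "dev-A", "ip": "203.0.113.10", "hour": 9,  "session_s": 300, "payee": "landlord"},
    {"device_id": "dev-A", "ip": "203.0.113.11", "hour": 10, "session_s": 280, "payee": "landlord"},
    {"device_id": "dev-A", "ip": "203.0.113.12", "hour": 8,  "session_s": 320, "payee": "utility"},
    {"device_id": "dev-B", "ip": "198.51.100.7", "hour": 19, "session_s": 240, "payee": "utility"},
    {"device_id": "dev-A", "ip": "203.0.113.10", "hour": 9,  "session_s": 310, "payee": "landlord"},
    {"device_id": "dev-B", "ip": "198.51.100.9", "hour": 20, "session_s": 260, "payee": "landlord"},
]

# Two constructed events to score: one that looks like the customer, one that does not.
KNOWN_EVENT = {"device_id": "dev-A", "ip": "203.0.113.55", "hour": 9, "session_s": 290, "payee": "landlord"}
ANOMALOUS_EVENT = {"device_id": "dev-Z", "ip": "192.0.2.44", "hour": 3, "session_s": 900, "payee": "new-recipient"}


def ip_prefix(ip):
    """Reduce an IPv4 address to its /24 so ordinary DHCP churn still matches the baseline."""
    return ".".join(ip.split(".")[:3])


def build_baseline(records):
    """Summarise what is normal for one user; None when the bank holds too little history."""
    if len(records) < MIN_HISTORY:
        return None
    sessions = [r["session_s"] for r in records]
    return {
        "devices": Counter(r["device_id"] for r in records),
        "prefixes": Counter(ip_prefix(r["ip"]) for r in records),
        "hours": Counter(r["hour"] for r in records),
        "payees": Counter(r["payee"] for r in records),
        "session_mean": mean(sessions),
        "session_sd": pstdev(sessions),
    }


def near_usual_hour(hour, usual_hours):
    """True if the hour is within one hour (wrapping at midnight) of any hour seen before."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in usual_hours)


def score_event(baseline, event):
    """Additive risk score: each unfamiliar signal adds weight and a human-readable reason."""
    score, reasons = 0, []
    if event["device_id"] not in baseline["devices"]:
        score += 3; reasons.append("unknown_device")
    if ip_prefix(event["ip"]) not in baseline["prefixes"]:
        score += 2; reasons.append("unknown_network")
    if not near_usual_hour(event["hour"], baseline["hours"]):
        score += 1; reasons.append("unusual_hour")
    if event["payee"] not in baseline["payees"]:
        score += 2; reasons.append("new_payee")
    if event["session_s"] > baseline["session_mean"] + 2 * baseline["session_sd"]:
        score += 1; reasons.append("long_session")
    return score, reasons


def decide(records, event):
    """Return (decision, score, reasons). Without enough history no judgement is possible."""
    baseline = build_baseline(records)
    if baseline is None:
        return "insufficient_history", 0, []
    score, reasons = score_event(baseline, event)
    return ("step_up" if score >= STEP_UP_THRESHOLD else "allow"), score, reasons


if __name__ == "__main__":
    print(decide(HISTORY, KNOWN_EVENT))        # ('allow', 0, [])
    print(decide(HISTORY, ANOMALOUS_EVENT))    # ('step_up', 9, [...])
    print(decide(HISTORY[:3], ANOMALOUS_EVENT))  # ('insufficient_history', 0, [])
```

The third call is the point of the section: with only three prior records the function cannot say whether the login is risky at all, which is exactly the position of an institution that buys device ID before it has built the data warehouse to feed it.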
"I think some [institutions] are caught off-guard," Wilson says. "When you have to look at the scale of their user base and at all the channels their users are using, like the PC, mobile or a tablet, it gets overwhelming. When you think of the breadth of the places authentication might be required and the number of users, the banks may not, in all cases, have the information they need to drive some of these solutions."
Before institutions jump on the authentication and identification bandwagons, they first have to think about how they're going to procure that intelligence. If they can't produce that intelligence, then maybe they should scale back their investment, at least for the short term.
After all, not all institutions need the same levels of identification.
"That would have to be part of their risk-assessment strategy," Wilson says. And I agree.
Banking/security leaders need to identify which solutions and technologies make the most sense, and this is where their vendors must lend helping hands. Rather than merely touting solutions, they need to work with their financial institution clients to come up with investment strategies that make sense.
Shoham says it best: "Vendors will hype the market. ... Any kind of analysis in this space has to look at the transaction cost. If you look at the vendors, they carry on as if transaction cost is not a factor, but it is."