Stanford CU On Board With Strong Authentication
Andrew Miller - CUInfoSecurity.com Editor
In October, the Federal Financial Institutions Examination Council (FFIEC) issued guidance for authentication in the Internet banking environment.
Financial institutions are expected to achieve compliance by year-end 2006. The guidance states: "The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation.
Stanford Federal Credit Union (SFCU), Palo Alto, Calif., has moved ahead of the curve among financial institutions implementing strong authentication. The $650 million asset institution spends $200,000 a yearâ€”one third of its total IT budget--on network security, including firewalls, routers, proxy servers, etc.
Earlier this year, it implemented a dual factor authentication system from PassMark Security, designed to protect its 40,000 customers from online fraud and identity theft.
The credit union concluded that conventional authentication systems relying on passwords were inadequate in a world rife with phishing scams and identity theft. The institution experimented with longer passwords (six to nine characters), and requiring frequent password changes, but got pushback from customers. "Customers don't like having to change passwords," says Sam Tuohey, Stanford CU's chief technology officer.
So SFCU decided to move beyond passwords to ensure the safety of transactions and the privacy of its customers. It chose Passmark's Two-Factor Two-Way Authentication system, largely on the strength of its ease of implementation.
It was also buoyed by research indicating that consumers are demanding that their financial institutions provide strong authentication. According to Forrester Research, 83% of online banking customers would use two-factor authentication and 74% would consider it an important factor in choosing a provider.
Passmark achieves strong two-factor authentication by securely identifying the financial institution customer's computer as the second factor to the customers standard internet banking log-on information. The computer is then marked with a unique global ID. It achieves two-way authentication with a visual "passmark"â€”a small image, such as an animal, and a phrase that's unique to each customer. When customers see the passmark, they know it's the legitimate Stanford Web site and it's safe to enter their password.
The first time a user logs in, a challenge question is presented, such as the maiden name of the user's mother or the user's pet's name. Once the challenge question has been answered, the system records the user's computer identifying information, such as IP address, operating system, and browser.
Thereafter, the user is not asked the challenge question as long as he or she logs in from the same computer. If a different computer is used, however, the challenge question is asked again. Therefore, even if a hacker were to obtain the secret image through a phishing or fraudulent site, the information would be useless because the user's computer would fail to acknowledge the hacker's site as authentic.
The system was tested with 100 employees, and then was turned on for all customers on Jan. 28. Customer acceptance was high: In February, customers performed 34% more sessions than in the year-earlier period. Since then, the average number of online sessions per month has risen by 15% over the previous year. Tuohey attributes the increase to confidence the Passmark system has instilled for performing online transactions, as well as its ease of use: the system is configured to work with multiple operating systems (Windows, Linux, Macintosh, etc.) and browsers (Internet Explorer, Mozilla).
Sure enough, within a week after the system went live, Stanford was hit with a phishing attack; no accounts were compromised as a result of the attack, says Tuohey. A second phishing attack on July 31, in which attackers sought to obtain ATM PINs, was also repulsed. For those reasons, Tuohey declines to put a price tag on the value of the system.
"I don't measure return on investment from security," he says. The system has given Stanford a leg up on its competitors, all of whom are under the gun to have similar technology in place by the end of 2006.
Andrew Miller is a freelance writer specializing in financial services and information technology. He holds an MBA from Columbia University and a Master's in computer science from Rensselaer Polytechnic Institute. He has held jobs at CMP Media, MetLife, and Gartner.