FFIEC Guidelines: Choices and Costs
By Jerry Skidmore
The exponential growth of online banking has introduced a tremendous challenge: how to reliably and efficiently identify customers online. Today’s most common method is the standard username and password or personal identification number (PIN), issued to any customer who registers.
But with the explosion of account hijacking and identity theft, the Federal Financial Institutions Examination Council (FFIEC) has deemed this inadequate, requiring better identity verification and authentication by 2006.
While these items will consume a portion of next year’s IT budget, bank executives can manage finances by understanding how to best balance the costs with user flexibility and the required security.
TYPES OF IDENTITY FRAUD
Identity theft is the fastest growing crime in the country, according to the Federal Trade Commission (FTC). Illegal access to bank account and personal information, such as a mother’s maiden name or driver’s license or Social Security number, is a thriving underground “business” that enables thieves to conduct two kinds of identity theft:
• New account fraud: the thief uses stolen information to pose as the victim and create multiple new accounts in the owner’s name. Fraudsters typically use a different billing address, keeping victims from discovering this fraud for months or even years.
• Account takeover: also called account hijacking, this occurs when a thief acquires account information and makes purchases or transfers disguised as the legitimate account holder.
WHAT THE GUIDELINES SAY
The verification guidelines recommend banks confirm customers’ identities at account origination, “important in reducing the risk of identity theft, fraudulent account applications and unenforceable account agreements or transactions.” Fraud at the account creation level across the financial services industry cost $15.7 billion last year – a sizeable chunk of the $53 billion lost in 2004, according to Javelin Strategy and Research.
The more costly recommendations come with authentication, which is defined by the following “factors,” according to FFIEC:
• “Something the user knows (e.g. password, PIN);
• Something the user has (e.g. ATM card, smart card, phone); and
• Something the user is (e.g. biometric characteristic, such as a fingerprint).”
Next year’s guidelines direct banks to incorporate two-factor authentication, since such methods “are more difficult to compromise than single-factor methods,” according to the government group. ATM transactions are the everyday example: they combine something the user has (the ATM card) with something the user knows (the PIN).
COMPLIANCE: CHOICES AND COSTS
Protecting a customer’s identity requires an end-to-end approach that provides total assurance across the entire life cycle of a trusted relationship. While separate studies – and FFIEC – discuss the technology options, few banks have been told the costs. FFIEC does not mandate a certain solution, leaving banks to determine how to afford the technology that’s best for their customers.
Identity verification has a high return on investment. Validating a customer’s true identity with questions beyond the mother’s maiden name or what can be found on a credit report costs as little as $1.50 per user. This service is only offered by a few vendors; banks should consider ease of implementation, user-friendliness and depth of questions as determining factors.
Identity authentication, on the other hand, has a host of two-factor options, sold by more than a dozen vendors. Price points vary based on many variables (such as the number of users), but still, banks should know the baseline expenses to gain compliance:
• One-time-password (OTP) tokens display a fresh code at the push of a button. The code is not random: the token and the bank’s authentication server share a secret and a counter (or clock), so the server can compute the code it expects and stay in sync with the device. Pricing has been at a premium to date, but costs are dropping as vendors move to commodity pricing. Tokens remain expensive to deploy, manage and replace: the unit cost ranges between $10 and $50 at quantities of 100,000 users.
• Smart cards, credit-card-sized devices with a built-in microprocessor, authenticate users much as an ATM card does: with a reader and a PIN or password. Because the secret stays on the chip rather than on the customer’s PC, the method is hard to compromise remotely, but it is expensive to manage, since every user must have a smart card reader. Cards range from $8 to $20 each at quantities of 100,000 customers, not including the reader cost and installation.
• Out-of-band authentication uses a device the customer already owns, typically a mobile phone, to carry the second factor over a channel separate from the web session. For example, when a customer logs into an account, his cell phone rings and he enters his PIN on the phone keypad, so the PIN never passes through the computer where a keylogger might capture it. This gives the highest level of user flexibility because customers use a device they already have; its protection rests on the phone channel staying independent of a compromised PC and on the bank holding a verified phone number for the customer. The costs range from $3-$5 per user annually at a quantity of 100,000 users.
• Biometric technology is based on a user’s physical trait, such as fingerprint or iris readers. Though it has been around for many years, its application has mostly been limited to government and other high-security environments where security needs supersede cost and convenience. Implementation requires biometric reading devices to be installed on the user’s computer, which cost significantly more than other authentication technologies: $39-$129 per user for quantities of 100,000. Also, biometric devices are more difficult to implement, install and maintain in large deployments.
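To make the token/server “sync” behind OTP tokens concrete, here is an added example (not code from the article, nor from any vendor it mentions) that implements the event-based one-time-password algorithm of RFC 4226: HMAC-SHA1 over a counter with dynamic truncation. The token increments its counter on every button press; the server, holding the same secret, accepts a code only if it matches one of the next few counter values (a look-ahead window, assumed here to be 5), then moves its own counter past the match so the code cannot be replayed. The secret is the RFC 4226 test secret and the six-digit length is an assumption; both are constructed for the demonstration.

```python
"""HOTP token and server-side verifier with a resynchronisation window.

Added example, not the article's or any vendor's code. Implements
RFC 4226 (HMAC-SHA1, dynamic truncation). The secret, the six-digit
code length and the window size of 5 are assumptions for the demo.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Return the HOTP code for `counter` (RFC 4226, section 5.3)."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """A hardware token: one button press yields one code and bumps the counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class AuthServer:
    """Server-side verifier with a look-ahead window (RFC 4226, section 7.4)."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0          # next counter value the server expects
        self.window = window      # how far ahead the token may have drifted

    def verify(self, code: str) -> bool:
        for i in range(self.window):
            candidate = self.counter + i
            # constant-time compare so timing does not leak partial matches
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1   # resync; this code is now spent
                return True
        return False                           # no match inside the window


def demo() -> dict:
    """Skipped presses are tolerated, replays and far drift are rejected."""
    secret = b"12345678901234567890"   # RFC 4226 test secret (constructed seed)
    token, server = Token(secret), AuthServer(secret, window=5)
    token.press()
    token.press()                        # two codes generated but never sent
    third = token.press()                # counter 2 on the token
    accepted = server.verify(third)      # window 0..4 catches it, server -> 3
    replayed = server.verify(third)      # same code again: rejected
    for _ in range(10):                  # token drifts well past the window
        token.press()
    drifted = server.verify(token.press())
    return {"accepted": accepted, "replayed": replayed,
            "drifted": drifted, "server_counter": server.counter}


if __name__ == "__main__":
    print(hotp(b"12345678901234567890", 0))   # RFC 4226 vector: 755224
    print(demo())
```

The window is the usability/security trade-off in miniature: a wider window tolerates more idle button presses but gives an online guesser more valid codes per attempt, so servers pair it with attempt limits and lockout. Time-based tokens replace the counter with a clock step and use a window of a few steps for the same reason.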
Other, more passive approaches are image-based site-authentication technologies aimed at phishing. The bank “drops a cookie” on the user’s machine to recognize it and then displays a picture the user chose at enrollment, so the user can tell the genuine site from a look-alike. This authenticates the site to the user rather than the user to the bank, so on its own it does not satisfy the FFIEC factors, and malware that captures screen images as well as keystrokes can record the picture. Because the method was only recently introduced, market pricing has not been openly available.
Banks are seeking to balance identity theft risk with practical, cost-effective solutions that stay within the budget. They need to choose solutions that work with their entire base of online customers, can be used anywhere, and are easily manageable – no small feat.
The return on investment of most security projects is hard to determine because of the soft factors, such as member acceptance, increased sense of security and the cost associated with not doing anything. The old saying, “Pay me now or pay me later,” applies here; rather than viewing identity verification and authentication as just another IT project, banks are best served seeing it as an evolving process to protect customers’ identities and trust in financial institutions. After all, the costs of compliance will be far lower over time than the cost of identity theft.
Jerry Skidmore of Strikeforce, an identity assurance provider, has been working with the financial community for more than two decades, in the areas of information security, branch automation, ATM technology, communications and networking technology, and online banking services. He has an economics degree specialized for the banking industry. Jerry can be reached at (732) 661-9641 or firstname.lastname@example.org.