Who You Are Is Your Business
By Thomas J. Townsend
We’ve all seen those high-tech, futuristic security features, such as fingerprint, retina and voice pattern scans, in movie franchises like “James Bond” and “Star Trek.” But they are no longer just a Hollywood movie trick.
Although not everyone is using such a high level of technology, banks across the country were required to up the ante on security for Internet and electronic banking customers by the end of 2006.
The sole purpose is to decrease the opportunities for identity theft through electronic banking outlets. In 2001, the Federal Financial Institutions Examination Council (FFIEC) distributed guidance entitled “Authentication in an Internet Banking Environment” and expanded that in 2005 to include not just Internet, but all electronic banking outlets. The document outlined the changing face of Internet and electronic banking, security concerns and the measures required by banks to ensure public safety. It addressed the need for banks and financial institutions to determine the risks involved with offering electronic-based banking products, create customer awareness and enhance security measures to authenticate users.
Risk Assessments: Multi-factor authentication really stemmed from a need to further protect customer information and manage high-risk transactions, which are most often the transfer of dollars from one account to another and online bill payments. The risk assessments surrounding multi-factor authentication were designed to consider things like phishing, pharming and malware, all of which focus on obtaining customers’ private information to illegally gain access to their accounts. Other risk factors considered for the assessment included potential damage to a bank’s reputation, harm to a customer, transaction risk and other foreseeable threats to customers’ privacy.
Banks nationwide started quantifying the risks associated with their Internet and electronic-based banking products and services, focusing on any electronic system that allowed retail, business or commercial users to move money out of the bank, such as telephone and Internet banking, wire transfers, letters of credit and so on. Each electronic process was reviewed and assessed for risk levels and whether each needed to utilize the multi-factor authentication solution.
Consumer Awareness: The second piece outlined by the FFIEC is an important tool in the arsenal to fight identity theft – consumer awareness. Customers need to know their bank’s policies on Internet and electronic banking. They need to know their bank will never ask for personal information online or over the phone. They should know to never give out personal identification numbers, passwords, Social Security numbers or other personal information. It’s critical for banks to educate their customers. Sun National Bank features a permanent link on its Web site to a “Facts About Fraud” brochure and has included that same brochure with statements on several occasions. Sun also utilizes alerts on its Internet banking login pages.
Enhanced Security Solutions: Today, at most financial institutions, customers are asked to enter a username and password to access their accounts. With multi-factor authentication, customers will have a username, password and at least one other layer of security.
The three most common categories of additional security are:
1) Something customers know – like answers to specific questions;
2) Something they have, including a common physical device called a token that gives users a rotating code to enter at the time of login; and
3) Something they are – enter the fingerprint, retina or voice pattern scans.
Sun National Bank, like many other banks, is working closely with its electronic banking vendors to ensure compliance with the FFIEC guidelines by year-end. Digital Insight and BankLink are two of Sun’s service providers, and each has a unique multi-factor authentication solution.
Digital Insight, which manages Sun’s personal and small business online banking services, uses technology that identifies users by their computer’s Internet Protocol (IP) address. After customers enter their username and password, the Digital Insight system validates their IP address. If the IP address does not match, access is denied. This system also allows users to log in from a different computer (and a different IP address). At setup, Digital Insight asks users to answer a series of questions, to which only they would know the answers. If a user attempts to log in to a banking session from a different computer, they will be asked this series of questions and only gain access to accounts if they answer each question correctly.
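The login flow described above can be sketched in a few lines. This is an added example, not Digital Insight’s code: the class, the method names, the three outcome strings and the sample values are all assumptions made for illustration, and an unrecognized IP address leads to the challenge questions rather than an outright denial.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def _kdf(text: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", text.encode(), salt, ITERATIONS)


def _norm(answer: str) -> str:
    # Ignore case and stray whitespace so " Rex " matches "rex".
    return " ".join(answer.lower().split())


class Account:
    """Hypothetical enrollment record: password, setup IP, challenge answers."""

    def __init__(self, password, enrolled_ip, answers):
        self.salt = os.urandom(16)
        self.password = _kdf(password, self.salt)
        self.enrolled_ip = enrolled_ip
        # Store only salted hashes of the answers, never the text itself.
        self.answers = {q: _kdf(_norm(a), self.salt) for q, a in answers.items()}

    def login(self, password, ip, answers=None):
        # The password is checked on every path, known computer or not.
        if not hmac.compare_digest(_kdf(password, self.salt), self.password):
            return "denied"
        if ip == self.enrolled_ip:
            return "granted"
        if answers is None:
            return "challenge"  # different computer: ask the setup questions
        # Every question must be answered correctly; do not stop at the first miss.
        ok = set(answers) == set(self.answers)
        for question, stored in self.answers.items():
            given = _kdf(_norm(answers.get(question, "")), self.salt)
            ok &= hmac.compare_digest(given, stored)
        return "granted" if ok else "denied"


def sample_account():
    # Constructed sample data; the IP is from a documentation range.
    return Account("correct horse", "203.0.113.7",
                   {"first pet": "Rex", "street": "Maple St"})
```

An IP match is weak evidence of a known computer, since addresses are shared behind NAT and reassigned by providers, which is why the sketch never lets it replace the password check.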
BankLink offers something a little different. BankLink is responsible for Sun’s commercial online banking system and has opted to use images as a third layer of security. In addition to entering a username and password, commercial customers will be required to select a photo to gain access to their accounts. Additionally, both Digital Insight and BankLink reset users’ passwords every 45 days.
These are just two vendors and a few ways banks and financial institutions are increasing security in order to decrease the risk of identity theft from electronic banking. Different vendors and banks use different solutions, but the end results are the same for customers – an additional step to access accounts, which keeps them safer from fraud and identity theft.
Multi-factor authentication is another step in the ongoing process to protect customer information. Because of emerging technology and the ever-changing Internet, banks and financial institutions face a constant threat to customers’ data. As more businesses and consumers become comfortable using Internet and electronic banking outlets, the risk continues to rise.
With federal and state laws, as well as mandates like the FFIEC’s multi-factor authentication, banks are making it harder and harder for criminals to get access to data – and easier for consumers to protect themselves. The key to a truly successful consumer information protection campaign is education for everyone involved. Banks must educate their customers about what banks are doing to protect them – and what customers can do to protect themselves.
Banks should also rely on groups such as NJBankers and other organizations and advisors to stay informed and up-to-date on new threats and even newer solutions. Finally, banks and financial institutions can share information and best practices with each other to create a “best of breed” in security measures that can become a standard in what companies offer their client base.
So, who knows? Maybe before long things will be different and fingerprint, retina and voice pattern scans will be the norm. But one thing won’t change – banks have a responsibility to protect customers and their private information, no matter the technology.
Thomas J. Townsend is executive vice president for Sun National Bank. He oversees the company’s bank operations, information technology and risk management departments. He can be reached at (856) 691-7700.