How to Avoid Swimming With the ‘Phishes’
By Dean Schumann
Clearly Internet-based banking is the way more and more people are choosing to bank. Although making transactions electronically is convenient and easy, it can put banks and their customers in jeopardy. Last fall the Federal Financial Institutions Examination Council (FFIEC) issued “Authentication in an Internet Banking Environment,” a 14-page document that provides an overview of risk-management controls needed to authenticate the identity of customers who use Internet-based banking services. And before year’s end, the FDIC expects banks to comply with this guidance.
Public Enemy No. 1: Identity Theft
Obviously, identity theft is high on the list of vulnerabilities, and although it can result in negative publicity for a bank and damaged customer relationships, the bank – not the customer – is usually more at risk for actual financial loss. Customer authentication is the primary method used to protect customer accounts; however, the FFIEC doesn’t believe single-factor authentication is adequate for high-risk transactions involving access to customer information or the movement of funds to other parties. In other words, simply entering a username and password may not be adequate protection.
There are several ways to obtain customer information, but the most commonly used method is “phishing.” A customer is sent an official-looking e-mail that asks for personal information or directs them to an authentic-looking but phony Web site. When the individual logs in on the fake site, the username and password are captured.
Means of Authentication
According to the FFIEC, authentication involves one or more of the following factors:
• Something a person knows – usually a password or personal identification number (PIN),
• Something a person has – often a token or smart card, and
• Something a person is – usually involving a physical characteristic like a fingerprint, voice pattern or eye scan.
Passwords or PINs can be supplemented by additional information. Address or other personal data that may not be widely known is often used to further validate user identity.
Tokens – offered by a few financial service providers – typically generate constantly changing codes based on pre-programmed algorithms. When the token is connected to the computer, a central authenticating server confirms the pass code. However, tokens are expensive for providers and often viewed as an unnecessary hassle by consumers.
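As an added illustration, not taken from the article or from any provider named in it, the following shows how a code-generating token and a central authenticating server can agree on a constantly changing pass code. It assumes an event-counter design in the style of RFC 4226 (HOTP): both sides share a secret, the server keeps the last counter it accepted so a captured code cannot be replayed, and a small look-ahead window lets a token that was pressed a few times offline resynchronise.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then 'dynamic truncation' to a fixed number of decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TokenServer:
    """Server-side record for one customer's token: the shared secret and the
    next counter value the server expects. Constructed for this example."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0        # next counter the server will accept
        self.window = window    # how far ahead we search to resync a drifted token

    def verify(self, code: str) -> bool:
        """Accept a code only if it matches a counter at or ahead of the
        expected one, then move past it so the same code never works twice."""
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


def demo() -> list:
    """Walk through one token's life: first code, replay of it, a skipped press,
    and the stale code from the skipped press. Returns the verify() results."""
    secret = b"12345678901234567890"          # RFC 4226 test-vector secret (constructed)
    server = TokenServer(secret)
    token_codes = [hotp(secret, c) for c in range(4)]  # what the token would display
    results = [
        server.verify(token_codes[0]),   # True: expected counter 0
        server.verify(token_codes[0]),   # False: replayed, counter already consumed
        server.verify(token_codes[2]),   # True: user pressed twice, within window
        server.verify(token_codes[1]),   # False: counter 1 is now behind the server
    ]
    return results


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is a trade-off: a wider window tolerates more button presses between logins but gives a guessed code more counters to match against, so keep it small and lock the account after repeated failures.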
Using physical characteristics to verify identity presents its own set of problems. The user needs to have an additional piece of hardware connected to his or her computer. So, price and convenience, especially when accounts are accessed from multiple computers, are significant factors.
Software approaches to security appear to be the most cost-effective and user-friendly solutions. Encrypted electronic “certificates” – stored in a small file on the user’s computer – can be used to authenticate a user. When the bank’s Web site is contacted, not only would the certificate let the bank know the user is legitimate, it would also protect the user from responding to a phony Web site. Unfortunately, certificates would not be effective against a fraud committed by an individual with access to the username, password and the user’s computer.
Scrambled PIN pads are another software approach used by a few providers. For instance, a computer-generated PIN appears on the screen, often as a picture with “artistically shaped” letters and numbers, and the user must read it and enter it manually in order to complete a transaction or enter a Web site.
If your bank wishes to establish or maintain services via the Internet, safeguard the bank and its customers from potential online threats by completing a risk assessment. It can pinpoint the types and levels of risk associated with your online banking activities and keep you compliant. When performing an assessment, identify all services offered via the Internet and the potential threat associated with each service, catalogue the risk mitigation techniques in use, and review their effectiveness. In addition, monitor the ongoing effectiveness of those techniques and adapt them as potential threats change.
Dean Schumann is a managing director with RSM McGladrey Technology Risk Management Services. For more information, contact him at firstname.lastname@example.org. This article was reprinted with permission from Bank Notes, an RSM McGladrey publication.