New guidance from federal banking regulators calling traditional user names and passwords “inadequate” for online banking could lead to a major push for strong authentication next year. The guidance, released last month by the Federal Financial Institutions Examination Council, recommends what it calls multi-factor authentication, or identification systems involving more than one piece of information or characteristic about online customers, for Web-based banking transactions involving customer data or transfers of funds. The document also comes in the wake of mounting attacks on consumers by con artists tricking online-banking users and shoppers into giving up passwords, PINs, and other such information (Digital Transactions News, Oct. 13). Contrary to recent news reports, however, the guidance doesn't mandate multi-factor authentication by year-end 2006. Nor does it recommend any one technology over another. Rather, the Federal Deposit Insurance Corp. and the other four regulatory agencies, including the Fed, that rely on the FFIEC are requiring that banks complete information-technology risk assessments by the end of next year. If, as a result of these assessments, banks find they are trafficking in sensitive customer information that requires further protection, they will be expected to upgrade that protection, says an FDIC spokesman. “Two-step [strong] authentication may be what they need to adopt,” he says. “We are leaving that up to the organizations.” Moreover, he says, when the agency conducts an examination, it may tell a bank to adopt two-factor authentication if it feels the bank's risk assessment calls for it. The FFIEC standardizes bank-examination methods for the five regulatory agencies, which include the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision, in addition to the FDIC and the Fed.
In two-factor authentication, information beyond a password is required to access sensitive sections of a Web site. This information could be something a customer has in his possession, such as a token, or some characteristic about him, such as a fingerprint. Although the FFIEC's guidance does not recommend one approach over another, it reviews several, including shared secrets, smart cards, tokens, biometrics, mutual-authentication software, and geo-location. It also leaves no doubt that conventional password systems in isolation will be hard to justify for transactional sites. Such authentication, it says, is “inadequate…for high-risk transactions involving access to customer information or the movement of funds to other parties.” The FDIC spokesman estimates that, though 80% of the 5,100 banks the agency regulates have Web sites, only about 40% of these, around 1,600, have transactional sites. More such sites, however, are expected to come online, magnifying the threat of phishing and other online scams. “The key here is to make sure the Web is secure for customers,” says the spokesman. “If customers are reluctant to use the Internet, that will cut down on a growing way for banks to reach out to their customers.” Added online security could also pay for itself, the spokesman suggests. “There is a cost to not implementing [strong authentication],” he says. “Banks have been stepping up to the plate and making customers whole [in cases of online thefts]. That is costing the industry money, and may exceed the cost of implementing these security measures.” A copy of the guidance can be found on the FFIEC Web site at: www.ffiec.gov/pdf/authentication_guidance.pdf
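To make the "something the customer has" factor concrete, here is an added example that is not part of the article and not code from the FFIEC or any bank: a login check that requires both a password (something known) and a one-time code from a time-based token (something possessed). The article names tokens in general; the choice of an RFC 4226/6238 HOTP/TOTP-style token, the `login`/`verify_totp` function names, the demo account, its salt and its password are all assumptions made for this illustration. The token key is the published RFC test-vector key so the codes can be checked against the RFC tables. A code that has already been accepted is refused a second time, which is what limits the damage when a phishing site captures a customer's password and current code.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1):
    """Return the time step the code matched, or None.

    One step of drift either side is tolerated so a slightly wrong token clock
    still works; the comparison is constant-time.
    """
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if hmac.compare_digest(totp(secret, t, step, digits), code):
            return t // step
    return None


def _hash_password(password: str, salt: bytes) -> bytes:
    # Password verifier: PBKDF2-HMAC-SHA256 with a per-account salt (assumed parameters).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed demo account; not real customer data. The token key is the
# RFC 4226/6238 test-vector key "12345678901234567890".
_DEMO_SALT = b"constructed-salt"
DEMO_USER = {
    "name": "alice",
    "salt": _DEMO_SALT,
    "pw_hash": _hash_password("correct horse battery staple", _DEMO_SALT),
    "token_secret": b"12345678901234567890",
    "last_step": -1,  # highest time step already consumed (replay guard)
}


def login(user: dict, password: str, code: str, unix_time: int):
    """Two-factor check. Returns (accepted, reason)."""
    # Factor 1: something the customer knows.
    pw_ok = hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])
    # Factor 2: something the customer has. Evaluated unconditionally so the
    # response time does not reveal which factor failed.
    step = verify_totp(user["token_secret"], code, unix_time)
    if not pw_ok or step is None:
        return False, "authentication failed"
    # A code that has already been accepted, or one from an earlier step,
    # is refused: a captured code is worthless after its first use.
    if step <= user["last_step"]:
        return False, "one-time code already used"
    user["last_step"] = step
    return True, "ok"


if __name__ == "__main__":
    account = dict(DEMO_USER)
    print(login(account, "correct horse battery staple", totp(account["token_secret"], 59), 59))
```

The replay guard is per-account state that must persist server-side; without it, a phished password-plus-code pair could be replayed by an attacker within the same 30-second step, which is exactly the scenario the guidance is concerned with.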