With the deadline for meeting new requirements for strengthened online banking security less than half a year away, two words have become pertinent: risk assessment.
The Federal Financial Institutions Examination Council (FFIEC) issued guidelines last October that encouraged banks to go beyond
Yet risk assessment is only the beginning. Next comes the process of selecting a solution, implementing and testing it, educating customers, and rolling it out to them - tasks that could easily take months. The risk assessment is the essential first step since it lays the groundwork for all these other activities.
"Our biggest concern is for banks that have not yet conducted the risk assessment," said Steve Kenneally, director of payments and technology policy at America's Community Bankers.
An assessment needn't take a long time, but should be a thoughtful review. Michael Jackson, associate director of the Federal Deposit Insurance Corp., advised institutions to take a broad perspective. "Coverage is a big thing," he said. "We're always on the lookout for an assessment that doesn't identify an area of high risk." Institutions using off-the-shelf online banking products that are not tailored to them could miss high-risk areas, he added. Regulators have not put a lot of restrictions on how the assessments are conducted, Jackson said, and banks are free to hire outside consultants or tap their service providers for help.
Accordingly, many vendors have stepped up with products aimed at helping banks get the assessments done. Digital Insight of Calabasas, Calif., worked with the accounting firm KPMG to create a document explaining how to conduct an assessment. It also provides customers with an overview of the core functionality of its own online banking software, where the risks lie, and how to lessen them. "It's our risk assessment of our technology, which they [customers] have very little visibility to," said Scott Mackelprang, vice president of security and compliance at Digital Insight.
Fiserv of Milwaukee, Wis., is offering to perform assessments on an institution's behalf for $795, a fee that just covers its costs, said Jamie Deterding, senior vice president at Information Technology Inc. (a Fiserv division), and general manager of esolutions. Community banks may not have the depth of personnel to get the assessments done, he said. Or they may not be aware of their importance. This appeared to be the case at a recent conference Deterding attended, where only one bank out of five appearing on a panel - each with more than $1 billion of assets - had so far performed an assessment.
Selecting the Right Technology
Banks are relying on their vendors for more than just help with the assessments. In many cases, vendors will suggest the authentication technologies their customers will adopt. But regulators advise banks not to get too cozy with their vendors. The way the regulators see it, banks that fear their vendor will not be ready with a two-factor authentication solution "can contract with another vendor," Jackson said. The three authentication factors are something you know (a password or PIN), something you have (a token or a registered computer) and something you are (a biometric). Requiring two of those three factors during a log-in or transaction constitutes two-factor authentication; asking for the same factor twice does not.
The FFIEC was careful not to specify which authentication technologies banks should use, and as a result, the solutions being brought to market by vendors and adopted by banks run the gamut. Some of the most talked about include consumer device identification, transaction anomaly detection, hardware tokens, and challenge questions (see box for descriptions). Given the range of offerings, it's not surprising that debates are beginning to flare about the advantages of certain technologies over others.
Cookies, often used in consumer device identification and transaction anomaly detection, are a case in point. A cookie is a small piece of text data that an institution's web site can place on a user's hard drive and read back on later visits. A bank uses it to tag a computer so that, at the next log-in, it can confirm the machine is the one the customer normally uses and compare it against recorded attributes such as the browser used, the computer's software configuration, and its geographic location. A cookie, in effect, lets the computer act as a second form of authentication for the customer.
Cookies are essential elements of some vendors' offerings. RSA Security, through its acquisition of PassMark Security, which provides two-factor authentication to Bank of America, uses cookies. So does TriCipher, the Internet security vendor with which Digital Insight has aligned.
Despite their widespread use, some observers argue that the effectiveness of cookies is limited. "Consumers delete cookies all the time," said Avivah Litan, a research director at Gartner. A common fix for a slow-performing computer, for example, is to delete the cookies stored on it. In addition, because they are software-based, cookies are susceptible to being intercepted and viewed by hackers. "Anything crooks can see, they can copy," she said.
But cookie-based solutions can still work, even if consumers delete the cookies on their PCs, said Baron Unbehagen, vice president of products and marketing at S1, an Internet banking software provider that is making RSA's PassMark solution available to its customers. That's because Flash shared objects can be used in lieu of cookies, he said. These objects are similar to cookies, and enable dynamic content to be downloaded to particular machines. In extensive testing that S1 conducted, Unbehagen said, the RSA system was still able to do the appropriate amount of forensics, even when cookies were deleted.
Digital Insight appears to be straddling both sides of the cookie debate. Mackelprang said its cookie-based solution is good for now because it's easy to roll out. But the company is prepared for the day when cookies might lose their effectiveness. Its TriCipher solution also incorporates two authentication measures that rely on digital certificate technology, rather than cookies. "We have the ability to ratchet up as threats evolve," Mackelprang said.
A clear advantage of cookie-based solutions is that they operate mostly behind the scenes, a feature that appeals to banks that do not want to burden their users with new routines or accoutrements just to log into online banking. Hardware tokens, such as fobs that dispense one-time passwords, are widely regarded as among the strongest security methods. But besides being expensive, they can be difficult for consumers to keep track of.
"For the public, you need to give them convenience," said Gary Lewis Evans, president of San Diego-based Bank of Internet USA. "We like to keep it easy for customers."
For that reason, he said, Bank of Internet, like many banks, is going with a solution that is mostly invisible to end-users. It is working with its Internet banking service provider, Jack Henry Inc. of Monett, Mo., to install software-based authentication from Cyota, which was acquired by RSA Security late last year.
Jack Henry is offering the software in two versions: basic and premium, said Tom Walsh, the company's general manager of marketing and industry research. The basic service, available free to banking customers, scrutinizes log-in attributes, such as the computer's location and its software configuration. The premium service, available for a per-account fee that Walsh declined to disclose, takes the extra step of analyzing transactions beyond log-ins to identify unusual behavior. For example, a large money transfer to a foreign bank is the type of transaction that might be flagged. Walsh said most banks with $300 million or more in assets are opting for the premium service.
Hardware tokens, meanwhile, are finding a place in online banking as an effective tool for corporate customers. Fiserv's ITI unit partnered with Vasco Data Security International to offer tokens that deliver a one-time password. At a distribution cost of $10 to $15 per token per user, plus maintenance, hardware tokens clearly are not cost-effective for mass use. The company expects banks will offer them to business customers that execute riskier transactions such as wire transfers and automated clearinghouse transactions, Deterding said. For consumer Internet banking, ITI has aligned with RSA's PassMark to offer software-based authentication. The cost of that solution is much more palatable for a large consumer customer base, at about $1 per user per year, Deterding said.
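The premium-style transaction analysis Walsh describes is, at bottom, a comparison of a new transaction against the account's own history. The following is an added example written for this article and is not Jack Henry's, RSA's or any other vendor's product logic: it derives a baseline from an account's past transfers and returns the reasons a new transfer departs from it, including the "large transfer to a foreign bank" case mentioned above. The rule set, the multiplier, the velocity window, the home country and the sample history are all assumptions made for the example.

```python
"""Rule-based transaction anomaly check (added illustration, not vendor code)."""
from datetime import datetime, timedelta
from statistics import median

AMOUNT_MULTIPLIER = 5             # assumed: flag amounts above this many times the median
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_LIMIT = 3                # assumed: this many prior transfers in the window is unusual
HOME_COUNTRY = "US"               # assumed home country for the account


def make_transfer(amount: float, dest_country: str, when: str) -> dict:
    """Build a transfer record from an ISO-8601 timestamp string."""
    return {"amount": amount, "dest_country": dest_country, "when": datetime.fromisoformat(when)}


def sample_history() -> list:
    """Constructed history: modest domestic transfers spread over several months."""
    base = datetime(2006, 1, 10, 9, 0)
    amounts = [200.0, 350.0, 500.0, 800.0, 1200.0, 1500.0]
    return [
        {"amount": a, "dest_country": HOME_COUNTRY, "when": base + timedelta(days=21 * i)}
        for i, a in enumerate(amounts)
    ]


def flag_transaction(history: list, tx: dict) -> list:
    """Return the reasons this transfer looks unusual for the account (empty list = normal)."""
    reasons = []

    # Rule 1: money leaving the country to a destination this account has never used.
    seen_countries = {past["dest_country"] for past in history}
    if tx["dest_country"] != HOME_COUNTRY and tx["dest_country"] not in seen_countries:
        reasons.append(f"first transfer to a foreign bank in {tx['dest_country']}")

    # Rule 2: amount far outside what this account normally moves. The median is
    # used rather than the mean so one earlier large payment does not mask the next.
    if history:
        typical = median(past["amount"] for past in history)
        if tx["amount"] > AMOUNT_MULTIPLIER * typical:
            reasons.append(
                f"amount {tx['amount']:.2f} exceeds {AMOUNT_MULTIPLIER}x the median of {typical:.2f}"
            )

    # Rule 3: a burst of transfers in a short window, typical of an account being drained.
    recent = [
        past for past in history
        if timedelta(0) <= tx["when"] - past["when"] <= VELOCITY_WINDOW
    ]
    if len(recent) >= VELOCITY_LIMIT:
        reasons.append(f"{len(recent)} prior transfers within the last 24 hours")

    return reasons


if __name__ == "__main__":
    history = sample_history()
    wire = make_transfer(25000.0, "CH", "2006-07-01T14:30:00")
    for reason in flag_transaction(history, wire):
        print("FLAG:", reason)
    print("routine:", flag_transaction(history, make_transfer(600.0, "US", "2006-07-01T14:30:00")))
```

A flagged transfer would feed the same step-up path as a suspicious log-in: hold the transaction and put a challenge question or an out-of-band confirmation to the customer, rather than silently declining it.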
Chip Register, chief technology officer at $4.4 billion-asset Atlanta-based Netbank, said his company explored the token route in detail before deciding it would not be the best solution. The challenge, Register said, was to find a technology that offered effective security without being overly intrusive or expensive. "Consumers can sometimes be difficult to please," he said. "They want to feel secure, but they also say, 'Please make it as fast and as easy as possible.'"
Netbank opted for a solution from its Internet banking software provider, Corillian, which analyzes a computer's attributes, such as its location and the version of Windows used, as well as end-user behaviors, such as the time a user normally logs on to Internet banking. Together, the data points create an "access signature" or a library of acceptable behaviors that Netbank maintains and compares against future log-ins. The solution fulfilled a big requirement, Register said, which was not to introduce change into the log-in process.
Solutions that analyze PC attributes and transaction behavior must be able to distinguish between a fraudulent log-in and, for example, a legitimate user who is simply using a different computer. Rather than refusing the log-in outright, these systems step up the authentication when the signature does not match, asking questions to which only the legitimate account holder should know the answers.
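The access-signature approach Register describes, and the cookie debate above, come together in a single decision: is this log-in close enough to what the bank has seen from this customer to let through, or should it be stepped up to a challenge? The following is an added example written for this article, not Corillian's, RSA's or Netbank's code. It tags an enrolled computer with a random cookie value (storing only a keyed hash of it server-side), records the attributes the article says these products compare, and scores a new log-in. A deleted or unknown cookie counts against the log-in but does not block it on its own, which is the point Litan and Unbehagen argue over. The attribute names, the point weights, the threshold and the sample devices are assumptions made for the example.

```python
"""Access-signature check for an online-banking log-in (added illustration, not vendor code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed server-side secret: the profile table stores a keyed hash of the cookie
# value, so someone who reads the table cannot forge a recognised cookie from it.
SERVER_KEY = b"example-only-server-key"

# Attributes the article says these products compare between log-ins (assumed names).
COMPARED_ATTRIBUTES = ("browser", "os_version", "geo")
CHALLENGE_THRESHOLD = 2  # assumed: this many risk points steps the log-in up to a challenge


def token_fingerprint(cookie_value: str) -> str:
    """Keyed hash of the cookie value; this is what the bank stores, not the raw cookie."""
    return hmac.new(SERVER_KEY, cookie_value.encode(), hashlib.sha256).hexdigest()


@dataclass
class CustomerProfile:
    devices: dict = field(default_factory=dict)    # token fingerprint -> attributes at enrolment
    usual_hours: set = field(default_factory=set)  # hours of day (0-23) the customer logs in

    def enrol_device(self, attributes: dict, hour: int) -> str:
        """Tag a device: returns the random cookie value to set in the customer's browser."""
        cookie_value = secrets.token_urlsafe(32)
        self.devices[token_fingerprint(cookie_value)] = dict(attributes)
        self.usual_hours.add(hour)
        return cookie_value


@dataclass
class LoginDecision:
    action: str      # "allow" or "challenge"
    risk: int
    reasons: list


def closest_known_device(profile: CustomerProfile, attributes: dict):
    """Fallback when the cookie is gone: the enrolled device whose attributes match best."""
    if not profile.devices:
        return None
    return max(
        profile.devices.values(),
        key=lambda known: sum(known.get(k) == attributes.get(k) for k in COMPARED_ATTRIBUTES),
    )


def score_login(profile: CustomerProfile, cookie_value, attributes: dict, hour: int) -> LoginDecision:
    """Compare this log-in against the customer's access signature and decide what to do."""
    risk, reasons = 0, []
    known = profile.devices.get(token_fingerprint(cookie_value)) if cookie_value else None
    if known is None:
        # A deleted or unknown cookie is suspicious but not proof of fraud: fall back
        # to attribute matching and let the challenge question settle it.
        risk += 2
        reasons.append("device cookie missing or not recognised")
        known = closest_known_device(profile, attributes)
    for name in COMPARED_ATTRIBUTES:
        if known is None or known.get(name) != attributes.get(name):
            risk += 1
            reasons.append(f"{name} differs from the enrolled device")
    if hour not in profile.usual_hours:
        risk += 1
        reasons.append("log-in at an unusual hour")
    action = "challenge" if risk >= CHALLENGE_THRESHOLD else "allow"
    return LoginDecision(action, risk, reasons)


if __name__ == "__main__":
    # Constructed sample customer with one enrolled home PC.
    profile = CustomerProfile()
    home_pc = {"browser": "IE 6.0", "os_version": "Windows XP SP2", "geo": "US-GA"}
    cookie = profile.enrol_device(home_pc, hour=20)
    print(score_login(profile, cookie, home_pc, 20))                       # allow
    print(score_login(profile, None, home_pc, 20))                         # challenge: cookie deleted
    print(score_login(profile, cookie, {**home_pc, "browser": "IE 7.0"}, 20))  # allow: browser upgrade
    print(score_login(profile, cookie, {**home_pc, "geo": "RO"}, 3))       # challenge: new country, 3 a.m.
```

Two design points worth noting: a single changed attribute (a browser upgrade) does not trigger a challenge, which keeps the "mostly invisible" property the banks quoted here want, and a missing cookie plus a perfect attribute match lands exactly on the threshold, so the customer who cleared their cookies gets one challenge question rather than a locked account.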
Banks can also choose to work with consultants when it comes to multi-factor authentication. Crowe Chizek, a provider of assurance, consulting, risk management, tax and technology services, offers a complete suite of services designed to walk a bank through the entire authentication process. To start things off, Crowe will help a bank conduct a risk assessment of all applications, and will then work with bank management to select the appropriate technologies and monitoring techniques.
From Idea to Implementation
Institutions that have gotten as far as performing a risk assessment, identifying the appropriate solutions, and rolling them out are discovering the many difficulties in implementing these so-called challenge questions. Questions that used to be routine, such as mother's maiden name and city of birth, no longer cut it because they can easily be gleaned from publicly available information. Banks have to be much more creative, coming up with questions that are unique to a customer, but not so obscure that they can't be easily recalled. Not everyone, for example, knows off the top of their head the amount of their monthly mortgage payment.
Some examples of the questions Netbank is considering are the first name of a childhood friend, a first pet, or middle school attended, Register said. Netbank probably will have a library of 20 questions and require customers to answer 10 of them, which it will keep on record.
From testing the process Netbank has learned that it has to be careful to guide customers to answers that won't trip them up later, Register said. Answers have to be an exact match, so case-sensitive responses, for example, could potentially cause trouble. There are other sensitivities. Asking for a father's middle name could be a sore point if someone's father is deceased, Register pointed out.
"We're learning that the questions at the heart of the challenges will create calls to customer service," he said.
Netbank has yet to determine the number of questions to ask and how frequently to ask them. Should it do challenges randomly? Every five log-ins? Or only when initial login behaviors or attributes cast suspicion on the user? Netbank does not want to create too many barriers to banking online, yet it wants to enforce the idea that customer information is secure, Register said.
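The two implementation problems Register raises, exact-match comparisons that trip up customers and the need to hold more answers on file than are asked at any one log-in, both have straightforward engineering answers. The following is an added example written for this article and is not Netbank's code: it canonicalises an answer before comparing it (case, whitespace and punctuation no longer matter), stores only a salted PBKDF2 hash of each answer so a leaked table does not expose the answers themselves, and draws a random subset of the enrolled questions for each challenge. The question library (the three questions named above), the normalisation rules, the PBKDF2 cost and the sample answers are assumptions made for the example.

```python
"""Challenge-question enrolment and verification (added illustration, not Netbank's code)."""
import hashlib
import hmac
import os
import re
import secrets
import unicodedata

# Assumed question library; the article names these three as candidates.
QUESTION_BANK = (
    "First name of a childhood friend?",
    "Name of your first pet?",
    "Middle school you attended?",
)
PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to the bank's hardware


def normalize_answer(answer: str) -> str:
    """Canonical form: compatibility-normalise, case-fold, drop punctuation, collapse spaces.

    'St. Mary's' and 'st marys' must compare equal, or the customer-service calls
    Register predicts will be about this function.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)
    return " ".join(text.split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Slow salted hash of the canonical answer; this is all that is stored."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, PBKDF2_ITERATIONS
    )


def enrol_answers(answers: dict) -> dict:
    """Return the record to keep on file: question -> (salt, hash). No plaintext answers."""
    record = {}
    for question, answer in answers.items():
        if question not in QUESTION_BANK:
            raise ValueError(f"unknown question: {question}")
        salt = os.urandom(16)
        record[question] = (salt, hash_answer(answer, salt))
    return record


def pick_challenge(record: dict, count: int) -> list:
    """Choose a random subset of the enrolled questions to ask on this log-in."""
    return secrets.SystemRandom().sample(sorted(record), count)


def verify_answer(record: dict, question: str, answer: str) -> bool:
    """Constant-time comparison of the customer's response against the stored hash."""
    salt, expected = record[question]
    return hmac.compare_digest(hash_answer(answer, salt), expected)


if __name__ == "__main__":
    # Constructed sample enrolment and the customer's later (differently typed) responses.
    stored = enrol_answers({
        "Name of your first pet?": "Mr. Whiskers",
        "Middle school you attended?": "St. Mary's",
        "First name of a childhood friend?": "Tomás",
    })
    responses = {
        "Name of your first pet?": "MR WHISKERS",
        "Middle school you attended?": "st marys",
        "First name of a childhood friend?": "tomas",   # accent dropped: this one will fail
    }
    for q in pick_challenge(stored, 2):
        print(q, verify_answer(stored, q, responses[q]))
```

Normalisation deliberately does not strip accents, so a customer who enrolled "Tomás" and later types "tomas" is rejected; whether to fold accents too is a policy choice the bank has to make at enrolment and explain to customers. Failed challenges should also be rate-limited per account, since a short question library gives an attacker few things to guess.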
Though most banks plan to use challenge questions as a back-up when other indicators signal a fraudulent attempt, Dollar Bank, a $5.4 billion-asset institution in Pittsburgh, uses them every time a customer logs in. Jeff Morrow, executive vice president at Dollar, said he believes his bank already is in compliance with the FFIEC guidelines, even though it does not technically offer two-factor authentication. Instead, it asks for a single authentication factor (something you know) twice - first in the form of the password, then as a rotating challenge question. Morrow calls the technique multiple single-factor authentication.
Combined with other measures the bank takes, such as masking names, addresses and account numbers online, Dollar's approach constitutes layered security, which Morrow says is supported in the FFIEC guidance. Dollar already conducted its risk assessment and continues to be comfortable with this approach, he said. "I think what the regulators want people to do is make serious efforts to consider security," he said.
Another consideration is the effect all this extra security will have on customers. "This is every bit as much an education process as a technology process," said Walsh of Jack Henry.
Netbank has planned a three-stage rollout process to ease the transition to higher security. Its first roll-out, scheduled for July and expected to last about two months, will be to 50 to 100 Netbank employees. Once any problems have been vetted, Netbank will introduce the authentication process to the rest of its more than 1,000 employees. Finally, in coordination with marketing and customer service initiatives, it will implement it in stages to its customer base. "The rough goal is to roll it out to the general customer base by the fourth quarter," Register said.
Banks hoping for some leniency from regulators on meeting the Dec. 31 deadline may want to think again. The regulators are aware that community banks in large part are dependent upon their vendors to provide enhanced security measures. Even so, "regardless of what happens with the vendors, the banks are ultimately responsible," Jackson of the FDIC said.
Banks were put on notice that two-factor authentication would become a requirement through an FDIC study published in December 2004, Jackson said. "It's not like they've been given a very short period of time. We've tried to make it clear to the industry that this process has flexibility at the examiner level, but we fully expect the industry to be there at year end."