MULTIFACTOR AUTHENTICATION October 2009

A report conducted, researched, and initiated by the Applied Research Institute and presented by the Research and Information Department of the California and Nevada Credit Union Leagues

MULTIFACTOR AUTHENTICATION

2009 ARI Membership

Allied CU
Altura CU
American First FCU
Arizona State Savings & CU
BECU
Boulder Dam CU
Burbank Community FCU
California CU
California/Nevada Credit Union Leagues
CD FCU
Christian Community CU
CoastHills FCU
CommonWealth Central CU
CO-OP Network
Credit Union Direct Corp.
CUNA Mutual Group
Fairview EFCU
Financial Service Centers Cooperative, Inc.
First City CU
First Entertainment CU
Health Associates FCU
Honda FCU
Key Point CU
Kinecta FCU
L.A. Financial CU
LBS Financial CU
MOCSE FCU
North Island Financial CU
NuVision FCU
Orange County's CU
Pacific Service CU
Paradise Valley FCU
Pasadena FCU
Patelco CU
Premier America CU
Redwood CU
San Mateo CU
SchoolsFirst FCU
Schools Financial CU
SELCO Community CU
Silver State Schools CU
Spectrum FCU
Star One FCU
Technology CU
Travis CU
USA Federal CU
USC CU
Wescom CU
Western Corporate FCU

Previous ARI Studies

• In Search of High-Performance Boards
• The “Why” Behind Gen Y
• Credit Card Profitability
• Branching Strategies
• Credit Union Lending Channels
• Supplemental Executive Retirement Plans
• Alternative Financial Services: Options for California Credit Unions
• Navigating the New Payments Landscape—What Credit Unions Need to Know
• Increasing Credit Union Market Share
• Meeting the Needs of Small Business
• Effective Collection Practices for Credit Unions (Phase 1)
  o Third Party Agency Management (Phase 2)
• E-Commerce and the Credit Union Movement

Table of Contents

1. Introduction
2. Background
3. Executive Summary
4. What is Multifactor Authentication
5. European Adoption
6. Multifactor Authentication Methods
   Shared Secrets
   Tokens
     Password-Generating Token
     Amazon Case Study
     USB Device
     Smart Card
   Biometrics
   Non-Hardware-Based One-Time-Password Matrix
7. VeriSign Case Study: Addison Avenue Federal Credit Union
8. Internet Protocol Address Location and Geo-Location
9. Limitations of Two-Factor Authentication
10. Conclusion


Multifactor Authentication | The Applied Research Institute, October 2009. ©2009, All Rights Reserved. The Applied Research Institute is a unit of the California and Nevada Credit Union Leagues.

INTRODUCTION

The Applied Research Institute (ARI) is a membership based think-tank coordinated by the California and Nevada Credit Union Leagues. Its focus is to examine current issues in the financial marketplace, especially those directly affecting the credit union industry, and more specifically, those encountered by ARI members. ARI has consistently produced actionable research for its members’ use. Serving primarily credit unions in the California and Nevada areas, the institute focuses on this niche within the financial sector.

For this study, ARI primarily utilized secondary research, online database research, an interview with Sri Balaji, web solutions security architect with Addison Avenue Federal Credit Union, and industry data from Financial Service Centers Cooperative (FSCC). ARI would like to offer special thanks to FSCC and Addison Avenue FCU for their data and assistance with the project.

In today’s world, the use of technology is pervasive. From online purchases, to social networking, to business transactions, the world is virtually run by computer code and technology. As innovations have increased productivity, lessened the importance of geography, improved our standard of living and given us technological advances only dreamed of but a few decades ago, they have also done one other significant thing: decreased face-to-face interaction. As more transactions have become “faceless,” fraud has been on the rise, requiring advanced methods of personal verification. Before, a teller or loan officer could see who they were dealing with and know whether or not to proceed. Now, they are only hearing a voice or seeing numbers on a screen requesting authorization, making fraud detection that much more difficult.

One of the growing problems facing credit unions is how to protect their confidential systems more effectively and increase their safety against possible malicious attacks, while still offering high levels of service. There are a number of different authentication solutions existing in the market, but as attacks are getting more advanced, security must improve ahead of it and not

Identity theft is defined as the process of using someone else’s personal information for your own personal gain. A 2009 identity theft study by the Javelin Strategy & Research Center, a San Francisco-based research firm, reveals that:

• Identity theft is on the rise, affecting almost 10 million victims in 2008 (a 22% increase from 2007).
• Victims are spending less money out of pocket to correct the damage from ID theft. The mean cost per victim is $500, and most victims pay nothing due to zero-liability fraud protection programs offered by their financial institutions.
• 71% of fraud happens within a week of stealing a victim’s personal data.
• Low-tech methods for stealing personal information are still the most popular for identity thieves. Stolen wallets and physical documents accounted for 43% of all identity theft, while online methods accounted for only 11%.

With all of these factors pushing against the credit union’s security and its members, using antiquated personal verification methods will leave the organization at risk. Multifactor authentication adds layers of security to each transaction, providing safety and security to both the credit union and the member.


BACKGROUND

In August of 2001, the Federal Financial Institutions Examination Council (FFIEC) issued authentication guidance for the electronic banking environment. The guidance focused on the risk management controls necessary to authenticate the identity of retail and commercial customers accessing Internet-based financial services. The goal of the guidance was to:

• Specifically address why financial institutions should conduct risk-based assessments.

• Evaluate customer awareness programs.

• Develop security measures to reliably authenticate customers remotely accessing their Internet-based financial services.

The council’s research showed that single-factor authentication, as the sole risk management method, was not sufficient in terms of the risk associated with customer information or the transfer of funds between individuals.

In October 2005, the FFIEC issued updated guidance, Authentication in an Internet Banking Environment, stating that single-factor authentication alone is inadequate for high-risk transactions and that institutions were expected to have multifactor authentication, layered security or other compensating controls in place by the end of 2006. This guidance is commonly described as a two-factor (multifactor) authentication mandate. It builds on the Gramm-Leach-Bliley Act, which requires the regulators to establish appropriate standards for financial institutions relating to administrative, technical, and physical safeguards, quoted in the box that follows.

Financial Institutions Safeguards (Gramm-Leach-Bliley Act, Section 501(b))

…each agency or authority shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards

(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.


Executive Summary

Some organizations have the belief that obtaining two pieces of data from the individual (social security number and mother’s maiden name) constitutes multifactor authentication. But true multifactor authentication consists of at least two disparate pieces being used to verify the individual member. The most common verification methods are something a member is (fingerprint), something a member has (token), and something a member knows (password).

While Europe has been quick to implement the technology, financial institutions in the United States have not. A larger number of Europeans who bank online are already used to the idea of two-factor security.

Multifactor authentication can be done through numerous means. The following comprises a list of some of the methods currently available:

• Shared Secrets
  o Questions that require specific member knowledge (e.g., monthly mortgage payment, name of employer, monthly direct deposit amount).
  o Member-selected images that must be identified or selected from a pool of images.
• Tokens
  o Password-Generating Token
  o USB Device
  o Smart Card
• Biometrics
• Non-Hardware-Based One-Time-Password Matrix Card
• Internet Protocol Address (IPA) Location and Geo-Location

While two-factor authentication may handle basic phishing attacks, the nature of the attacks has evolved. As on-line fraud is a rapidly moving target, finding a single source which will defend against all forms of attack or deception is unrealistic. Criminals now have greater resources, technologies and motivation to conduct online fraud.

With millions of online transactions done each day, there has been wave after wave of new online attacks, and the threats are no longer static. They are extremely adaptive and require organizations and IT departments to not only be on top of the newest threat, but have tools at-the-ready to stop it. While multifactor authentication is one tool to aid in the process, it should not be seen as an online silver bullet.

Key Findings from this Study

In preparing, updating or implementing any electronic security measures, it is important to remember the following key points:

1) Understand how the members are going to utilize the technology and be impacted by the change.


2) Put together a work group comprised of those with diverse backgrounds and/or work assignments (information technology, branches, marketing, lending, etc.) to anticipate any challenges and offer solutions prior to launch.

3) Set specific determinants of what the channel needs—don’t wait for the members to bring the problems to you, fix the problems ahead of the member complaints; and develop a strategy to get support in the right places.


WHAT IS MULTIFACTOR AUTHENTICATION

Some credit unions have fallen into the trap of believing that getting two pieces of data from the individual constitutes multifactor authentication since the member is required to know two things instead of one (e.g., social security number and mother’s maiden name, home telephone number and password, etc.). But this is actually single-factor authentication, something the member knows, offered twice.

True multifactor authentication consists of at least two disparate pieces being used to verify the individual member. The most common verification technologies are:

• Something a member is: identifying information, or biometric identification, such as an iris scan or a fingerprint.
• Something a member has: an access card, a driver's license or a security token.
• Something a member knows: a password or personal identification number (PIN).
• Somewhere a member is: location specifics such as being in a secured facility or accessing the portal from a specific Internet Protocol (IP) address.

While some members may see this as a new or different methodology to accessing their funds, most have actually been using this for decades and never even realized it. ATM access is one of the most prevalent and common uses of multifactor authentication. It takes something a member has (an ATM card) and couples it with something a member knows (the PIN) before access is granted. Either one is useless without the other.

Currently, some financial institutions, domestic and foreign, that use fingerprint recognition and other biometric technologies to authenticate ATM users, are eliminating the need for an ATM card and the expense of replacing lost or stolen cards.


EUROPEAN ADOPTION

United Kingdom

In terms of multifactor authentication adoption, Europe has been ahead of the curve when compared with financial institutions in the United States, having implemented it much earlier this decade. A larger number of Europeans who bank online are used to the idea of two-factor security. In addition to their login ID and password, many European banks require the customer to have a secret code that only he or she and the bank know at any given moment in time.

Identity and Access Management

The 2008 Information Security Breaches Survey (ISBS), conducted for the United Kingdom’s Department for Business, Innovation and Skills (formerly the Department for Business, Enterprise and Regulatory Reform), found that the use of strong (i.e., multifactor) authentication has nearly doubled since 2006, but is still low at 14%. It is most common in the telecoms, technology and professional services sectors, and least common in not-for-profit organizations. Professional services firms tend to use software tokens, while financial services favor smart cards or hardware tokens, and biometrics appear most in the telecoms sector.

The growth in remote access is one of the drivers for greater adoption, but does not explain the whole picture. Only two-fifths of companies that use strong authentication apply it to remote access. Instead, companies appear to implement strong authentication in response to incidents involving unauthorized access, confidentiality breaches or impersonation of customers.

Companies that had at least one such incident in the year are between two and three times as likely to have implemented strong authentication.

A company in the Midlands implemented tokens to make user authentication more secure. Unfortunately, a number of users simply attached a post-it with their user ID and PIN to the back of their tokens, which somewhat defeated the purpose: the “something you have” and the “something you know” were then stolen together.

Techniques Used to Authenticate Users (ISBS)

                                                            ISBS 2006   ISBS 2008   ISBS 2008
                                                            overall     overall     large businesses
Strong (i.e. multifactor) authentication on some systems      8%         14%         53%
User ID and password only                                    86%         76%         46%
No authentication                                             6%         10%          1%


MULTIFACTOR AUTHENTICATION METHODS

Shared Secrets

Shared secrets (something a person knows) are information elements that are known or shared by both the individual and the authenticating entity. Passwords and PINs are the best known shared secret techniques, but some new and different types are now being used as well.

Some additional examples are:

• Questions that require specific member knowledge (e.g. monthly mortgage payment, name of employer, monthly direct deposit amount).

• Member-selected images that must be identified or selected from a pool of images.

Shared secrets are typically set at the time the member enrolls, but can also be set up at a later date. At that time, PINs can be chosen, passwords identified and individual-specific questions selected. In addition, the member can also choose their selected or uploaded images for added security.

As is the case with access to other sensitive information, requiring frequent or periodic changes within each of these methods can provide even greater levels of security. Using the same password(s) repeatedly or having a static answer or design runs the risk of being compromised with each usage and simply with the passage of time. Using combinations or rotating methods may help add yet another layer of security on to the system.

Pros: Personal or individualized information is a good way to keep data or access safe from outsiders or criminals. It puts an added layer between anyone trying to enter or gain admission to private files or financial data. Adding a randomized feature or rotating the questions helps add security, as a criminal may have one piece of the information needed but may be asked for other pieces they do not have. These safeguards require intimate knowledge of the member before fraud can be perpetrated.

Cons: While shared secrets can help keep data or access safe from strangers or other types of thieves, they do not provide protection from fraud by family members or other close relatives. Favorite sports team, first pet, where one was born or a first nickname may be information readily available to those who have basic knowledge of the member, not to mention that many times this data may be available on an individual’s social networking site. Account-specific questions (a payment amount, an employer) are harder to look up, but they are still “something the member knows,” so pairing them with a password is not a second factor.
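Enrollment and verification of shared-secret questions, as an added example (not code from the report or from any credit union): answers are normalized and stored as salted PBKDF2 hashes so a database leak does not expose them, a random subset of questions is asked on each login so a criminal who has learned one answer is likely to be asked for another, and every answer is compared in constant time. The question bank, the iteration count and the sample answers are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

# Constructed question bank for the example. A real enrollment would draw on
# account data (monthly mortgage payment, direct deposit amount, employer)
# rather than generic questions a relative could answer.
QUESTIONS = {
    "q1": "What is your monthly mortgage payment (whole dollars)?",
    "q2": "What is the name of your employer?",
    "q3": "What is your monthly direct deposit amount (whole dollars)?",
    "q4": "In what city did you open your first account with us?",
}

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the example


def normalize(answer: str) -> str:
    """Canonicalize so trivial variations ("Acme Widgets, Inc." vs
    "acme widgets inc", "$1250" vs "1250") still match: Unicode NFKC,
    case-folded, letters and digits only."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in text if ch.isalnum())


def enroll(answers: dict) -> dict:
    """Store each answer as (salt, PBKDF2-HMAC-SHA256 hash); the answers
    themselves are never stored."""
    record = {}
    for qid, answer in answers.items():
        if qid not in QUESTIONS:
            raise ValueError(f"unknown question id {qid!r}")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
        record[qid] = (salt, digest)
    return record


def pick_questions(record: dict, n: int = 2, rng=secrets) -> list:
    """Rotate: ask a random subset of the enrolled questions each time."""
    ids = sorted(record)
    chosen = []
    while len(chosen) < min(n, len(ids)):
        qid = rng.choice(ids)
        if qid not in chosen:
            chosen.append(qid)
    return chosen


def verify(record: dict, responses: dict) -> bool:
    """All asked questions must match. Every answer is hashed and compared in
    constant time without short-circuiting, so response timing does not
    reveal which answer was the wrong one."""
    ok = True
    for qid, given in responses.items():
        if qid not in record:
            return False
        salt, digest = record[qid]
        candidate = hashlib.pbkdf2_hmac("sha256", normalize(given).encode(), salt, ITERATIONS)
        ok &= hmac.compare_digest(candidate, digest)
    return ok and len(responses) > 0


if __name__ == "__main__":
    # Constructed member answers, entered at enrollment.
    stored = enroll({"q1": "$1250", "q2": "Acme Widgets, Inc.", "q3": "3400"})
    asked = pick_questions(stored, 2)
    print("asking:", [QUESTIONS[q] for q in asked])
    # Simulate the member answering with cosmetic differences in formatting.
    sample = {"q1": "1250", "q2": "acme widgets inc", "q3": "3,400"}
    print("accepted:", verify(stored, {q: sample[q] for q in asked}))  # True
```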


Tokens

Tokens (something a person has) are devices provided by the financial institution and are used in conjunction with other methods as part of a multifactor authentication system. While there are many security companies devising various types of tokens, this paper will focus on three of the most prevalent forms: the password-generating, the universal serial bus (USB), and the smart card.

Password-Generating Token

These tokens produce a one-time password (OTP) from a secret seed stored inside the token and a moving factor (a counter or the current time), combined with a keyed cryptographic function. The algorithm itself is usually standardized and public; what an attacker cannot reproduce is the per-token seed. The space of possible codes is large: a five-digit numeric code has 100,000 (10^5) possible values, and a ten-digit code has 10 billion (10^10). (The figures of 30,240 and roughly 3.6 million sometimes quoted count only codes with no repeated digit; real tokens do not exclude repeated digits.)

The authentication server must also reject a code that has already been accepted, so that the same OTP cannot be used twice. To use this type of authentication, the member first enters his or her user name and regular password (first factor), followed by the OTP generated by the token (second factor). The member is authenticated if (1) the regular password matches and (2) the OTP matches the code the authentication server computes for the same seed and time step. A new OTP is typically generated every 60 seconds, in some systems every 30 seconds, and the server normally accepts a code from the adjacent step as well to tolerate clock drift. Password tokens generally last 4 to 5 years (limited by the battery) before they need to be replaced.

Password-generating tokens are secure because of the time-sensitive, synchronized nature of the authentication. The unpredictability and uniqueness of the OTPs substantially reduce the value of codes a thief captures through keystroke logging: a logged code is useless once its time step has passed or it has been used. The caveat is that a code captured and relayed within its validity window, for example by a phishing page that forwards the member’s login to the real site in real time, is still valid; this is the gap that man-in-the-middle phishing exploits.
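The password-generating token described above, as an added example that is not code from the report or from any token vendor: a standard HMAC-based OTP (RFC 4226) driven by the clock (RFC 6238), with the server-side check, a one-step allowance for clock drift, replay protection, and the code-space arithmetic. The seed is the RFC test secret, used here as a constructed demo value; a real token has its own seed. Whether a particular vendor’s token uses exactly this algorithm is an assumption; the structure the text describes (secret seed plus moving factor) is what the code implements.

```python
import hashlib
import hmac
import struct

# Constructed demo seed (the RFC 4226/6238 test secret). In a real deployment
# every token carries its own secret seed, provisioned at manufacture or
# enrollment and shared only with the authentication server.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the counter is the number of `step`-second
    intervals since the Unix epoch, so token and server stay in sync by clock."""
    return hotp(seed, unix_time // step, digits)


class OtpServer:
    """Server-side verifier for one enrolled token.

    Accepts codes from the current time step plus `skew` steps either side to
    tolerate clock drift, and records the highest step already consumed so a
    captured code cannot be replayed once it has been used."""

    def __init__(self, seed: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.seed, self.step, self.digits, self.skew = seed, step, digits, skew
        self.last_counter = -1  # highest step at which a code was accepted

    def verify(self, code: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_counter:
                continue  # replay protection: this step already yielded a login
            expected = hotp(self.seed, c, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = c
                return True
        return False


def code_space(digits: int) -> int:
    """Number of possible codes when digits may repeat (the real OTP space)."""
    return 10 ** digits


def distinct_digit_codes(digits: int) -> int:
    """Number of codes with no repeated digit (10 permute `digits`); this is the
    smaller figure the text quotes, but tokens do not exclude repeated digits."""
    n = 1
    for i in range(digits):
        n *= 10 - i
    return n


if __name__ == "__main__":
    server = OtpServer(DEMO_SEED)
    t = 59                                   # constructed timestamp: time step 1
    code = totp(DEMO_SEED, t)
    print("token shows", code)
    print("first use accepted:", server.verify(code, t))   # True
    print("replay rejected:", server.verify(code, t))      # False
    # Caveat: a server that has not yet seen the code accepts it if an attacker
    # relays it within the validity window (30 s steps, one step of skew here).
    print("relayed within window:", OtpServer(DEMO_SEED).verify(code, t + 25))  # True
    print("5-digit code space:", code_space(5), "vs no-repeat count:", distinct_digit_codes(5))
```

The `last_counter` check is the server’s job, not the token’s: the token cannot know whether a code was already submitted. A vendor’s 60-second tokens correspond to `step=60`.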

Pros: This added layer of security means that even if a member accidentally gives up their information in a phishing, smishing, or vishing scheme, without the token’s password also, the information is less functional. The lifespan of the password is very short and can only be used immediately.

Cons: Tokens are more expensive than cards to replace at this juncture. Members may or may not feel the added line of security has benefits which outweigh the inconvenience of inputting more information or carrying the device. Loss of the token may prevent the member from being able to access their own information or account.


USB Device

By now, most members are familiar with portable USB devices, which are generally used to store files or data. Now, these devices can also be used as a security feature to allow access to sensitive information or data locations. Just like the USB drives used in data storage, a USB token is a simple component with which members would be familiar. Because the device plugs into the USB port, it would not require any special hardware and could be used on virtually any current computer.

As a security piece, once the token is plugged in and recognized (first factor, something the member has), the member then types in their PIN, password or other identification feature (second factor) to gain access to their account(s). A private key stored inside the device, which the device uses to sign a challenge but never exports, together with a digital certificate that identifies that key, makes the token very difficult to duplicate or modify.

Amazon Turns to Multifactor Authentication for Web Services. Amazon has increased the security of its Amazon Web Services (AWS) products by offering a multifactor authentication option to its customers. AWS Multi-Factor Authentication (AWS MFA) is an additional layer of security that offers enhanced control over a customer’s AWS account settings. It is an opt-in account feature that requires a valid six-digit, single-use code from an authentication device in addition to the standard AWS account credentials before access is granted.

AWS MFA uses an authentication device that continually generates single-use six-digit codes specific to that device. Once AWS MFA is enabled, secure pages on the AWS Portal or AWS Management Console only allow access after the correct Amazon e-mail address and password and the current code from the authentication device are provided. This offers greater protection for any AWS account, including another layer of protection for sensitive information such as AWS access identifiers and for critical actions such as changing AWS infrastructure services. The additional protection also covers other AWS resources, such as Amazon Elastic Compute Cloud instances or Amazon CloudFront distributions.

Pros: USB devices are very durable and very cost effective to replace compared to plastic cards. They are a widely known and adopted device with which members are already familiar. The USB keys are simple to operate and can be used on almost any computer.

Cons: They are one more thing a person must carry with them to gain remote access to their account. If the member wants to do mobile banking on their phone or personal digital assistant (PDA), they would be unable to without a connection allowing USB access.

Smart Card

Smart cards are gaining more and more acceptance as companies turn to them for things such as entrance into secure facilities, payment vehicles and other identification purposes. The smart card is basically a plastic card (the size of an ATM or credit card) with a chip inside containing data pertinent to the individual owner (e.g., a serial number, the carrier’s personal information, an employee ID, etc.). Once the chip is recognized by a reader (one factor of authentication), the member would then be asked for a second form of identification (e.g., PIN, biometric read, etc.) to gain access. Since most members are already comfortable carrying various cards in their wallet or purse, this technology is something they are already familiar with and utilizing. Similar to the USB device, these cards allow for a high level of security: the keys held on the chip cannot be read out, so the card is difficult to duplicate.

Pros: Smart cards are very difficult to modify, duplicate or tamper with. Having similar dimensions to a credit card, member acceptance would most likely be higher as members are fairly familiar with the technology already. In addition, contactless smart cards are very easy to use as they simply require the member to wave them by or place them close to the reader.

Cons: A primary disadvantage is that they do require additional hardware (such as a reader) and software (drivers, etc.) to be installed on the member’s personal computer. Also, if a member is using a computer other than their home computer, they would likely be unable to use this authentication method. Replacement costs for the cards are currently higher as well, given the chip (and, for contactless cards, the Radio Frequency Identification (RFID) antenna) embedded in the molding.

Biometrics

Once primarily the stuff of science fiction movies and literature, biometric technologies are now fairly widespread in their use and acceptance. They authenticate one’s identity based on physiological or behavioral characteristics. Physiological characteristics such as fingerprints, retinal patterns, facial structure or voiceprint patterns are the most common, with fingerprint recognition the most frequently used. Behavioral characteristics include handwriting patterns or keystroke rate and flow. Each is distinctive to an individual, but a biometric match is a probabilistic comparison against an enrolled sample rather than an exact test, so every system has a false-accept rate and a false-reject rate that must be tuned against each other.

Biometric authentication systems require the user be “enrolled” in the program, meaning, a sample of the characteristic must be obtained prior to the usage. Once enrolled, the member would then simply address the biometric reader and their results are compared with those previously recorded. If the results match, then the member has passed that authentication feature and the second form would then be administered (unless the biometric form is the second method, then the member would be granted access). If the results do not match, access would be denied.

While fingerprint recognition is currently the most commonly used form of biometric recognition, there is an ever growing list of methods to choose from. These include facial recognition, voice-print recognition, keystroke recognition (the pace and rhythm with which a person types can be distinctive), handwriting recognition, finger and hand geometry, retinal scan, and iris scan.

Pros: Biometric analysis is very difficult to duplicate or fool. It also requires that the individual be present in order to complete the scan. Biometrics are extremely difficult to steal, unlike cards or other devices

Cons: Unless all institutions had similar authentication methods, and access to each other’s databases, users would be limited to only performing transactions within their own institution’s channels (i.e., if a member whose credit union uses biometric authentication approaches a machine from another institution which does not, the member may not have the proper tools, such as an ATM card and PIN, to access their account). Credit unions would have a significant initial financial outlay to change from their current technology (ATM cards, etc.) to biometric machines. Members may be hesitant to allow the credit union to record biometric data. And unlike a password or a card, a compromised biometric cannot be reissued; fingerprints in particular are left on every surface a person touches, so the stored templates must be protected and the reader must resist replay and spoofing.


Non-Hardware-Based One-Time-Password Matrix Card

Scratch cards are considered to be less-expensive, very low-tech versions of the OTP generating tokens mentioned previously. The card, which is similar to a bingo card or lotto card, contains numbers and letters arranged in a grid format (the size of the card will determine how many cells are in each grid).

To utilize the card, the member would first enter in their user name and password on the website as they currently do. Then, the second authentication factor would be entering the randomly chosen characters in the grid requested. The member would simply input the data contained in the cell which corresponds with the requested information.

Pros: Cards are more durable than hardware-style tokens and can easily be stored in a wallet or purse. The randomization makes it very difficult to duplicate as each member would have a unique card. Little if any training is required for use. Replacement costs are low and a new card can be issued onsite in the branch.

Cons: A lost card could delay access to the online account, for example in a late-night setting or on a weekend or holiday when the branch or telephone center is closed. It requires members to input more information into the system (more steps can be cumbersome). Members with reading disorders (dyslexia, etc.) would be at a disadvantage. Also, each cell’s value is fixed for the life of the card, so a phishing page or an onlooker that collects the cells asked for in enough logins gradually learns the card; the server should spread challenges across cells it has not yet asked for and reissue the card before most of it has been exposed.
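The matrix card challenge described above, as an added example that is not the report’s code: card generation, the random-cell challenge issued after the password step, response checking, and tracking of how much of the card has been exposed so it can be reissued in time. The 5x8 grid, two characters per cell, three cells per challenge and the 50% reissue threshold are assumed values chosen for the example, not taken from the report.

```python
import hmac
import secrets
import string

ROWS = "ABCDE"
COLS = range(1, 9)
# Characters that are hard to confuse visually (no 0/O, 1/I/L), which matters
# for a member who must read the cell off a printed card.
ALPHABET = "".join(c for c in string.ascii_uppercase + string.digits if c not in "0O1IL")


def make_card(rng=secrets) -> dict:
    """Generate one member's card: 40 cells (rows A-E, columns 1-8), each
    holding two characters drawn with a cryptographic RNG."""
    return {f"{r}{c}": rng.choice(ALPHABET) + rng.choice(ALPHABET) for r in ROWS for c in COLS}


def format_card(card: dict) -> str:
    """Render the grid as the member would see it printed."""
    lines = ["   " + " ".join(f"{c:>2}" for c in COLS)]
    for r in ROWS:
        lines.append(f"{r}  " + " ".join(card[f"{r}{c}"] for c in COLS))
    return "\n".join(lines)


class MatrixCardServer:
    """Server side for one member's card: issues random-cell challenges,
    verifies responses, and tracks how much of the card has been exposed."""

    def __init__(self, card: dict, cells_per_challenge: int = 3, rng=secrets):
        self.card = card
        self.n = cells_per_challenge
        self.rng = rng
        self.exposed = set()   # cells already asked for, and thus possibly observed
        self.pending = None    # challenge issued and awaiting a response

    def issue_challenge(self) -> list:
        """Prefer cells never asked for, so an observer learns the card as
        slowly as possible; fall back to the whole card once they run out."""
        unexposed = sorted(set(self.card) - self.exposed)
        pool = unexposed if len(unexposed) >= self.n else sorted(self.card)
        chosen = []
        while len(chosen) < self.n:
            cell = self.rng.choice(pool)
            if cell not in chosen:
                chosen.append(cell)
        self.pending = chosen
        return chosen

    def check_response(self, response: str) -> bool:
        """One attempt per challenge; the asked cells count as exposed whether
        or not the answer was right."""
        if self.pending is None:
            return False
        expected = "".join(self.card[c] for c in self.pending)
        given = response.replace(" ", "").replace("-", "").upper()
        self.exposed.update(self.pending)
        self.pending = None
        return hmac.compare_digest(expected.encode(), given.encode())

    def exposure(self) -> float:
        return len(self.exposed) / len(self.card)

    def needs_reissue(self, threshold: float = 0.5) -> bool:
        return self.exposure() >= threshold


if __name__ == "__main__":
    card = make_card()               # constructed card for one member
    print(format_card(card))
    server = MatrixCardServer(card)
    asked = server.issue_challenge()
    print("enter cells", asked)
    answer = " ".join(card[c] for c in asked)   # the member reads them off the card
    print("accepted:", server.check_response(answer))            # True
    print("exposed so far:", f"{server.exposure():.0%}", "reissue:", server.needs_reissue())
```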


VeriSign Case Study: Addison Avenue Federal Credit Union

A case study conducted by VeriSign, Inc., a provider of Internet infrastructure services based in Mountain View, CA, provides a look at an alternative authentication methodology utilized by Addison Avenue Federal Credit Union, in Palo Alto, CA, with assets of $2.3 billion (the following is drawn from the full VeriSign case study):

Addison Avenue’s mantra is: Security, convenience and simplicity. Addison Avenue wanted to implement a non-intrusive, enhanced user-authentication mechanism with at least one layer of coverage to be provided to all Online Banking users by December 31, 2006. “We decided the implementation of this authentication methodology should be passive. That is, it should not require members to enroll before deploying the solution,” noted Blanca Guerrero, Addison Avenue’s director, web solutions group, “In addition, members should not need to obtain any sort of physical device, or download anything to their computers. We wanted them to gain the advantage of enhanced security in their online transactions without a reduction in convenience.” “We liked the lack of disruption to the users; they didn’t have to register up-front,” reflected Sri Balaji, Addison Avenue’s web solutions security architect. “We found the self-learning engine very impressive because we were able to load historical data from our members’ interactions with their accounts and it was able to immediately start tracking patterns of behavior. This was a huge benefit when we later went live because we weren’t starting from scratch: The system already knew the ways in which users would typically access their accounts.”

Since the initial rollout, Addison Avenue has continued to enhance its online security while still allowing members to select the type of security most convenient for them. Members choose from three authentication methods: a token (which carries a small, one-time fee), a card (also with a one-time fee), or a downloadable application (free for the iPhone or BlackBerry). The phone application has seen the largest adoption rate as "phones are now as ubiquitous as wallets," said Balaji.

In addition to the token or application, Addison Avenue's authentication system lets the credit union attach rules to transactions, such as requiring a second authentication method for wires above a dollar threshold (step-up authentication), adding layers of security to its electronic transactions where the risk is highest. This scalability has helped the credit union deploy the new security measures on an as-needed basis, and has allowed members to get accustomed to them at their own rate and comfort level, increasing acceptance.

While there is no one-size-fits-all security feature, having the added layers helps Addison Avenue make themselves a much harder target for online fraud. Balaji summed it up by saying, “When you are running from the lion (online attacks), you don’t want to be the slowest in the herd.”


Internet Protocol Address (IPA) Location and Geo-Location

IPA

An Internet Protocol Address (IPA) is one way to identify a user or member: every connection to an online banking site arrives from a source address, and that address can be mapped to an approximate location. Note that the address identifies the network endpoint the connection comes from, which is often a home router, an employer's gateway or an ISP proxy shared by many people, rather than the member's individual computer. While this sounds like an ideal way of identifying a member, it comes with three large caveats:

1) Even though some IPAs are assigned permanently (static addresses) and do not change, most consumer addresses are not. They are assigned dynamically by the ISP and can change when a connection is reset, and mobile and shared networks change them frequently. An address that was the member's last week may belong to someone else today.

2) IPAs can be "spoofed" in the sense that the source address on individual packets can be forged, but a forged address cannot complete the two-way exchange an online banking session requires. The practical problem is different: an attacker can route the session through a proxy, VPN or compromised computer located near the member, so the address looks legitimate even though the person is somewhere else entirely.

3) There is no single source for associating an IPA with its current owner. Registry (WHOIS) records and commercial geo-location databases identify the ISP or organization holding a block of addresses, not the individual subscriber, so pairing an address with a member relies on the institution's own record of which addresses that member has used before.

Geo-Location

Geo-location technology is another way of attempting to verify a user based on where they are and, in some cases, where they are not. Commercial geo-location services mostly rely on databases that map address blocks to a city or region; some supplement this with network measurements, analyzing the time it takes for packets of data to travel between the source and the server. Because a signal cannot travel faster than the speed of light (and in practice moves at roughly two-thirds of that speed through fiber), the round-trip time puts an upper bound on how far away the source can be. For example, a California credit union member logging in at their local residence would exchange data with a California server noticeably faster than if they were logged in on the East Coast or from another country. Two caveats apply: routing detours and queuing add delay, so timing yields a loose bound rather than a precise location, and a member who legitimately uses a VPN or a corporate network can appear to be far from home. If the system determines that the information being sent or received is not within the reasonable range for that member, access could be denied or other identification information could be required before account data is shown or transactions processed.
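The following is an added example, not code from the ARI report or from any vendor named in it, showing how the two signals just described, the source address and its approximate location, are combined in a login risk check of the kind a risk-based engine performs. Everything in it is constructed: GEO_DB stands in for a commercial IP-to-location database, SAMPLE_HISTORY is made-up login history for one member, MAX_PLAUSIBLE_SPEED_KMH is a policy threshold chosen for the example, and assess() is the illustrative decision function. It compares on the /24 block rather than the exact address (caveat 1 above) and computes an "impossible travel" distance against the member's previous login rather than trusting the address on its own (caveats 2 and 3).

```python
"""
Added example (not from the ARI report): a login risk check combining the
source IP address with its approximate location. All data is constructed.
"""
from __future__ import annotations

import ipaddress
import math
from dataclasses import dataclass
from datetime import datetime

# Constructed stand-in for an IP-to-location database, keyed by /24 block.
# Real databases resolve to the ISP's registered city, not the subscriber.
GEO_DB = {
    "198.51.100.0/24": ("Sacramento, CA", 38.58, -121.49),
    "203.0.113.0/24": ("New York, NY", 40.71, -74.01),
    "192.0.2.0/24": ("Frankfurt, DE", 50.11, 8.68),
}

# Policy threshold (assumption): faster than an airliner counts as impossible travel.
MAX_PLAUSIBLE_SPEED_KMH = 900.0


@dataclass(frozen=True)
class Login:
    member: str
    ip: str
    when: datetime


def lookup(ip: str):
    """Map an address to (label, lat, lon), or None if it is not in GEO_DB."""
    addr = ipaddress.ip_address(ip)
    for block, loc in GEO_DB.items():
        if addr in ipaddress.ip_network(block):
            return loc
    return None


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points on Earth, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def assess(attempt: Login, history: list[Login]) -> tuple[str, list[str]]:
    """Return ('allow' | 'step_up' | 'deny', reasons) for one login attempt."""
    reasons: list[str] = []
    loc = lookup(attempt.ip)
    if loc is None:
        # Unknown network (VPN exit, private range, new ISP block): ask for more proof.
        return "step_up", ["ip_unmapped"]

    prior = [h for h in history if h.member == attempt.member and h.when < attempt.when]

    # Signal 1: has the member used this network before? Dynamic addresses move
    # within an ISP pool, so compare on the /24 block rather than the exact address.
    block = ipaddress.ip_network(f"{attempt.ip}/24", strict=False)
    if not any(ipaddress.ip_address(h.ip) in block for h in prior):
        reasons.append("new_network")

    # Signal 2: impossible travel relative to the most recent prior login.
    if prior:
        last = max(prior, key=lambda h: h.when)
        last_loc = lookup(last.ip)
        if last_loc is not None:
            km = haversine_km(loc[1], loc[2], last_loc[1], last_loc[2])
            hours = max((attempt.when - last.when).total_seconds() / 3600.0, 1 / 60)
            if km / hours > MAX_PLAUSIBLE_SPEED_KMH:
                reasons.append("impossible_travel")
                return "deny", reasons

    return ("step_up" if reasons else "allow"), reasons


# Constructed history: one member who normally logs in from home in Sacramento.
SAMPLE_HISTORY = [
    Login("m-1001", "198.51.100.23", datetime(2009, 10, 1, 8, 0)),
    Login("m-1001", "198.51.100.41", datetime(2009, 10, 1, 8, 30)),
]

# Constructed attempts to evaluate against that history.
SAMPLE_ATTEMPTS = {
    "home_network_later": Login("m-1001", "198.51.100.77", datetime(2009, 10, 1, 20, 0)),
    "new_york_one_hour": Login("m-1001", "203.0.113.5", datetime(2009, 10, 1, 9, 30)),
    "new_york_two_days": Login("m-1001", "203.0.113.5", datetime(2009, 10, 3, 9, 30)),
    "unmapped_address": Login("m-1001", "10.0.0.5", datetime(2009, 10, 1, 9, 0)),
}


def run_demo() -> dict[str, str]:
    """Decision for each constructed attempt."""
    return {name: assess(a, SAMPLE_HISTORY)[0] for name, a in SAMPLE_ATTEMPTS.items()}


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:20s} -> {decision}")
```

The "deny" branch fires only when the distance from the previous login could not have been covered in the elapsed time; a new network on its own produces a step-up challenge rather than a refusal, which is the trade-off between security and convenience the case study above describes. A member behind a VPN would land in the "ip_unmapped" or "new_network" branch, which is why the check should feed a second factor rather than replace one.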


Limitations of Two-Factor Authentication

While two-factor authentication may handle basic phishing attacks, in which a harvested password is replayed later and the one-time code has long since expired, the nature of the attacks has evolved. In an article on the subject, security expert Bruce Schneier says two-factor authentication simply won't defend against phishing.

Schneier describes the criminals' new toolbox—featuring Trojan attacks and Man-in-the-Middle attacks. He concludes:

"I predict that banks and other financial institutions will spend millions outfitting their users with two-factor authentication tokens. Early adopters of this technology may very well experience a significant drop in fraud for a while as attackers move to easier targets, but in the end there will be a negligible drop in the amount of fraud and identity theft."

As online fraud is a rapidly moving target, finding a single product which will defend against all forms of attack or deception is unrealistic. Criminals now have greater resources, technology and motivation to conduct online fraud, and with millions of online transactions completed each day, new attacks arrive in waves. The threats are no longer static; they are adaptive, and they require organizations and IT departments not only to stay on top of the newest threat but to have tools at the ready to stop it. Multifactor authentication is one tool in that process, not an online silver bullet.

Symantec, a global provider of security, storage and systems management solutions based in Cupertino, California, questions whether hardware tokens are an effective tool in fighting phishing. Someone could set up a site which impersonates the customer's bank, inducing the person to enter their password and the current token value into the fake site. Because a one-time code stays valid for a short window (typically 30 to 60 seconds for a time-based token), that information can be used immediately by the phisher to log in to the real site. Since most portals do not limit the number of concurrent sessions for one account, the customer could actually be logged in simultaneously with the phisher and watch their money disappear before their eyes. Limiting each account to one active session, and alerting the member when a second login is attempted, closes the second half of that scenario but not the first.
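The following is an added example, not code from the ARI report, Schneier or Symantec, that plays out the relay attack just described and then the countermeasure the Addison Avenue section points to for large wires: a one-time code that is bound to the transaction details, so a code the member computed for one transfer verifies only for that transfer. The shared secret, member and attacker names, amounts and the simplified HOTP-style code format are all constructed for the example and do not describe any vendor's token; Token, Bank and demo() are illustrative names.

```python
"""
Added example (not from the ARI report or the vendors it cites): a relayable
login OTP versus a transaction-bound OTP under a phishing / man-in-the-middle
relay. Secrets, names and amounts are constructed.
"""
import hashlib
import hmac


def _six_digits(mac: bytes) -> str:
    """Truncate a MAC to a six-digit code (simplified HOTP-style truncation)."""
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"


def login_otp(secret: bytes, counter: int) -> str:
    """Keyfob-style code: depends only on the shared secret and a counter, so
    whoever holds a fresh code can use it, wherever they obtained it."""
    return _six_digits(hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def wire_otp(secret: bytes, counter: int, payee: str, amount_cents: int) -> str:
    """Transaction-bound code: payee and amount are MACed together with the
    counter, so the code verifies only for exactly those details."""
    msg = counter.to_bytes(8, "big") + payee.encode("utf-8") + b"\x00" + amount_cents.to_bytes(8, "big")
    return _six_digits(hmac.new(secret, msg, hashlib.sha256).digest())


class Token:
    """The member's device; shares the secret and counter with the bank."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def login_code(self) -> str:
        code = login_otp(self.secret, self.counter)
        self.counter += 1
        return code

    def sign_wire(self, payee: str, amount_cents: int) -> str:
        # The member keys in the payee and amount they intend to send. The
        # details must come from the member (or the token's own display), not
        # from the web page, or a man-in-the-middle could substitute its own.
        code = wire_otp(self.secret, self.counter, payee, amount_cents)
        self.counter += 1
        return code


class Bank:
    """Server side: verifies codes against the details it would execute."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def accept_login(self, code: str) -> bool:
        ok = hmac.compare_digest(login_otp(self.secret, self.counter), code)
        if ok:
            self.counter += 1
        return ok

    def accept_wire(self, payee: str, amount_cents: int, code: str) -> bool:
        ok = hmac.compare_digest(wire_otp(self.secret, self.counter, payee, amount_cents), code)
        if ok:
            self.counter += 1
        return ok


def demo() -> dict:
    """Three exchanges: relayed login, altered wire, intended wire."""
    secret = b"constructed-shared-secret-for-example"  # provisioned to the token
    bank, token = Bank(secret), Token(secret)
    out = {}

    # 1. Phishing relay: the member types a login code into a look-alike site
    #    and the attacker forwards it to the real bank within seconds. Nothing
    #    in the code ties it to the member's browser, so the bank accepts it.
    stolen = token.login_code()
    out["relayed_login_accepted"] = bank.accept_login(stolen)

    # 2. Man-in-the-middle on a wire: the fake page shows "pay Alice $100.00",
    #    the member signs exactly that on the token, and the attacker submits a
    #    different payee and amount along with the captured code.
    captured = token.sign_wire("Alice", 10_000)
    out["altered_wire_accepted"] = bank.accept_wire("Mallory", 500_000, captured)

    # 3. The same captured code is accepted for the transfer the member meant.
    out["intended_wire_accepted"] = bank.accept_wire("Alice", 10_000, captured)
    return out


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:24s} {accepted}")
```

The first exchange is Schneier's point in miniature: a code that proves only "I hold the token" can be forwarded by anyone who obtains it in time. The second and third show what the wire-threshold rule buys when the code covers the payee and amount: the attacker's altered transfer fails even though the code is genuine and fresh. The protection depends on the member entering (or seeing on the token) the real details, which is why this approach is usually reserved for high-value transactions rather than every login.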


CONCLUSION

Adoption of stronger multifactor authentication methods and techniques is on the rise with credit unions, but has yet to be implemented on a wide-scale basis. Multifactor authentication is a significant step in addressing one of the biggest security weaknesses in the corporate environment: password safety. In addition to the FFIEC guidance that single-factor authentication is inadequate for high-risk transactions, multifactor authentication is becoming more and more of a necessity as fraud and identity theft continue to increase.

With individual credit union memberships reaching tens of thousands of members living in disparate states and countries, accurately identifying members prior to offering sensitive data or allowing account access is becoming more difficult. While the Internet has allowed credit unions to move their services well beyond their geographic locations, it has given fraud and identity theft the same opportunity.

As credit unions move towards more secure online interactions, it is important not to forget to extend this risk assessment to all electronic channels, and prepare pertinent solutions for each. While one universal security measure would be ideal, and most cost-effective, the reality is that variations in the channel may require different levels and methods of security.

In preparing, updating or implementing any electronic security measures, it is important to remember the following key points:

1) Understand how the members are going to utilize the technology and be impacted by the change;

2) Bring together a group with diverse backgrounds and/or work assignments (information technology, branches, marketing, lending, etc.) to anticipate any challenges and offer solutions prior to launch;

3) Set specific requirements for what each channel needs. Don't wait for the members to bring the problems to you; fix them ahead of member complaints, and develop a strategy to get support in the right places.


RESOURCES

2008 Information Security Breaches Survey, Department for Business Enterprise & Regulatory Reform (BERR), April 2008.

"Addison Avenue Federal Credit Union," VeriSign Case Study 00026130, August 7, 2008.

"Alpha Bank," VeriSign Case Study 00026095, May 9, 2008.

Authentication in an Electronic Banking Environment, Federal Financial Institutions Examination Council (FFIEC), August 8, 2001.

FFIEC Information Technology Examination Handbook, Federal Financial Institutions Examination Council (FFIEC), December 2002.

Fuller, Jing, "Multi-Factor Authentication: An Authentication System based on Jury Framework," Technical University of Denmark, 2009.

"Logical Access Security: The Role of Smart Cards in Strong Authentication Security," Smart Card Alliance, October 2004.

"Proximity Mobile Payments: Leveraging NFC and the Contactless Financial Payments Infrastructure," Smart Card Alliance Contactless Payments Council White Paper, September 2007.

"Security of Proximity Mobile Payments," Smart Card Alliance Contactless and Mobile Payments Council White Paper, May 2009.

"Supporting Multi-Factor Authentication Using Speaker Verification and Speech Recognition," Nuance Communications, 2007.

Updated: Authentication in an Electronic Banking Environment, Federal Financial Institutions Examination Council (FFIEC), 2005.
