Authentication in the Internet Banking Environment: Introduction to FFIEC Compliance
In October of 2005, the Federal Financial Institutions Examination Council (FFIEC) issued a guidance entitled “Authentication in an Internet Banking Environment” in response to increasingly sophisticated electronic attacks that compromise personal identity information and erode customer confidence in online banking security. The goal of the FFIEC guidance was to improve security for online banking transactions, due to the consensus view that simple username/password authentication was not sufficient for today’s online banking environment.
With several years of experience and analysis under their belts, and the continued growth of online fraud, in June of 2011, the FFIEC circulated a Supplement update to this guidance, entitled “Interagency Supplement to Authentication in an Internet Banking Environment”. This paper will review the original guidance and how CA Technologies exceeds the requirements outlined in the new Supplement document.
Key Requirements of FFIEC
The Original Guidance
The FFIEC came to recognize that with the rise in volume of online banking transactions, single-factor authentication techniques were simply not adequate security anymore. With this situation in mind, the original Guidance included three important recommendations.
1. Strong Authentication
A common misperception about the original regulation is that it requires specific two-factor authentication technologies to be implemented for online banking. In fact, it only requires authentication methods that are “appropriate and reasonable”, from a business point of view, for the reasonably foreseeable risks associated with a given online banking transaction. Since the minimum standard for effective and appropriate authentication may change over time as technology advances, this requirement implies that an ongoing process for reviewing authentication strategies needs to be in place.
2. Risk Assessment
Each bank should perform a detailed risk analysis of its entire online banking environment, covering all factors and activities involved in every supported customer transaction, including:
• Types of customers
• Sensitivity of all private customer information
• Typical transaction types and the expected size of each transaction
• Expected transaction rates
• The potential for loss for each transaction type
3. Customer Awareness
The final area of the Guidance relates to education and training programs intended to increase customer awareness of the risks and potential threats associated with online banking transactions. Although the Guidance is unspecific about how this awareness effort should be done, it suggests the importance of tracking security-related information such as the number of unauthorized attempts to obtain authentication information, the size of identity-theft related losses, and other such events. See ffiec.gov/pdf/authentication_guidance.pdf
Requirements in the FFIEC Supplement
The Supplement to the original Guidance called for improving security for online transactions in several areas:
• Improved risk assessments
• Increased use of multi-factor authentication, especially for high-risk transactions
• Layered security controls to detect and respond to suspicious activity, including increased control over administrative functions
• More effective authentication techniques (for example, device identification)
• Improved customer awareness and education
The supplement calls for an overall strengthening of authentication technologies. It notes that out-of-band authentication has taken on a new level of importance given the preponderance of malware running on customer PCs, which can defeat OTP tokens, simple device identification with cookies or basic knowledge-based questions.
These additional mandates are based on the increasing sophistication and organization of financial attacks, as well as the continued increase in the volume and size of financial transactions being conducted online.
The solution for FFIEC compliance from CA Technologies
CA Technologies has built a flexible set of authentication solutions to support a layered, risk
The CA Technologies solution for Advanced Authentication includes the following:
• CA AuthMinder™ – provides flexible and broad capabilities for strong user authentication.
• CA RiskMinder™ – provides real-time protection against identity theft and online fraud via risk-based, adaptive authentication.
• CA ArcotID® – a secure software credential that combines strong key protection with the low cost and simplicity of a software solution, providing strong, two-factor authentication. No hardware tokens are necessary. You are able to add strong authentication to any application without changing your user’s login process. The CA ArcotID delivers the strength of PKI with the simplicity of a password, making it ideal for both enterprise and consumer uses.
• CA ArcotID® OTP – a software application that runs on a mobile phone and generates a one-time password that is used to authenticate to online applications and to verify valid credentials for online purchases.
CA AuthMinder and CA RiskMinder, when deployed together, provide the strong, layered security that is the foundation of effective FFIEC compliance.
When planning an FFIEC compliance effort, there are at least three critical areas that need to be considered:
• Strong, two-factor authentication (2FA) capabilities
• Risk-based fraud detection and prevention capabilities
• Fine-grained control of privileged users
Strong Authentication
FFIEC compliance does not require a specific authentication technology for all cases. Rather, it requires authentication that is appropriate for the risk level of a given transaction profile. Therefore, depending on each organization’s needs, different authentication methodologies might be chosen.
When selecting authentication methods for a particular transaction, these factors are important:
• Ease of use for the customer
• Ease of IT administration
• Relative level of security offered by each authentication method
• Total cost to purchase
• Total cost to deploy
CA AuthMinder can provide the following business benefits to an organization:
• Deploy multi-factor authentication invisibly: Your users never have to know that you upgraded them to multi-factor authentication, unless you want them to. They can keep the same username/password sign-on experience to which they have become accustomed. The solution invisibly protects and verifies their identity without burdensome additional login steps.
• Lower cost of ownership: CA AuthMinder’s authentication server allows you to authenticate users with a wide range of authentication methods. It can help you manage your authentication environment more efficiently by creating a central point for authentication policy creation and enforcement. If you use the CA ArcotID or CA ArcotID OTP software-only approach, there is no hardware to lose, fail, or break. It provides a low-cost, easy-to-distribute second-factor authentication method that hardware-based alternatives cannot match. The simplicity and transparency of this approach helps reduce both management and support costs.
• Reduce risk: CA AuthMinder centralizes the management and execution of strong authentication. It authenticates users via a wide range of methods, giving you the flexibility to choose the authentication methods that best suit your user groups. It also helps you manage competing compliance demands by creating a central point for authentication enforcement. When CA ArcotID is used as the second factor, it helps protect the digital identities of your users behind proven, patented cryptographic technology.
• Block Man-in-the-Middle (MITM): CA AuthMinder, when used with CA ArcotID, helps prevent MITM attacks. CA ArcotID authenticates only with the domain that issued it, helping protect your users from phishers and pharmers where OTP tokens and grid pads cannot.
• Achieve high performance: To meet the rigorous security, availability, and data integrity demands of the financial services industry, CA AuthMinder was designed from the start to provide industry-leading security and performance. To provide authentication services to millions of users, it was designed with virtually unlimited horizontal scalability, with a goal of unparalleled ease of use and extremely low latency.
• Enjoy virtually unlimited scalability: CA AuthMinder provides excellent vertical scalability through increasing memory, disk, and processors. It achieves full-featured horizontal scalability with additional local or remote servers. Horizontal scalability provides performance gains as well as high-availability features for critical deployments.
Risk Assessment: Fraud Detection and Prevention
suspicious activity for consumer and enterprise online services without burdening intended users. It is a robust, multi-channel risk assessment and fraud detection solution that transparently helps you detect and prevent fraud before losses occur. You can create an adaptive risk analysis process that assesses the fraud potential of every online login and transaction based on level of risk, user and device profiles, and organizational policies. As a result of the real-time, calculated risk score, users can be allowed to continue, be required to provide additional authentication credentials, or be denied access.
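As an added illustration of the adaptive risk-analysis flow described above (score each login or transaction from device, location and historical profile, then allow, step up or deny), here is a small rules engine. It is example code, not CA RiskMinder; the rule weights, thresholds, block list and sample events are all constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical policy: weights and thresholds are constructed for this example.
STEP_UP_THRESHOLD = 40   # score at or above this requires additional credentials
DENY_THRESHOLD = 80      # score at or above this denies access
BLOCKED_IPS = {"203.0.113.7"}  # constructed entry (TEST-NET-3 range)

@dataclass
class UserProfile:
    known_devices: set       # device identifiers seen before for this user
    usual_countries: set     # countries the user normally transacts from
    avg_transfer: float      # historical average transfer amount
    last_country: str        # country of the previous event
    last_seen_ts: float      # timestamp (seconds) of the previous event

@dataclass
class Event:
    user: str
    device_id: str
    country: str
    ip: str
    amount: float
    ts: float

def score_event(ev, profile):
    """Apply built-in rules; return (score, reasons). Higher is riskier."""
    score, reasons = 0, []
    if ev.ip in BLOCKED_IPS:                      # IP blocking layer
        score += 100; reasons.append("ip_blocked")
    if ev.device_id not in profile.known_devices: # device identification
        score += 30; reasons.append("unknown_device")
    if ev.country not in profile.usual_countries: # location profile
        score += 25; reasons.append("unusual_country")
    # Impossible travel: a different country within one hour of the last event
    if ev.country != profile.last_country and ev.ts - profile.last_seen_ts < 3600:
        score += 40; reasons.append("impossible_travel")
    if profile.avg_transfer and ev.amount > 5 * profile.avg_transfer:
        score += 30; reasons.append("amount_outlier")   # transaction profile
    return score, reasons

def decide(score):
    """Map the real-time score to the three outcomes the text describes."""
    if score >= DENY_THRESHOLD:
        return "DENY"
    if score >= STEP_UP_THRESHOLD:
        return "STEP_UP"
    return "ALLOW"

def evaluate(ev, profile):
    score, reasons = score_event(ev, profile)
    return decide(score), score, reasons

# Constructed sample profile and events for one user.
PROFILE = UserProfile({"dev-A"}, {"US"}, 200.0, "US", 1000.0)
EVENTS = [
    Event("alice", "dev-A", "US", "198.51.100.5", 150.0, 5000.0),   # routine
    Event("alice", "dev-B", "US", "198.51.100.9", 1500.0, 6000.0),  # new device, large amount
    Event("alice", "dev-A", "DE", "203.0.113.7", 100.0, 1500.0),    # blocked IP, impossible travel
]

def run_demo():
    return [evaluate(ev, PROFILE) for ev in EVENTS]

if __name__ == "__main__":
    for ev, (decision, score, reasons) in zip(EVENTS, run_demo()):
        print(f"{ev.user} {ev.device_id} {ev.country}: {decision} (score {score}, {reasons})")
```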
CA RiskMinder can provide the following business benefits:
• Reduce losses due to fraud: CA RiskMinder helps prevent fraud losses by blocking high-risk transactions before they complete, or by requiring additional authentication for unusual or suspicious transactions. It can also be combined with CA AuthMinder to implement step-up authentication when a suspicious transaction is encountered, as part of a comprehensive multi-factor authentication solution. It can also be deployed alone to assess the risk of individual login attempts to a portal based on a variety of input factors.
• Address regulatory requirements: CA RiskMinder helps you to meet a number of government and industry regulations including FFIEC, HIPAA, and SOX, as well as your own internal security requirements.
• Protect existing infrastructure investment: You can integrate CA RiskMinder with any Internet-facing application via APIs or web services in order to add real-time fraud detection. It integrates with your existing access management, VPN, online banking, and e-commerce software and other security products, avoiding the need for you to upgrade other parts of your network to add Web fraud detection.
• Match rules to your environment: The customizable rules engine enables you to configure CA RiskMinder to match your business practices and risk tolerance, rather than forcing you to change your operations to fit your security tool. This allows you to reach the appropriate balance between the strength of your security and the impact on the end user.
• Deploy and use multi-factor authentication invisibly: Your Web users can keep the same username/password sign-on experience with which they are familiar. CA RiskMinder affects only those users whose behavior does not match their personal profile, historical data and your policies. There is no change to the user experience and therefore no new calls to the help desk or additional support costs.
Control of privileged users
CA ControlMinder™ is a leading solution for privileged user management that controls access to host systems and critical data and files residing on these systems. Policies can be defined that help ensure that only properly authorized users can gain access to each such system or resource. In this way, CA ControlMinder extends the basic security capabilities supported by each native operating system and provides an expanded, consistent, and more granular set of security capabilities across the systems in your environment.
The solution also supports extensive privileged user password management (PUPM), which helps provide accountability for privileged access through the issuance of passwords on a temporary, one-time-use basis, or as necessary, while providing accountability for users’ actions through secure auditing. It also includes CA User Activity Reporting (CA UAR), which provides user activity and compliance reporting across physical, virtual, and cloud environments. It verifies security controls and streamlines reporting and investigation of user and resource access activities to accelerate and simplify compliance and improve efficiency.
CA ControlMinder can provide the following business benefits to an organization:
• Fine-grained access control policies: helps ensure that only authorized privileged users can access your critical data and applications. It provides improved and more granular security than is available through native operating systems.
• Improved compliance: allows you to proactively and more easily demonstrate fine-grained control over privileged users. This helps to simplify and reduce the cost of compliance audits, since you have evidence of compliance.
• Improved password security: supports one-time-use administrative passwords so that privileged users cannot share passwords, thereby improving security and helping to reduce the occurrence of over-privileged users. In addition, it helps eliminate shared accounts so that each action can be associated with a specific individual, further helping simplify compliance audits.
• Improved security for virtual environments: helps enforce segregation-of-duties rules on the hypervisor, so that the hypervisor administrator cannot access virtual machine configurations via the hypervisor.
• Hardening of the entire operating environment: helps to harden the operating system as well as the hypervisor, reducing both external and internal security risks and improving operating reliability.
Better Risk Assessment (CA RiskMinder)
CA RiskMinder provides a comprehensive risk and fraud detection system that uses device, location and historical user information to assess the risk of any specific transaction.
• Uses standard rules, customized rules, and external data sources to arrive at a risk score.
• Uses fraud modeling to help identify and prevent fraud in real time.
• Makes a suspect transaction appear to complete correctly to the user, while moving it to a special queue for further analysis prior to actual transaction completion.
Adopt Stronger Authentication Standards for High Risk Transactions (CA AuthMinder)
CA AuthMinder:
• Provides two-factor authentication with our patented CA ArcotID solution.
• Provides two-factor authentication with our CA ArcotID OTP solution.
• Can generate One Time Passwords (OTP) and use Out of Band (OOB) channels including SMS, IVR and email to send an OTP to the user. Users can then enter the correct code back into the portal to identify themselves.
• Provides a solution to protect against MITM attacks.
• CA ArcotID appears to the user as a username and password, so it’s easy to use. With PKI “under the covers” it brings the strength of PKI to the solution without the related complexity for the institution or the user. It automatically helps protect users from phishing and MITM attacks.
• CA ArcotID OTP appears just like an OTP generated from a single-purpose token, except that it uses the customer’s own mobile device. It can support multiple accounts on the same device and protects the seed value with patented technology.
• Delivers second-factor information through any number of out-of-band channels.
• Provides flexibility in using additional information in the authentication process as required.
Layered Security Programs (CA RiskMinder and CA AuthMinder)
• Provide a comprehensive layered security solution that provides:
− Fraud monitoring
− Authorization from multiple devices
− OOB verification
− Step-up at certain levels
− IP blocking
The layers can include:
• Strong 2FA authentication.
• Device, location, and transaction information collection.
• Built-in rules and custom rules for determining risk based on collected factors as well as custom models.
• Ability to incorporate additional external data into the risk evaluation process.
Effectiveness of Certain Authentication Techniques (CA RiskMinder and CA AuthMinder)
CA Technologies provides:
• Complex device identification
• Challenge questions
− Shared secret
− OOW
Increased effectiveness of device identification due to:
− the use of over 50 different parameters
− the ability to work without a cookie
Increased effectiveness of challenge questions due to:
− the ability to customize the number and type of questions required (including “out of wallet”)
− the ability to use additional third-party identity proofing questions
Control over Privileged Users (CA ControlMinder Password Vault)
• Increased granularity of control over what resources admins can access.
• Ability to control use of critical system services.
• Reduced risk of inadvertent or malicious improper actions by privileged users.
• One-time-use passwords improve security and eliminate the use of shared accounts.
Summary
FFIEC is an important driver of compliance activities for a large number of major financial and banking institutions. This standard was initiated in order to ensure that adequate security, in the form of strengthened authentication, was being used for high-value online banking applications. FFIEC compliance requires risk-based authentication policies and strong two-factor authentication capabilities, as well as improved control over the actions of privileged users. Some companies adopt a minimalist approach to FFIEC compliance and do only the minimum required to satisfy auditors. But this approach is short-sighted because it fails to incorporate the business benefits of increased confidence (and therefore loyalty) on the part of a financial institution’s customers, which often results from a comprehensive approach to strong user authentication coupled with a simple and effective user interface.
The CA Technologies solutions for Advanced Authentication and Privileged User Management can provide an effective and layered platform for reducing authentication risk and simplifying compliance with FFIEC.
Copyright © 2012 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.