FEDERAL RESERVE GUIDELINES ON AUTHENTICATION IN AN INTERNET BANKING ENVIRONMENT
DID YOU KNOW
Since 2009 the preferred banking method of U.S. consumers has been internet banking, according to an annual survey by the American Bankers Association.
The number of consumers that prefer internet banking grew from 25% in 2009 to 36% in 2010. As more consumers bank online each year, the Fed is offering guidance to financial institutions that addresses the need for risk-based assessments, consumer awareness, and security measures to authenticate consumers accessing Internet-based services.
Each institution's multifactor authentication process may be different, but the underlying concept is the same: you want to know who you are dealing with, and you want to ensure transactions are legitimate. Above all else, consumers' private information must remain safe and secure. At a time when credit card fraud and identity theft are increasing, institutions must establish safe and secure consumer authentication methodologies.
Single-Factor Authentication - NOT ENOUGH
The Federal Reserve considers single-factor authentication to be inadequate for high-risk transactions involving access to sensitive consumer information or the transfer of funds to other entities.
Account fraud and identity theft are frequently the result of single-factor authentication exploitation.
The most common single-factor authentication method is a password.
Multi-Factor Authentication - REQUIRED
When properly designed and implemented, multi-factor authentication can be more difficult to compromise, more reliable, and a stronger fraud deterrent.
For example, an ATM transaction requires multifactor authentication which combines something the user has (i.e. the card) with information the user knows (i.e. PIN).
A multifactor authentication may also include "out-of-band" controls (e.g. callback or voice verification, e-mail approval, or cell-phone based challenge/response processes) to help mitigate risk.
ADDITIONAL RESOURCES
INTRODUCTION TO EIDENTITY AUTHENTICATION AND VERIFICATION
Establishes a baseline understanding of the components that make up a consumer identity when transacting or making an application through an online or telephone channel.
FUNDAMENTALS FOR UNDERSTANDING GEOLOCATION AND DEVICE IDENTIFICATION
Covers the use cases and methods for integrating and making use of geolocation data and device identification in a fraud strategy.
INTRODUCTION TO ECOMMERCE FRAUD FUNDAMENTALS.
Provides participants foundation level knowledge about the theories, best practices and terminology surrounding electronic payment fraud. Presented in a standard format covering the history of eCommerce Fraud, consumer fraud, merchant fraud, fraudster motivation, fraud trends, identity verification and phishing.
KEY NOTES
Alternative Solutions - There are a number of alternative solutions to consumer authentication. Evaluate the cost/benefit of each method to determine your own unique multifactor consumer authentication methodology for ecommerce.
Estimated Costs - Developing these multifactor methodologies can vary dramatically in price. For example, the one-time scratch card is a relatively cheap and easy method to implement, while biometric authentication can be extremely costly and time-consuming to set up. After the risk assessment, institutions should thoroughly evaluate which authentication techniques are applicable to their vertical and where they are most effective.
The Federal Reserve has provided guidance to financial institutions offering online boarding or account access in the area of consumer authentication. The guidance is intended to specifically address the need for risk-based assessments, consumer awareness and security measures to authenticate consumers accessing Internet-based services. While the guidance was intended for financial institutions the advice is applicable to both retail and commercial segments.
Key considerations when implementing this multifactor authentication include:
Can the different methodologies be used in the region where you conduct business? For example, smart card technology is of little use if the card companies in that region don't support it.
Finding the right combination of authentication methods is critical. Depending on your vertical market there may be a limited number of methods that are applicable.
Does the new multifactor methodology complicate and create additional work in your business process?
How does the multifactor methodology integrate with current auditing practices?
Have you educated your consumers on the steps and methods you have taken to ensure their information is kept private and secure?
The Federal Reserve states that institutions should ensure their information security programs identify and assess the risks for their full range of Internet products and services. Institutions must reduce risk and include appropriate measures to verify and authenticate consumers. Consumer awareness must also be measured and evaluated by institutions. The Federal Reserve describes the importance of organizations evolving and adapting their security programs in light of any important changes in technology, in the sensitivity of their consumers' information, and in internal or external threats to information.
An effective authentication system is required to safeguard customer information, prevent money laundering and terrorist financing, reduce fraud, inhibit identity theft and to promote transaction legality. The Fed has determined that single-factor authentication is not enough and merchants must use multi-layered authentication methodologies. To perform multifactor or layered authentications merchants can utilize a variety of technologies and methodologies such as personal identification numbers (PINs), digital certificates using public key infrastructure (PKI), smart cards, one-time passwords (OTPs), USB plug-ins or other types of "tokens", transaction profile scripts, biometric identification, and others.
The Risk-Based Assessment process:
Institutions should identify all transaction and access levels associated with consumers' Internet-based products and services.
Institutions must identify and assess risk mitigation techniques used in authentication methodologies employed for each transaction type and level of access.
Institutions should gauge the effectiveness of current risk mitigation strategies and the changing risk factors for each type of transaction and access level.
Consumer Awareness:
Consumer awareness is an important defense against fraud and identity theft.
If the Institution hasn't already, they must evaluate consumer education efforts to determine if additional steps are necessary.
The Institution can evaluate the effectiveness of an educational program by tracking the number of customers who report fraudulent attempts to obtain their ID/password, the number of clicks on security web site links, or the dollar amount of losses related to identity theft.
Existing Authentication Methodologies involve three basic "factors":
Something the user knows (e.g. password, PIN)
Something the user has (e.g. ATM card, smart card)
Something the user is (e.g. biometric characteristic such as a fingerprint or voice recognition)
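The point of the three categories is that a "multifactor" scheme must combine credentials from different categories; a password plus a PIN is still one factor. As an added example (not part of the original guidance), the following Python policy check maps credential types to the three categories listed above and applies the guidance's distinction between low-risk and high-risk transactions. The credential names, transaction classes, and factor thresholds are assumptions for this illustration, standing in for an institution's own risk assessment.

```python
from enum import Enum


class Factor(Enum):
    """The three factor categories described in the guidance."""
    KNOWS = "something the user knows"
    HAS = "something the user has"
    IS = "something the user is"


# Which category each credential type belongs to. The credential names are
# constructed for this example; the categories follow the list in the text.
CREDENTIAL_FACTOR = {
    "password": Factor.KNOWS,
    "pin": Factor.KNOWS,
    "security_question": Factor.KNOWS,
    "otp_token": Factor.HAS,
    "smart_card": Factor.HAS,
    "scratch_card": Factor.HAS,
    "fingerprint": Factor.IS,
    "voice": Factor.IS,
}

# Distinct factor categories required per transaction class. The classes and
# thresholds are an assumed risk assessment: reading a balance is treated as
# low risk, while funds transfers and access to sensitive information are the
# high-risk cases for which the guidance finds a single factor inadequate.
REQUIRED_FACTORS = {
    "view_balance": 1,
    "view_statement": 2,
    "change_contact_details": 2,
    "transfer_funds": 2,
}


def distinct_factors(credentials):
    """Return the factor categories covered by the credentials a session has
    presented. Two credentials from the same category (a password plus a PIN)
    count as one factor, which is why they do not add up to multi-factor."""
    categories = set()
    for cred in credentials:
        try:
            categories.add(CREDENTIAL_FACTOR[cred])
        except KeyError:
            raise ValueError(f"unknown credential type: {cred}") from None
    return categories


def authorize(transaction, credentials):
    """Decide whether the presented credentials meet the factor count the
    transaction class requires. Returns (allowed, covered, required)."""
    required = REQUIRED_FACTORS[transaction]
    covered = distinct_factors(credentials)
    return len(covered) >= required, covered, required


if __name__ == "__main__":
    for tx, creds in [
        ("view_balance", ["password"]),
        ("transfer_funds", ["password", "pin"]),        # same category twice
        ("transfer_funds", ["password", "otp_token"]),  # knows + has
    ]:
        allowed, covered, required = authorize(tx, creds)
        verdict = "allow" if allowed else "deny (step up required)"
        print(f"{tx:16} {creds!s:28} factors={len(covered)}/{required} -> {verdict}")
```

The middle case in the demo is the one institutions most often get wrong: a second knowledge-based secret raises the bar slightly but leaves the session single-factor under the guidance's definition.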
AUTHENTICATION TECHNIQUES, PROCESSES AND METHODOLOGIES
Shared Secrets - Information elements that are known or shared by both the institution and the consumer.
Shared secrets should periodically change and multiple secrets may also provide increased security.
Passwords and PINs are the best-known examples.
Questions or queries that require specific customer knowledge (e.g. the amount of the consumer's monthly mortgage payment).
Customer-selected images that must be identified or selected from a variety of images.
Tokens: Physical devices (something the person has) that may be part of a multifactor authentication scheme.
The USB token device - Once the device is recognized, the consumer enters their password to gain access to the system.
The smart card - The size of a credit card and contains a microprocessor. Its main disadvantage is that it requires a compatible reader attached to the customer's computer.
The password generating token - Produces a unique pass-code or one-time password to be used in conjunction with a password.
Biometrics: Technologies that identify or authenticate the identity of the individual on the basis of physical or physiological characteristics (something the person is).
Biometric identifiers are most commonly used as part of a multifactor authentication system combined with a password or a token.
Various biometric techniques and identifiers include: fingerprint recognition, face recognition, voice recognition, keystroke recognition, finger and hand geometry, retinal scan and iris scan.
The most popular biometric techniques are fingerprint and face recognition.
Non-Hardware Based One-Time-Password Scratch Card
Scratch cards are a less-expensive version of the one-time password generating tokens.
The card contains numbers and letters arranged in a grid, and during authentication the user provides their name and password together with the value contained in the grid cell they are asked for.
Its main advantages are that it is durable, easy to carry, and easy and inexpensive to replace.
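As an added example (not code from the original page or from any vendor's scratch-card product), the following Python sketch shows the server side of a grid-card challenge: the institution keeps a copy of each consumer's grid, asks for the contents of one cell, compares the answer in constant time, and retires that cell so a value observed once cannot be replayed. The username, grid size, and cell-label format are assumptions for the illustration; the name-and-password check the text pairs the card with is assumed to happen separately before this second factor is requested.

```python
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits


class CardExhausted(Exception):
    """Every cell on the card has been used; a replacement card is needed."""


class ScratchCard:
    """Server-side record of one consumer's grid card (the printed card shows
    the same grid, with columns lettered and rows numbered)."""

    def __init__(self, rows=5, cols=5, code_len=3):
        self.rows, self.cols = rows, cols
        self.grid = [
            ["".join(secrets.choice(ALPHABET) for _ in range(code_len)) for _ in range(cols)]
            for _ in range(rows)
        ]
        self.used = set()  # (row, col) cells that must never be asked for again

    def label(self, row, col):
        return f"{string.ascii_uppercase[col]}{row + 1}"  # e.g. "C2"


class ScratchCardAuthenticator:
    def __init__(self):
        self.cards = {}    # username -> ScratchCard
        self.pending = {}  # username -> (row, col) of the outstanding challenge

    def enroll(self, username):
        card = ScratchCard()
        self.cards[username] = card
        return card  # in practice, printed and mailed to the consumer

    def challenge(self, username):
        """Pick an unused cell at random and return its label to show the user."""
        card = self.cards[username]
        unused = [(r, c) for r in range(card.rows) for c in range(card.cols)
                  if (r, c) not in card.used]
        if not unused:
            raise CardExhausted(username)
        cell = secrets.choice(unused)
        self.pending[username] = cell
        return card.label(*cell)

    def verify(self, username, response):
        """Check the response against the challenged cell. The cell is retired
        whether or not the answer was correct, so a guessed or shoulder-surfed
        value has one chance at most."""
        cell = self.pending.pop(username, None)
        if cell is None:
            return False  # no outstanding challenge: nothing to compare against
        card = self.cards[username]
        card.used.add(cell)
        expected = card.grid[cell[0]][cell[1]].encode()
        given = response.strip().upper().encode()
        return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    auth = ScratchCardAuthenticator()
    card = auth.enroll("alice")
    label = auth.challenge("alice")
    row, col = int(label[1:]) - 1, ord(label[0]) - ord("A")
    print("challenge:", label, "->", auth.verify("alice", card.grid[row][col]))
    print("replay without a new challenge ->", auth.verify("alice", card.grid[row][col]))
```

Retiring cells is what makes this a one-time password rather than a second static secret; the trade-off is that a card with 25 cells supports at most 25 logins before the consumer needs a replacement, which is why the text stresses that replacement must be cheap.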
Out-of-Band Authentication
A technique that verifies the identity of the individual through a different channel than the one the consumer is using to initiate the transaction.
This type of layered technique has been used extensively for years in the finance industry.
Internet Protocol Address (IPA) Location and Geo-Location
IPA software can analyze information about the connecting address (location, anonymous proxies, domain name, and other identifying attributes) in real time, check it against multiple data sources, and profile it to prevent unauthorized access.
Geolocation software is another technique to verify Internet users by determining where they are or where they are not.
IPA verification or geo-location may deliver value as one factor in a multifactor authentication strategy.
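As an added example (not code from the original page), the following Python snippet shows the kind of check IPA and geolocation software performs: resolve the login address to a country and an anonymous-proxy flag, compare the result with where the consumer usually banks from, and report whether the session should be stepped up to an additional factor. The prefix tables are constructed from RFC 5737 documentation ranges with made-up attributes; a real deployment would query a commercial IP intelligence feed, as the text describes.

```python
import ipaddress

# Constructed lookup tables for this example only.
COUNTRY_BY_PREFIX = {
    "203.0.113.0/24": "US",
    "192.0.2.0/24": "US",
    "198.51.100.0/24": "DE",
}
ANONYMOUS_PROXY_PREFIXES = ["192.0.2.128/25"]


def lookup_ip(ip):
    """Return (country, is_anonymous_proxy) for an address, or (None, False)
    when no data source knows the address."""
    addr = ipaddress.ip_address(ip)
    country = None
    for prefix, cc in COUNTRY_BY_PREFIX.items():
        if addr in ipaddress.ip_network(prefix):
            country = cc
            break
    proxy = any(addr in ipaddress.ip_network(p) for p in ANONYMOUS_PROXY_PREFIXES)
    return country, proxy


def assess_login(ip, profile):
    """Compare a login's IP attributes with the consumer's profile.

    profile: {"usual_countries": set of country codes seen on past logins}
    Returns (decision, signals); "step_up" means the session should present an
    additional factor before a high-risk transaction is permitted. The address
    is only one factor, so an unusual location is a reason to ask for more
    evidence, not a reason to deny outright.
    """
    country, proxy = lookup_ip(ip)
    signals = []
    if proxy:
        signals.append("anonymous proxy")
    if country is None:
        signals.append("location unknown")
    elif country not in profile["usual_countries"]:
        signals.append(f"login from {country}, usual {sorted(profile['usual_countries'])}")
    return ("step_up" if signals else "allow"), signals


if __name__ == "__main__":
    profile = {"usual_countries": {"US"}}
    for ip in ["203.0.113.7", "198.51.100.9", "192.0.2.200", "10.0.0.1"]:
        decision, signals = assess_login(ip, profile)
        print(f"{ip:14} {decision:8} {'; '.join(signals)}")
```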
Mutual Authentication
A process where the customer's identity is authenticated and the Institution's web site is authenticated to the consumer.
Some financial institutions have begun to use this technique to reduce phishing attacks that capture consumer information through phony but legitimate-looking Web sites.
Web sites hoping to use this technique can use digital certificates coupled with encrypted communications (e.g. SSL) or shared secrets such as digital images.
Consumer Verification Techniques
Customer verification is separate from consumer authentication but is meant to complement the authentication process at account origination. Verification can be achieved in three ways:
1) Positive verification: Ensures that consumer information matches information provided by a trusted third party source.
2) Logical verification: Ensures that consumer information is logically consistent (e.g. the area code, zip code and street address match).
3) Negative verification: Ensures that consumer information does not have a previous history associated with fraudulent activity.
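As an added example (not code from the original page), the following Python functions implement the three verification checks at account origination against small reference tables. The trusted records, area-code and zip-prefix tables, and fraud history are constructed placeholders; in practice the trusted source is a third party such as a credit bureau, and the negative list is the institution's own or a consortium's fraud history.

```python
import re

# Constructed reference data for this example only.
TRUSTED_RECORDS = {  # what a trusted third-party source holds per applicant
    "APP-1001": {"name": "Jane Doe", "zip": "02110", "phone": "6175550100"},
    "APP-1002": {"name": "John Roe", "zip": "10001", "phone": "2125550123"},
}
AREA_CODE_STATE = {"617": "MA", "212": "NY", "312": "IL"}
ZIP_PREFIX_STATE = {"021": "MA", "100": "NY", "606": "IL"}
FRAUD_HISTORY = {
    "phones": {"3125550177"},
    "addresses": {("10001", "1 FAKE ST")},
}


def normalize(text):
    """Collapse whitespace and case so formatting differences do not mask a match."""
    return re.sub(r"\s+", " ", text).strip().upper()


def digits(text):
    return re.sub(r"\D", "", text)


def positive_verification(applicant):
    """The applicant's details match the trusted third-party record."""
    record = TRUSTED_RECORDS.get(applicant["id"])
    if record is None:
        return False
    return (normalize(record["name"]) == normalize(applicant["name"])
            and record["zip"] == digits(applicant["zip"])[:5]
            and record["phone"] == digits(applicant["phone"]))


def logical_verification(applicant):
    """Area code, zip code and stated state all point to the same place."""
    phone_state = AREA_CODE_STATE.get(digits(applicant["phone"])[:3])
    zip_state = ZIP_PREFIX_STATE.get(digits(applicant["zip"])[:3])
    return phone_state is not None and phone_state == zip_state == applicant["state"].upper()


def negative_verification(applicant):
    """No element of the applicant's details is tied to prior fraud."""
    phone = digits(applicant["phone"])
    address = (digits(applicant["zip"])[:5], normalize(applicant["street"]))
    return phone not in FRAUD_HISTORY["phones"] and address not in FRAUD_HISTORY["addresses"]


def verify_applicant(applicant):
    """Run all three checks; an application should proceed only if every one passes."""
    return {
        "positive": positive_verification(applicant),
        "logical": logical_verification(applicant),
        "negative": negative_verification(applicant),
    }


if __name__ == "__main__":
    applicant = {"id": "APP-1001", "name": "jane doe", "zip": "02110-1234",
                 "phone": "(617) 555-0100", "state": "ma", "street": "12 Main St"}
    print(verify_applicant(applicant))
```

The three checks fail independently, which is what makes them complementary: a fabricated identity can pass positive verification if the fraudster copied a real person's record, but the area code and zip code of the address they actually control will often disagree, and a phone number reused across applications will surface in the negative check.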