Implementing Stronger Authentication
What Other Sectors Can Learn from Banks
Editor's Note: This piece was created for ISMG's Security Agenda magazine, distributed at RSA Conference 2013.
When it comes to beefing up user authentication, banking institutions are leading the way. And other industries can learn important lessons from the experiences of the financial sector.
Heavy regulatory scrutiny has pushed banks and credit unions to implement advanced authentication technologies for online- and mobile-banking transactions. And federal examiners are continually gauging the effectiveness of institutions' authentication steps.
As a result, banking institutions are leading the charge in authentication, and other industries can learn from the technology and conformance routes they've invested in and pursued.
"It's not just banks being put on high alert," says Mark Kay, a former managing director for JPMorgan Chase who now serves as chairman and CEO of out-of-band authentication vendor StrikeForce Technologies. "It's any entity that has information that thieves want."
In its updated authentication guidance, the Federal Financial Institutions Examination Council recommended technologies for stronger authentication (see FFIEC Authentication Guidance: First Analysis). The guidance also stressed the need for ongoing and regular risk assessments, enhanced authentication for high-risk transactions as well as end-users, layered security controls and well-defined customer and member education programs.
Lessons for Other Industries
Although the FFIEC guidance is designed for banking institutions, all organizations have to protect credentials input over the Internet, Kay says. "At this point, all businesses should be enhancing authentication and investing in layers of security. Unfortunately, many aren't."
Compromised online banking credentials can be used to commit fraud. But the compromise of credentials in any business sector poses serious risks, including the potential for fraud as well as the theft of intellectual property.
Old-school username and password authentication is ineffective; that's why the FFIEC guidance calls for reliance on multifactor authentication to reduce risks.
And while the advent of mobile devices used to access online accounts and e-mail poses new user-verification concerns, it also offers opportunity for out-of-band authentication, which is becoming increasingly attractive, says Peter Tapling, a financial fraud expert and president of Authentify, an online authentication company.
Like banks, any organization should require additional authentication for employees with administrative functions or access to sensitive customer and corporate accounts, Tapling says. But what will be required will vary, based on organizational needs.
One key challenge in the healthcare sector involves firming up how to authenticate the identity of patients seeking to access records online through newly created portals. The authentication methods used in the online banking arena could provide useful examples for hospitals, clinics and others.
Government agencies also are looking for authentication enhancements.
"The combination of heightened fraud alerts, the increased regulations, like we've seen from the FFIEC, and identity thefts have pushed all industries to move toward stronger authentication," Kay says.
A Look at Three Banks
To illustrate how banking institutions are using the latest technologies, here's a closer look at the activities of three U.S. financial institutions.
Spencer Savings Bank
Northern New Jersey
$2 billion in assets
Jonathan Shachov, who oversees information technologies at the bank, says stronger employee authentication for access to customer accounts and bank databases became a priority as the bank expanded its commercial business. The enhanced authentication measures, in place for about a year, reduce risks associated with compromised employee credentials.
The system, provided by StrikeForce, relies on a virtual private network, which employees can only access from approved devices. Once an employee attempts logging in, the VPN authenticates the credentials and alerts an out-of-band server maintained by StrikeForce. The server automatically calls the employee's mobile or landline phone and provides a one-time code.
With the code, the employee can access the VPN. Once on the VPN, the employee is authenticated again before access to the corporate network is granted.
"Computer-generated codes can be intercepted, so we wanted to look at something that goes beyond that," Shachov says. "I think we will be looking at any enhancements we can, such as voice biometrics. But we want to stick with the out-of-band phone calls. That's higher security, to tell someone something, rather than having it written down or texted or something like that."
Healthcare organizations, governmental units and businesses interested in preventing breaches of sensitive information also could benefit from phone-based employee authentication.
Eastern Bank
$8 billion in assets
Don Westermann, the bank's chief technology officer, says an uptick in phishing attacks aimed at retail and corporate customers and employees spurred the bank to seek new ways to fight malware that can compromise credentials.
Intrusion-protection systems, behavioral analytics and transactional anomaly detection are more effective at detecting malware than conventional desktop tools, such as anti-virus software, he says. But even those advanced tools only detect malware after it's already infiltrated the network.
Using malware detection software from Trusteer, Westermann says the bank has added another layer of defense and can identify and block malware sooner.
And security professionals in other industries are also considering layered security measures to help safeguard credentials.
The biggest threat the bank is attempting to mitigate is a Trojan attack that targets bank personnel in an attempt to steal their credentials. "They're targeting employees and using that entry as a stepping stone to attack another part of the environment," Westermann says.
If an employee's credentials are compromised, then authenticating that employee poses challenges, Westermann says. So Eastern Bank uses the Trusteer software to help protect internal-user authentication.
"We use Trusteer for enhanced malware detection on our internal workstations," he explains. "The solution looks for suspicious behaviors to block, such as keystroke logging."
Trusteer analyzes an attack's behavior and establishes a pattern for detecting malware. If malware can't get in, it can't compromise credentials.
Sallie Mae
$200 billion in assets
Michael Rushinsky, director of corporate information security for federally funded Sallie Mae, the nation's leading student-loan financial services company, says enhancing authentication for Sallie Mae's diverse customer base, which includes students from numerous schools, is always a major focus.
Sallie Mae is evaluating out-of-band authentication that relies on verification calls placed to customers' mobile or landline phones.
Many other industries are continuing to rely on hardware and software tokens for user authentication. But more financial institutions, which were pioneers in the use of tokens, are questioning the technology's reliability and user-friendliness.
"Tokens are more likely to be forgotten than a phone," Rushinsky says. "They can get lost. And typically these other forms of two-factor solutions have a replacement cycle. We want more flexibility."
Out-of-band phone calls offer scalability as well, Rushinsky notes.
Sallie Mae also is still considering whether to use SMS/text messaging for authentication because it has concerns that some customers lack devices that can handle texting, he says.