Multi-Factor Authentication Takes Hold

Are financial institutions implementing the multifactor authentication laid out in the FFIEC Guidance? That was one of the issues discussed at the RSA panel presentation, “37 Days After the FFIEC Guidance Deadline.” The panel of banks, credit unions and industry experts talked about what it took to get this far, and what is expected to happen next.

Lee Carter, President of Online Banking at Zions Bank in Centerville, UT, was on the panel and voiced optimism about the multifactor authentication guidance. Describing Zions Bank’s implementation of its new authentication method, he said, “It was days if not hours after the implementation that we had people [hackers] banging on our front door trying to figure out what we were doing. They were pretty persistent, and put up phishing sites to try to figure it out, we got those taken down, and they since have stopped.” Carter said Zions Bank customers were well aware of the changes: the bank had done a lot of advertising up to 45 days before the implementation and had sent information to its customers prior to the cutover, so they would know what to expect. With Zions’ success, Carter expressed concern for smaller institutions “who have not implemented a solution yet, because more structured things may be coming their way, because they [phishers] will move to where they think they have new ground to plow.”

The panel noted that phishing attacks were up an estimated 40 percent in the last year, and thought this may point to phishers trying to launch as many attacks as possible before institutions implement stronger authentication for their customers.

"From an industry perspective, I think most of the community financial institutions are ahead of the curve as far as the adoption of multifactor authentication because they don't host/manage their Internet Banking infrastructure. Typically, financial institutions have their Core Provider host their Internet Banking website, and most Core Providers already have adopted some form of multifactor authentication," said audience member Matt Riley, CTO and VP of Security at Gladiator Technology Services, a managed security service provider for financial institutions.

The panel noted that regulatory agencies gave signals two years before this guidance came out. So what might be next? While the authentication guidance deadline was fairly short in comparison to previously issued guidance, a less dramatic movement toward mutual authentication and encryption may be a possible next step, noted panelist Doug Johnson, senior policy analyst for the American Banking Association.


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



