The case for stronger online authentication
The Challenge Ahead
Assessing risks and defining control environments by categorizing and prioritizing
customer touch-points, high-risk transactions, and associated threat levels.
Balancing security needs against ease of use, customer involvement, education,
and cost. This requires alignment across marketing, operations, and compliance
organizations.
Deciding between in-house solution development and vendor supplied solutions.
Does the institution have appropriate internal technical capabilities or should
it rely on external security experts and providers?
Any solution worthy of consideration must help institutions address these
challenges.
Strategic Choices: First Defend, Then Differentiate
The FFIEC stated that by the end of 2006 all U.S. financial institutions should
have adequate online protection for customer information using strong authentication
methods. The guidance states that companies dealing with monetary transactions
should implement multi-factor authentication, layered security, or other controls
to improve customer protection. iovation believes that financial institutions
will likely pursue one of the following two strategies:
“Federal Reserve Board of Governors issued its own statement that financial
institutions will be expected to achieve conformance with the guidance by year-end
2006, and that examiners should document situations in which financial institutions
have not done so by that time.”–Avivah Litan, Gartner Group
Defend: The FFIEC Compliant Strategy
The defend strategy allows an institution to meet basic compliance requirements
and defend against online fraud with minimal impact, if any, to customer interactions
and existing budget. Institutions choosing this strategy will adopt two-factor
online authentication that is easy to implement, offers ease of use, and can be
invisible to the end users. Institutions choosing the defend strategy should be
able to migrate easily to the next step, which iovation believes is best practice
for financial institutions.
Differentiate: Beyond Compliance Strategy
Financial institutions selecting this strategy aim to differentiate against their
competition and create a high degree of trust in their online channels. This requires
the solution to be customizable to support varying degrees of user visibility
and control in addition to two-factor and two-way authentication. iovation believes
that a long-term strategy should include the most effective authentication solutions
that involve end-user visibility and active participation. For this group, the
FFIEC guidance serves as a benchmark to exceed, not just meet.
iovation’s Solution for FFIEC Compliance and Beyond
Whether addressing internal security assessment findings or responding to FFIEC
guidance, iovation offers a family of authentication products built on the company’s
widely adopted Device Reputation Authority™ online authentication &
fraud management platform. iovation’s AccountLock™ system offers an
immediate and long-term defense against unauthorized account access.
“The Javelin ‘A.C.E.’ assessment model for strong authentication
solutions, based on affordability, consumer usability, and the effectiveness of
the solution, places device recognition solutions among the most highly ranked.”
–Bruce Cundiff, Javelin Strategy and Research
iovation’s AccountLock System
With millions of device reputations in its repository, the AccountLock System
is the only solution with proven and market-tested results in authenticating user
devices across the Internet and preventing online fraud. AccountLock is a two-factor
and two-way online authentication system that enables financial institutions
to grow the use of their online channel by ensuring that users feel safe and protected
and can trust the institution’s online brand. With AccountLock, institutions
can link user accounts with user-authorized access devices/PCs to secure against
unauthorized online account access stemming from phishing and other types of identity
theft attacks. AccountLock transforms the user’s login device into a convenient
yet secure second authentication factor, creating a highly effective and easy-to-use
multi-factor authentication solution. AccountLock can be implemented as
a visible or behind-the-scenes solution.
AccountLock System Overview
AccountLock is a customizable system that allows each subscribing financial institution
to define rule sets for online user authentication. AccountLock follows these
rules to return simple ‘proceed’ or ‘stop’ responses to
requests from such touch points as user login or during a transaction. The AccountLock
system is comprised of three primary elements:
> Device Reputation Authority (DRA)
> User Control Module (UCM)
> Reputation Sharing Module (RSM)
Device Reputation Authority (DRA)
The Device Reputation Authority is AccountLock’s central repository for
unique user device identifiers assigned using the system’s DevicePrint device
fingerprinting and authentication technology. DRA also contains the relationship(s)
between devices and proxy user account(s).
AccountLock is offered as an application service: each financial institution it
protects receives simple ‘proceed’ or ‘stop’ responses to requests
at such touch points as login or at the time of a transaction.
AccountLock User Control Module (UCM)
AccountLock UCM provides a secure self-service method for users to regulate access
to their accounts and meet their changing device usage needs. UCM enables financial
institutions to allow end users to exercise control over which devices/PCs can
access their accounts. Users simply register a device (or devices) and lock it to their
online financial accounts for two-factor and/or two-way authentication.
AccountLock Reputation Sharing Module (RSM)
AccountLock’s RSM provides real-time protection by sharing, among participating
institutions, the reputation of devices in its repository for the purpose of risk
based user authentication.
Once a device is uniquely identified and stored in the repository, the system
maintains a fact-based reputation on actual usage of the device, whether appropriate
or fraudulent. AccountLock can share this information with other participating
financial institutions protected by AccountLock. This conforms to the FDIC’s
recommendation on information sharing among financial institutions, and provides
an added proactive measure of protection for financial institutions and their
clients.
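The three elements described above (a central device repository, user-controlled device locks, and fraud reputation shared across institutions) can be modelled as a small rule engine that answers ‘proceed’ or ‘stop’ at a touch point. The following is an added illustration written for this page, not iovation’s code; the device identifiers, rule set, account/device links and institution names are constructed sample data.

```python
# Added illustration (not iovation's code): a minimal model of a device-bound
# second factor with shared device reputation. Device IDs stand in for opaque
# fingerprint identifiers; all rules and sample data are assumptions.
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    PROCEED = "proceed"
    STOP = "stop"


@dataclass
class DeviceRecord:
    reputation: str = "neutral"                    # "neutral" or "fraud"
    reported_by: set = field(default_factory=set)  # institutions that flagged it


@dataclass
class Repository:
    """Central store: device reputations plus account -> locked device IDs."""
    devices: dict = field(default_factory=dict)    # device_id -> DeviceRecord
    locks: dict = field(default_factory=dict)      # account_id -> set(device_id)

    def register(self, account_id, device_id):
        """User self-service: lock a device to an account (UCM-style)."""
        self.devices.setdefault(device_id, DeviceRecord())
        self.locks.setdefault(account_id, set()).add(device_id)

    def report_fraud(self, device_id, institution):
        """Shared reputation: one participant's finding is visible to all (RSM-style)."""
        rec = self.devices.setdefault(device_id, DeviceRecord())
        rec.reputation = "fraud"
        rec.reported_by.add(institution)

    def decide(self, account_id, device_id, touch_point):
        """Return Decision.PROCEED or Decision.STOP for a login or transaction."""
        rec = self.devices.get(device_id)
        # Rule 1: a device any participant tied to fraud is stopped everywhere.
        if rec is not None and rec.reputation == "fraud":
            return Decision.STOP
        locked = self.locks.get(account_id, set())
        # Rule 2: an account with locked devices accepts only those devices.
        if locked:
            return Decision.PROCEED if device_id in locked else Decision.STOP
        # Rule 3: no lock yet (behind-the-scenes deployment): logins proceed,
        # but a transaction from a never-seen device is stopped.
        if touch_point == "transaction" and rec is None:
            return Decision.STOP
        return Decision.PROCEED
```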
AccountLock Implementation Strategies
The AccountLock system can be implemented in multiple phases so that institutions
can effectively balance the need for strong online security and conformance to
regulatory guidance with user acceptance.
AccountLock: defend
The defend strategy is ideal for institutions that choose to meet FFIEC’s
compliance timeline and may require additional time to assess long term online
security needs.
AccountLock: differentiate
By subscribing to the system’s UCM and RSM modules, a financial institution
can further strengthen and differentiate its defense against unauthorized online
access. This implementation strategy provides users an unprecedented level of
control and flexibility in their online banking experience. Additionally, the
institution may offer two-way authentication by giving the user the ability to
authenticate the financial institution’s online communication channel(s).
Using AccountLock To Address FDIC Recommendations
As reported in FDIC’s study on identity theft released in December 2004,
fraudsters are taking advantage of the reliance on single-factor authentication
for remote access to online banking and the lack of e-mail and Web site authentication
to perpetrate account hijacking. The report to financial institutions and government
agencies provided four points of consideration to reduce online fraud. The AccountLock
system offers the financial institutions the flexibility to choose among many
implementation choices to meet current and future needs as prescribed by FDIC
(see table below).
[Table: AccountLock™ implementation choices mapped to the FDIC’s points of consideration; table contents not preserved in this copy]
Summary
The FFIEC guidance, along with the FDIC’s identity theft report, is an acknowledgement
of the need for continuous assessment and strengthening of online account access
security. Although the speed and scale of response to the guidance may vary
across institutions, it is clear that online security risks facing the
industry require thoughtful and deliberate action. Financial institutions
need to balance security needs, usability, customer involvement, education,
solution choices, and costs while making sure that they meet FFIEC’s timeline
of 2006.
iovation’s device recognition repository offers the financial industry
a proven and safe authentication choice. The AccountLock system will enable
a financial institution to both meet and exceed the guidelines set forth by
the FFIEC and FDIC to stall the growth of online fraud.