24 May 2011

The fight is on

Implementing stronger authentication of customers banking online will be key for banks to effectively combat cyber-crime. This is a problem that is increasing dramatically in tandem with the huge popularity of electronic banking and e-commerce, which now represent a significant share of the global economy and an attractive target.

Stronger client authentication makes it harder for a fraudster to steal and use a customer’s credentials and to gain access to online banking activities such as funds transfer, bill payment, and stock and bond purchases; as well as e-commerce activities, principally the sale and purchase of goods online. However, without strong mutual authentication (where not only the financial institution is confident they are connected to a real customer, but the customer is also similarly assured they are connected to the real financial institution), cyber crime and identity theft will continue. For example, spoof websites and fraudulent e-mails, if not checked, can still coax a consumer to provide their credentials and other sensitive personal information. Even if those credentials are rendered unusable when accessed from a different PC and/or IP address, other sensitive personal information from the unwitting consumer can be used by fraudsters. This may be used to take over that consumer’s identity and open accounts, get loans and perform other such fraudulent activity. So better mutual authentication is necessary in the fight against cyber crime. Without it, the form of the fraud may change, but fraud itself will continue.

Simply stated, better mutual authentication occurs when the consumer is confident they are dealing with a legitimate website or e-mail, and the financial institution is certain it is dealing with the real customer, before there is an exchange of sensitive information, including authentication credentials, and before any access privileges and authorization are granted. There are various factors that need to be addressed by any successful solution for better mutual authentication.

Consumers are slow to change and won’t alter their behavior unless there is real perceived value and/or increased convenience to doing so. Most consumers are still not concerned about security to the point that they are willing to accept increased cost and inconvenience. While cyber crime is on the rise, it has still only impacted relatively few people (and even fewer actually suffer financial loss due to protection by financial institutions and government). Most consumers, therefore, are not yet sufficiently motivated to change their behavior or to accept inconveniences for the sake of greater security.

It is also difficult for financial institutions to justify the increased cost of new authentication technology solutions, and they are faced with a growing diversity of authentication technology solutions, of varying strength. Any solution must be able to accommodate end-user choice and should be designed to be future-proof in order that the solution can counter new threats and take advantage of and accommodate new and better authentication solutions as they are introduced. For example, many new authentication solutions may suddenly take hold (e.g. National Identity cards, Trusted Computing Modules, Microsoft’s InfoCard and Advanced Password Management products), and we want the opportunity to take advantage of and incorporate these solutions as they enter the mainstream.

It is important to remember that there is no one silver bullet authentication technology. A good mutual authentication solution needs to employ several authentication technologies across the four dimensions of:
• Shared secrets (e.g. passwords)
• Electronic credentials (e.g. smart cards, tokens)
• Alternate channels (e.g. telephone call back)
• Contextual analysis (e.g. behavioral analysis)

In addition, one needs to fix software vulnerabilities in the operating systems and applications (e.g. browsers).

When customers are required to use hardware devices for authentication, the solution should support sharing across financial institutions for greater user acceptance, so that the user doesn’t have to carry around a ‘necklace’ of hardware tokens.

Better mutual authentication cannot be achieved by financial service firms alone; the solution must work on the computers, end user devices, and communications services that are independently bought by the consumer. Therefore, the solution has to be developed in partnership with these vendors and service providers.

The better mutual authentication solution also needs to address the authentication needs of customer agents, and must have the ability to grant these agents limited authorization authority. Accordingly, the financial institution should be able to distinguish between customers and their agents. Furthermore, when there are multiple customers on the same account (e.g. husband and wife, parent and child), the organization should be able to distinguish between the primary account holder and another valid account member.

Among other things, the FSTC Better Mutual Authentication project has issued reports that describe these requirements in more detail, along with an architectural framework into which authentication solutions can be fit. These reports are available from the FSTC website, www.fstc.org.

Much work remains to be done

• Continue to refine the requirements for better mutual authentication, including addressing the shortcomings in the current technology, and communicate these shortcomings and requirements to the vendor community.

• Develop industry standards, based on existing technology products, aimed at reducing the cost of operation and maintenance of the current solutions, and improving user acceptance. For example, standards that make it easier for financial institutions to share and support a single customer token.

• Improve the existing financial institution infrastructure to better address the needs and requirements of better mutual authentication, including, where it makes sense, industry utilities. For example, decoupling key processes and functions to allow for the insertion of enterprise-wide infrastructure services, and third party service provider solutions.

• Partner with other communities (e.g. healthcare and government) to further reduce the deployment and support costs, and increase the perceived customer value for stronger mutual authentication.

• Develop the tools for better evaluating authentication technology solutions, both their standalone value, and their value as an incremental addition to other authentication technologies. The evaluation should include measures of its impact on:
  • Strength of authentication – false accepts, false alarms and resistance to spoofing
  • User acceptance
  • Maturity – risk of deployment
  • Cost of implementation and ongoing support
  • Support for mutual, rather than one-way authentication
  • Impact on risk exposure – the degree of resulting risk reduction
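
The comparison called for in the last item, standalone value versus value as an incremental addition, can be worked through on labelled login attempts. The following is an added example, not taken from the article or the FSTC reports: the attempts, the three technology names and their pass/fail outcomes are constructed, and a combination is assumed to accept a login only when every technology in it passes.

```python
from fractions import Fraction

TECHS = ("password", "token", "context")

# Constructed sample of login attempts (not real data):
# (genuine customer?, password passed, token passed, contextual check passed)
ATTEMPTS = [
    (True, 1, 1, 1), (True, 1, 1, 1), (True, 1, 1, 1), (True, 1, 1, 1),
    (True, 1, 1, 1), (True, 1, 1, 1),
    (True, 1, 1, 0), (True, 1, 1, 0),   # customer travelling, context check fails
    (True, 0, 1, 1),                    # mistyped password
    (True, 1, 0, 1),                    # token left at home
    (False, 1, 0, 0), (False, 1, 0, 0), (False, 1, 0, 0), (False, 1, 0, 0),  # phished password
    (False, 1, 0, 1),                   # phished password, context spoofed
    (False, 1, 1, 0),                   # phished password plus stolen token
    (False, 0, 0, 0), (False, 0, 0, 1), (False, 0, 0, 0), (False, 0, 0, 0),
]


def rates(attempts, techs):
    """Return (false accept rate, false alarm rate) when all of `techs` must pass."""
    cols = [TECHS.index(t) + 1 for t in techs]
    genuine = [a for a in attempts if a[0]]
    fraud = [a for a in attempts if not a[0]]
    if not genuine or not fraud:
        raise ValueError("need both genuine and fraudulent attempts to evaluate")

    def accepted(a):
        return all(a[c] for c in cols)

    false_accepts = sum(1 for a in fraud if accepted(a))
    false_alarms = sum(1 for a in genuine if not accepted(a))
    return Fraction(false_accepts, len(fraud)), Fraction(false_alarms, len(genuine))


def incremental_value(attempts, base, added):
    """Change in (false accept rate, false alarm rate) from adding one technology."""
    before = rates(attempts, base)
    after = rates(attempts, tuple(base) + (added,))
    return after[0] - before[0], after[1] - before[1]


if __name__ == "__main__":
    for combo in (("password",), ("token",), ("context",),
                  ("password", "context"), ("password", "token"), TECHS):
        far, alarm = rates(ATTEMPTS, combo)
        print(f"{' + '.join(combo):28} false accepts {float(far):.0%}  false alarms {float(alarm):.0%}")
    print(incremental_value(ATTEMPTS, ("password",), "context"))
```

On this constructed sample, adding the contextual check to passwords cuts false accepts from 60% to 10% but raises false alarms from 10% to 30%, which is the trade-off against user acceptance that the list above asks evaluators to weigh.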

