Thousands of banks in the United States, faced with the multi-faceted challenge of online user authentication, are clamoring for an audience with a limited number of solution providers. No one wants to be left standing in the struggle to provide clients with the most convenient service as well as a secure and user-friendly interface. With the Federal Financial Institutions Examination Council (FFIEC) compliance deadline looming, Honeycomb Connect spoke with executive members from the Banking and Information Technology (B.I.T.) Hive as a way of gleaning insight from the top decision makers and bringing together answers to some of the questions they encountered along the road to compliance.
“You have to be paranoid to be involved with security when you work with a financial institution” is the advice offered by Sam Tuohey, Vice President eCommerce & Technology and Chief Technology Officer for Stanford Federal Credit Union (SFCU). “If you aren’t, you don’t have the minimum qualifications to do the job.” SFCU, owned and operated by more than 40,000 members of the Stanford community, is a forerunner in e-commerce strategies, having offered online services of one sort or another since 1993. Tuohey is a strong believer in the online banking process – “It is the most reasonable way to try and do business today in our industry” – and he helped integrate a sweeping security solution as early as January 2005.
“The average reasonable person out there expects the financial institution to be looking out for them...they expect us to be secure, and they expect their privacy to be respected.”
Sam Tuohey, Vice President eCommerce & Technology, Chief Technology Officer, Stanford Federal Credit Union
For Tuohey the advantages of online banking are twofold: it offers his members the best and most efficient way of doing business, and it saves the credit union money in the process. “Ninety-eight percent of our transactions happen electronically, not all through the internet but certainly this is a very large portion, so we don’t have to have a large branch structure, we don’t have to have a lot of people processing mail deposits and we don’t have to have a large call center,” he explains. With the vast majority of his customers conducting their business online, the stakes are high for Tuohey.
“We have to provide them the access they want when they want it, otherwise they will go somewhere else, so it is a competitive issue.”
SFCU opted for a shared-secret authentication method, presenting the user with a pre-determined image combined with a traditional log-in password so that the credit union can authenticate to the user and vice versa. Tuohey explains that, as well as “presenting proof that we are who we say we are,” the application has an additional feature known as the “device-checker”: when a user logs on to the online banking system, information about the user’s system is stored in a knowledge bank. The credit union then allows access based on the level of risk the institution is willing to assume. The program checks the computer’s identity along with that of the user; if the alarm is raised, access can either be denied or an offline ID check conducted, depending on the decision matrix.
Despite legislative pressure, demands from insurance companies and increased public awareness of online scams, Tuohey has yet to see any decline in the pace of growth of his online banking customers. He sees information theft from third-party processors as the biggest security threat to the financial services industry; as he puts it, “it shows a lack of control.” Since 1996 Stanford has seen double-digit growth in the number of online users (13-18 percent between 2001 and 2004, and 25 percent in 2005), and this pace of growth has not been stalled by the stronger authentication system. Tuohey believes this is because “we didn’t make it a long, arduous, complicated or confusing process; we made it as simple as we could. So in the end we got one letter of complaint in one year.”
Tuohey is loath to pay any attention to negative opinions expressed in the media on issues of cyber-security and identity theft. He thinks these are a “disservice to people’s sensibilities” and argues that his members need not be alarmed. “I know of three or four people out of our 44,000 members where it has happened.” But this is no reason to be off guard; Tuohey says he is continually assessing the risk, citing national security officials whom he has heard speak of large-scale overseas for-profit criminal organizations whose sole purpose is accessing other people’s financial resources. “Someone is trying to get access every minute,” he says, “and we are up against that.”
So how does a financial institution determine the right security solution for its customers? For the answers we spoke with a Chief Information Officer (CIO) and Honeycomb Connect executive member, accompanied by his Information Security Officer (ISO); they both hail from a leading multi-service financial institution in the early planning stage of implementing an online authentication security strategy (both prefer to remain anonymous).
“Integration is huge in this issue, when the risk is you impact your customers if your integration isn’t where it needs to be,”
Information Security Officer, Leading financial institution
Online banking and the accompanying security parameters have been around for some time now and, according to our CIO, in the aftermath of the FFIEC mandate the window of opportunity for differentiating an organization with security strategies alone has more or less closed. The question now is how to ensure that the organization is not left behind by the rest of the financial services industry. At the same time the basic economic principles of supply and demand apply, and “just being the first to market with something isn’t necessarily a good thing,” says our ISO, who argues that a strong demand for online banking services is a relatively new phenomenon. Both executives agree that choosing the right solution and integrating it seamlessly into the user’s online experience is the real challenge.
“Integration is huge in this issue, when the risk is you impact your customers if your integration isn’t where it needs to be,” says our ISO. The executives explain that innovative security tools are available on the market, although, given the crush of demand, getting vendor demos of these tools can be problematic. Furthermore, “security is an extremely expensive proposition to be done correctly because even the price of the tool doesn’t get you the security…you have to implement, manage and maintain that tool,” says our ISO.
For our CIO the three key issues when it comes to integrating a solution are security, ease of use and cost, and the way to reconcile these is through a risk-based model. As we have already seen from the SFCU case, the degree of security can be related directly to the level of risk in any given transaction. For planning purposes our CIO follows the same principle; he describes a dividing line between commercial accounts, with their expectations for security, and retail customers, who represent a wider range of opinions. “We want to use the less intrusive tools, so the challenge response type tools, for lower risk transactions. A token with a one time password for high risk transactions and a system with the logic and intelligence able to identify risky transactions,” says our ISO. So for these executives a decision on which solution is right for them is made on the basis of a risk assessment drawn from the capabilities of different accounts and the riskiness of different transactions.
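The two mechanisms described above, SFCU’s device checker with its knowledge bank of known machines and the tiered challenge-response / one-time-password model our ISO outlines, can be sketched together as one risk-based decision routine. The Python below is an added illustration for this article, not code from SFCU, the institution interviewed or any vendor; the device attributes, score weights, thresholds, outcome labels and sample data are all assumptions chosen for the example.

```python
"""Risk-based authentication sketch: a knowledge bank of device fingerprints,
a mutual-authentication image lookup, and a decision matrix that picks the
authentication step proportional to the risk of the attempt.
Everything here (weights, thresholds, attribute names, sample data) is assumed."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Outcome labels for the decision matrix (assumed names, not SFCU's actual matrix).
ALLOW = "allow"
CHALLENGE = "challenge-response"          # less intrusive tool for lower-risk cases
OTP_TOKEN = "one-time-password"           # token step-up for high-risk transactions
DENY_OFFLINE = "deny-pending-offline-id-check"


@dataclass
class KnowledgeBank:
    """Per user: hashes of device attributes seen at successful logins, plus the
    pre-chosen image the site shows to prove its own identity to the user."""
    devices: dict = field(default_factory=dict)   # user -> set of fingerprint hashes
    images: dict = field(default_factory=dict)    # user -> image identifier

    @staticmethod
    def fingerprint(attrs: dict) -> str:
        # Canonicalise then hash so raw attributes are not kept; the hash alone
        # is enough to recognise a returning device.
        canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def remember(self, user: str, attrs: dict) -> None:
        self.devices.setdefault(user, set()).add(self.fingerprint(attrs))

    def is_known(self, user: str, attrs: dict) -> bool:
        return self.fingerprint(attrs) in self.devices.get(user, set())

    def site_proof(self, user: str) -> Optional[str]:
        # Shown after the username is entered and before the password is asked
        # for: the user recognises their image, so the site has proved itself.
        return self.images.get(user)


def risk_score(known_device: bool, account_type: str, amount: float, new_payee: bool) -> int:
    """Additive risk score. Weights are assumed for illustration only."""
    score = 0
    if not known_device:
        score += 40              # device checker: machine not in the knowledge bank
    if account_type == "commercial":
        score += 10              # commercial accounts carry higher expectations
    if amount >= 10_000:
        score += 30
    elif amount >= 1_000:
        score += 15
    if new_payee:
        score += 20
    return score


def decide(score: int) -> str:
    """Decision matrix; thresholds are assumed and would be tuned to the
    institution's risk appetite."""
    if score < 30:
        return ALLOW
    if score < 60:
        return CHALLENGE
    if score < 90:
        return OTP_TOKEN
    return DENY_OFFLINE


def evaluate(bank: KnowledgeBank, user: str, device_attrs: dict,
             account_type: str, amount: float = 0, new_payee: bool = False):
    """Return (decision, score) for a login or transaction attempt."""
    known = bank.is_known(user, device_attrs)
    score = risk_score(known, account_type, amount, new_payee)
    return decide(score), score


def demo() -> list:
    # Constructed sample data: one enrolled laptop and one never-seen machine.
    bank = KnowledgeBank()
    bank.images["alice"] = "img-sailboat-0042"
    laptop = {"ua": "Mozilla/5.0 (X11; Linux x86_64)", "tz": "America/Los_Angeles", "screen": "1920x1080"}
    bank.remember("alice", laptop)
    cafe_pc = {"ua": "Mozilla/5.0 (Windows NT 5.1)", "tz": "Europe/Berlin", "screen": "1024x768"}
    return [
        evaluate(bank, "alice", laptop, "retail"),                              # balance check, known laptop
        evaluate(bank, "alice", cafe_pc, "retail"),                             # login from unknown machine
        evaluate(bank, "alice", laptop, "commercial", 12_000, new_payee=True),  # large wire, known device
        evaluate(bank, "alice", cafe_pc, "commercial", 12_000, new_payee=True), # large wire, unknown device
    ]


if __name__ == "__main__":
    for decision, score in demo():
        print(f"{score:3d} -> {decision}")
```

The four sample attempts walk up the matrix from plain allow, through the less intrusive challenge for an unfamiliar device, to the token step-up for a large commercial payment, and finally to denial pending an offline identity check when the high-value transaction also comes from an unknown machine. Hashing the device attributes rather than storing them keeps the knowledge bank from becoming a second store of customer-identifying data.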
When asked where the biggest threat to online security comes from, our ISO responds, “I am confident in saying it is not phishing, it is Trojans. It’s the malicious software, it’s the automated fashions of stealing the information, screen scrapers, key stroke loggers; those represent a huge risk. People are becoming more and more sophisticated and I think the success rate of phishing is dropping.”
At the same time, the executives underline the effects of media misinformation, explaining that the statistics around fraud in the online environment are insignificant when compared with those in a non-online environment. “If I break into your house and steal your cheque book and your credit cards and your driver’s license, then go and open up new accounts somewhere, I have just committed identity theft and I have never touched a computer,” says our ISO. The problem, as the executives see it, is that when a control is deployed not everyone’s concerns are on the same level. If an arduous, time-consuming process is put in place to control access, some customers may question the need to jump through so many hoops. “You cross that razor’s edge of scaring your customers but keeping them aware of the real risks. And the real risk is that only a small percentage of fraud occurs online today,” says our ISO.
The crux of the issue as Mr. Tuohey sees it is that “the average reasonable person out there expects the financial institution to be looking out for them. Just like they expect their statements to be accurate, they expect us to be secure, and they expect their privacy to be respected.”
Sam Tuohey will be speaking on “Best Practices in Strong Online Authentication” at a web-conference open to all Honeycomb B.I.T. members on May 31, 2006 at 1 p.m. EDT; an archive of the session is available.
Michael L. Jackson, Associate Director, Division of Supervision and Consumer Protection, FDIC; Dave Cullinane, CISSP, Chief Information Security Officer, Washington Mutual; and Brad Keller, Vice President, eCommerce Business Risk Manager, Wachovia Corp, will give their insights on the issue of online banking security at a web-conference hosted by Xtalks.