Security Assessment of briidge.net™ 2-Step verification for banking customers in a multichannel delivery environment that is FFIEC compliant

Prepared for:
By: Wesly Delva, SSCP, Information Security Consultant
Adam Sarote, CISA, CGEIT, CRISC, AES, PCI-QSA, PCIP, Managing Director
Date: March 20, 2015

Coalfire Systems, Inc 361 Centennial Parkway Louisville, CO
Seattle San Francisco Los Angeles Boulder Dallas Atlanta Washington DC New York Boston Manchester UK

Overview:

The loss of customer data as a result of compromised security controls is a serious threat to financial institutions. The lack of effective identity and authentication security controls can expose all lines of business to data breaches. Recent breaches affecting financial institutions have increased security awareness throughout the industry. Consequently, financial institutions are relying on regulatory guidance, such as that provided by the Federal Financial Institutions Examination Council ("FFIEC") and PCI-DSS, to help prevent risks that are associated with identity theft and fraudulent transactions.

SecureKey (or "the Company") contracted with Coalfire Systems, Inc. ("Coalfire"), an independent leading industry provider of IT security, governance and regulatory compliance services, to provide a security review of the Company's "briidge.net Connect" application.

Over more than eleven (11) years and four thousand (4000) projects, Coalfire has provided IT assessment and risk management services for a variety of financial institutions. Coalfire has hundreds of financial service clients, including banks, credit unions, trust companies and brokerages located throughout the United States. Our clients range from small specialty membership credit unions to large national banks. Our experience and flexibility allow us to provide guidance on controls appropriate for the size and complexity of each financial institution.

Key aspects of Coalfire's financial institutions practice include:

- Experience: our team completed more than two hundred (200) assessments for financial institutions last year;
- Training: Coalfire trains more than two hundred (200) federal examiners annually from the Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), National Credit Union Administration (NCUA), and several state examination authorities on Federal Financial Institutions Examination Council (FFIEC) examination guidelines and security best practices; and
- Specialization: Coalfire offers highly specialized assessment services unique to financial organizations, such as e-banking, FedLine assessment, Risk Assessments, Business Continuity Planning, Social Engineering, employee awareness training, and more.

Our assessment of the briidge.net Connect application focused on the FFIEC's requirements for authentication. The objectives of our security review included:

1. The overall design and architecture of briidge.net Connect;
2. Authentication capabilities across mobile and web channels; and
3. Active network monitoring to confirm that the briidge.net Connect application's encryption fields are not transmitting clear text data.

Overall, our procedures included interviews with the Company's key personnel, technical assessments and review of supporting documentation.

The purpose of this white paper is to provide an overview of Coalfire's security assessment results, and to identify how the development of the briidge.net Connect application aligns with FFIEC authentication standards and guidelines.

Target Audience:

The primary audience for this white paper is financial institutions seeking clarity regarding Internet Banking solutions that address the multi-channel authentication security needs of low-to-high risk IT control environments.

Introduction:

The 2014 Data Breach Investigations Report by Verizon noted that 33% of web application attacks are financially motivated. According to Verizon's study, the underlying vulnerability behind these attacks is the lack of effective identity and authentication controls. Exposures of this nature enable an intruder to penetrate sensitive networks, and allow them to carry out attacks that could manipulate the user interface of an application. These attacks grant unauthorized access to customer accounts, transaction funds and other sensitive information.

Figure 1 - Web Application Attacks

Malware such as "Crimeware," which obtains financial returns by stealing Personally Identifiable Information ("PII") and account credentials, poses a significant threat to financial institutions. The latest Crimeware, Zeus (or "Zbot"), steals banking information by conducting a man-in-the-browser keystroke logging attack. This attack steals the device input of the customer, such as PINs and passwords, during the authentication process. The stolen credentials provide a hacker with the opportunity to modify the customer's banking sessions. Attacks of this kind thwart two-factor authentication solutions that rely on one-time passcodes, known as OTP. Specifically, a large number of European banks suffered losses in the $47 million USD range as a result of Crimeware called Eurograbber, a Zeus variant, which bypassed customer authentication systems.

Symantec's "Internet Security Threat Report 2014" revealed that the development of Banking Trojans has tripled during the first three quarters in More than half of these attacks were aimed at the top fifteen (15) worldwide financial institutions.

Figure 2 - Crimeware

What is the FFIEC?

The FFIEC Council is an interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions. To provide guidance for financial institutions, the US government formed the Federal Financial Institutions Examination Council ("FFIEC"). The body governs the Federal Reserve System ("FRS"), the Federal Deposit Insurance Corporation ("FDIC"), the National Credit Union Administration ("NCUA"), the Office of the Comptroller of the Currency ("OCC"), and the Consumer Financial Protection Bureau ("CFPB"). The oversight provided by the FFIEC promotes uniformity in the supervision of financial institutions. This uniformity establishes guidelines for minimizing security risk and preventing loss of data. The FFIEC's Authentication Guidance continues to expand in response to technology trends.

In 2006, the State Liaison Committee ("SLC") was added to the Council as a voting member. The SLC includes representatives from the Conference of State Bank Supervisors ("CSBS"), the American Council of State Savings Supervisors ("ACSSS"), and the National Association of State Credit Union Supervisors ("NASCUS").

FFIEC Guidance:

The two main aspects of the FFIEC's latest authentication guidance, "Supplement to Authentication in an Internet Banking Environment," are to ensure that institutions are: (1) executing a periodic risk assessment and (2) implementing a layered security approach to establish a commercially reasonable control environment for electronic financial services.

Risk Assessment:

Since the FFIEC's first guidance was released in 2001, the methods and sophistication of fraudsters and hackers have evolved. The FFIEC has acknowledged the development as a high risk security concern and recommends that financial institutions perform annual risk assessments, which address:

- Changes in the internal and external threat environment;
- Changes in the customer base adopting electronic banking;
- Changes in the customer functionality offered through electronic banking; and
- Actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry.

The FFIEC's guidance states that not all transactions pose the same level of risk, and financial institutions should implement robust solutions that address the risk exposures of Internet Banking Environments.

Layered Security:

Since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing high-risk transactions, but rather institute a system of layered security release Supplement to Authentication in an Internet Banking Environment.

The FFIEC's guidelines make it clear that single-factor authentication is inadequate. To enhance authentication security controls, the FFIEC recommends a layered security approach that relies upon multiple types of authentication controls, established at different transaction periods. The best approach will include a combination of multi-factor authentication and effective layered security controls, such as device identification or challenge questions.
The solution will have the Internet Banking's customer acceptance, be reliable, scalable, and interoperable with existing and future plans.

What is briidge.net Connect?

Briidge.net Connect is an authentication solution that operates as a cloud-based service. The solution enables financial institutions to provide a consistent security experience across multiple service channels by offering mobile and web Software Development Kits ("SDK"). The briidge.net Connect SDK is used by embedding it into existing applications. Rather than developing and implementing a strong authentication solution for each stand-alone application, financial institutions can seamlessly embed briidge.net Connect functionality into existing web and mobile applications. This allows financial institutions to maintain full control of the customer experience. To facilitate a consistent customer experience across channels, it enables customers to use their personal devices in a simple and secure manner (e.g., personal mobile phone, tablet, laptop, and workstations) for personal banking accounts, without separate mobile apps, desktop software, or carrying external devices such as OTP tokens.

How does briidge.net Connect Work?

Coalfire's testing procedures found that each user is assigned a unique cryptographic key for each device used. User verification requires a multi-device 4-6 digit PIN Code (or Passcode). Only users with verified devices can access the user verification service. Unlike a typical SMS based system, the application provides its own dedicated secure channel to the briidge.net Connect application via Transport Layer Security (TLS) v1.2.

Layered Security and Dynamic Authentication Connect Service:

One of the strengths of briidge.net Connect is the ability to provide a unique device ID, which allows organizations to identify customers across multiple channels. It installs a credential in the personal devices customers use (i.e. mobile phones, tablets, laptops, etc.). During setup, briidge.net Connect interrogates the customer's device and determines the most secure location to store the unique cryptographic key that protects the customer's Digital ID. The SDK determines if the device has a hardware secure container, such as Trusted Execution Environment ("TEE"), Hardware Secure Element ("HW-SE"), SIM Secure Element ("SIM-SE") or Intel Identity Protection Technology ("IPT").
If a hardware secure container is not found, Connect constructs a software based Virtual Secure Element ("vse") on the device using cryptographic keys with secure key management. The key management protocols are facilitated by a cloud-based Hardware Security Module ("HSM"), which implements specifications for cryptographic security from Federal Information Processing Standard ("FIPS") In addition, the Company incorporates a key management protocol for personalizing the credential based on the Global Platform ("GP") SCP-03 standard. Ordinary devices contain a trusted credential, which provides an assurance to a financial institution that the device accessing their services meets an acceptable level of security.

briidge.net Connect can help organizations with respect to customer authentication. The Company has evolved the traditional client-server username/password concept to be simpler and more secure with a cryptographic PIN ("Crypto-PIN") Code that unlocks keys from secure storage used to generate dynamic authentication cryptograms. The same Passcode or PIN is synchronized across all of a user's enrolled devices. Together, verified device and Crypto-PIN are two factors of authentication. The Crypto-PIN itself is never stored on the customer's device or any of the servers, making the process real-time. Coalfire reviewed the account access and authentication transaction processes and verified that the Customer provides a unique, dynamic, cryptographic authentication token for each transaction, which verifies the device and user.

Figure 3 - SecureKey briidge.net Connect Overview

Connect integrates with existing technologies, while enhancing their capabilities. Briidge.net Connect allows financial institutions to integrate other authentication technologies. Fingerprints or other biometric scans can be included as additional authentication factors for high-risk transactions. This is a significant advantage to financial institutions that already have fraud engines and identity verification systems in place. Briidge.net Connect's device identification process is compatible with multiple platforms. All devices registered and associated to the end user's digital ID become trusted. Customers only need one credential for many devices, which provides dynamic authentication for every access, and every transaction.
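
The flow described above (a per-device key, a PIN that is never stored, and a fresh cryptogram per transaction) can be modelled in a short Python sketch; it is an added illustration, not SecureKey's protocol and not code from the Coalfire report. The PBKDF2/XOR key masking, the HMAC-SHA-256 cryptogram, the server nonce, the binding to transaction bytes, the lockout threshold and every name in it are assumptions of the sketch.

```python
"""Toy model of device-key + PIN authentication with per-transaction cryptograms.

Illustrative only: every name and primitive choice here is an assumption of
this sketch, not the briidge.net Connect design.
"""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 50_000   # assumed work factor
KEY_LEN = 32
NONCE_LEN = 16           # fixed length keeps nonce || transaction unambiguous


def _pin_mask(pin: str, salt: bytes) -> bytes:
    # Stretch the PIN into a mask. Neither the PIN nor a hash of it is stored.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS, dklen=KEY_LEN)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enroll_device(pin: str):
    """Create a per-device key; return (device_blob, server_key).

    The device keeps only the key XOR-masked with the PIN-derived mask. There
    is no integrity tag on the blob, so a wrong PIN silently yields a wrong
    key and a stolen blob alone gives no local way to test PIN guesses.
    """
    device_key = secrets.token_bytes(KEY_LEN)
    salt = secrets.token_bytes(16)
    blob = {"salt": salt, "masked_key": _xor(device_key, _pin_mask(pin, salt))}
    return blob, device_key   # server_key stands in for an HSM-held copy


def make_cryptogram(blob: dict, pin: str, nonce: bytes, transaction: bytes) -> bytes:
    """Device side: unmask the key with the entered PIN and MAC the challenge."""
    key = _xor(blob["masked_key"], _pin_mask(pin, blob["salt"]))
    return hmac.new(key, nonce + transaction, hashlib.sha256).digest()


class Verifier:
    """Server side: single-use nonces, constant-time compare, guess limit."""

    def __init__(self, server_key: bytes, max_failures: int = 3):
        self._key = server_key
        self._max_failures = max_failures
        self._failures = 0
        self._outstanding = set()

    @property
    def locked(self) -> bool:
        return self._failures >= self._max_failures

    def new_challenge(self) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, transaction: bytes, cryptogram: bytes) -> bool:
        if self.locked or nonce not in self._outstanding:
            return False                      # locked out, or replayed/unknown nonce
        self._outstanding.discard(nonce)      # each challenge is accepted once
        expected = hmac.new(self._key, nonce + transaction, hashlib.sha256).digest()
        if hmac.compare_digest(expected, cryptogram):
            self._failures = 0
            return True
        # A 4-6 digit PIN has at most 10**6 values, so online guesses must be capped.
        self._failures += 1
        return False


def demo() -> dict:
    """Run the cases a reviewer would check (constructed sample values)."""
    blob, server_key = enroll_device("4821")
    server = Verifier(server_key)
    tx = b"transfer|to=ACCT-EXAMPLE-1|amount=100.00"
    results = {}

    n = server.new_challenge()
    c = make_cryptogram(blob, "4821", n, tx)
    results["correct_pin"] = server.verify(n, tx, c)
    results["replayed_cryptogram"] = server.verify(n, tx, c)

    n = server.new_challenge()
    c = make_cryptogram(blob, "4821", n, tx)
    altered = b"transfer|to=ACCT-EXAMPLE-2|amount=9000.00"
    results["altered_transaction"] = server.verify(n, altered, c)

    for guess in ("0000", "1234"):            # wrong PINs fail only at the server
        n = server.new_challenge()
        server.verify(n, tx, make_cryptogram(blob, guess, n, tx))
    results["locked_after_failures"] = server.locked
    return results


if __name__ == "__main__":
    print(demo())
```

In this model an attacker who also captures a valid cryptogram with its nonce and transaction can test PIN guesses offline, which is why the sketch assumes the exchange runs inside the TLS channel the report describes.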

Figure 4 - Secure Connect Scalability

Summary and Conclusion:

Based upon the results of our review, briidge.net Connect meets the FFIEC's layered security guidance for authentication in an Internet Banking Environment. Briidge.net Connect will provide a financial institution with the assurance of secure customer authentication. The threats from Crimeware and Banking Trojans are dramatically reduced by SecureKey's design. The multi-device Crypto-PIN is not usable without the verified physical devices that users have registered. Passwords, usernames, and PII cannot be stolen because Connect replaces them with cryptograms and verified devices. Connect does not have exposure to the same threats as password based schemes, because the solution does not depend on knowledge-based authentication factors vulnerable to theft and replay. The benefits of an SDK solution enable a financial institution to implement additional levels of security that can be used for low-to-high risk transactions in all types of Internet Banking Environments.
More informationImproving Online Security with Strong, Personalized User Authentication
Improving Online Security with Strong, Personalized User Authentication July 2014 Secure and simplify your digital life. Table of Contents Online Security -- Safe or Easy, But Not Both?... 3 The Traitware
More informationAuthentication in an Internet Banking Environment
Federal Financial Institutions Examination Council FFIEC Logo 3501 Fairfax Drive Room 3086 Arlington, VA 22226-3550 (703) 516-5588 FAX (703) 516-5487 http://www.ffiec.gov Authentication in an Internet
More informationIDENTIFY YOUR CUSTOMERS
CONFIDENTID MOBILE USER AUTHENTICATION IDENTIFY YOUR CUSTOMERS BEYOND A SHADOW OF A DOUBT solutions for SECURE MOBILE AND ONLINE BANKING AUTHENTICATE WITH CONFIDENCE RECOGNIZE YOUR CUSTOMERS AND YOUR RISKS
More informationBeyond passwords: Protect the mobile enterprise with smarter security solutions
IBM Software Thought Leadership White Paper September 2013 Beyond passwords: Protect the mobile enterprise with smarter security solutions Prevent fraud and improve the user experience with an adaptive
More informationA Developer s Guide to Securing Mobile Applications
A Developer s Guide to Securing Mobile Applications Copyright 2014 VASCO Data Security. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted,
More informationADDING STRONGER AUTHENTICATION for VPN Access Control
ADDING STRONGER AUTHENTICATION for VPN Access Control Adding Stronger Authentication for VPN Access Control 1 ADDING STRONGER AUTHENTICATION for VPN Access Control A VIRTUAL PRIVATE NETWORK (VPN) allows
More informationHow To Choose An Authentication Solution From The Rsa Decision Tree
White paper The RSA Decision Tree: Selecting the Best Solution for Your Business What is the best authentication solution for my business? This is a recurring question being asked by organizations around
More informationONLINE BANKING SECURITY TIPS FOR OUR BUSINESS CLIENTS
$ ONLINE BANKING SECURITY TIPS FOR OUR BUSINESS CLIENTS Boston Private Bank & Trust Company takes great care to safeguard the security of your Online Banking transactions. In addition to our robust security
More informationGlobal ediscovery Client Data Security. Managed technology for the global legal profession
Global ediscovery Client Data Security Managed technology for the global legal profession Epiq Systems is a global leader in providing fully integrated technology products and services for ediscovery and
More informationContactless Smart Cards vs. EPC Gen 2 RFID Tags: Frequently Asked Questions. July, 2006. Developed by: Smart Card Alliance Identity Council
Contactless Smart Cards vs. EPC Gen 2 RFID Tags: Frequently Asked Questions July, 2006 Developed by: Smart Card Alliance Identity Council Contactless Smart Cards vs. EPC Gen 2 RFID Tags: Frequently Asked
More informationANALYTICS WHITE PAPER. MicroStrategy Analytics: Delivering Secure Enterprise Analytics
MicroStrategy Analytics: Delivering Secure Enterprise Analytics Copyright Information All Contents Copyright 2015 MicroStrategy Incorporated. All Rights Reserved. Trademark Information MicroStrategy, MicroStrategy
More informationWhite Paper Preventing Man in the Middle Phishing Attacks with Multi-Factor Authentication
White Paper Preventing Man in the Middle Phishing Attacks with Multi-Factor Authentication Page 1 of 8 Introduction As businesses and consumers grow increasingly reliant on the Internet for conducting
More informationAnti-Money Laundering Policy Manual Table of Contents [Sample Client] Table of Contents
Table of Contents [ Client] Table of Contents TABLE OF CONTENTS... 1 CHAPTER 1 INTRODUCTION... 3 1.1 GOALS AND OBJECTIVES... 3 1.2 REQUIRED REVIEW... 3 1.3 APPLICABILITY... 3 1.4 MONEY LAUNDERING DEFINED...
More informationIDENTITY & ACCESS. BYOD and Mobile Security Seizing Opportunities, Eliminating Risks in a Dynamic Landscape
IDENTITY & ACCESS BYOD and Mobile Security Seizing Opportunities, Eliminating Risks in a Dynamic Landscape Introduction How does your enterprise view the BYOD (Bring Your Own Device) trend opportunity
More informationSmart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi
Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Purpose This paper is intended to describe the benefits of smart card implementation and it combination with Public
More informationKey Authentication Considerations for Your Mobile Strategy
Key Authentication Considerations for Your Mobile Strategy The Need for Mobile Authentication Reaches Critical Mass According to an old adage, consumers speak through their pocketbooks. While that saying
More informationModern two-factor authentication: Easy. Affordable. Secure.
Modern two-factor authentication: Easy. Affordable. Secure. www.duosecurity.com Your systems and users are under attack like never before The last few years have seen an unprecedented number of attacks
More informationMoving Beyond User Names & Passwords Okta Inc. info@okta.com 1-888-722-7871
Moving Beyond User Names & Passwords An Overview of Okta s Multifactor Authentication Capability Okta Inc. 301 Brannan Street San Francisco, CA 94107 info@okta.com 1-888-722-7871 Contents 1 Moving Beyond
More informationFRAUD PREVENTION IN M-COMMERCE: ARE YOU FUTURE PROOFED? A Chase Paymentech Paper
FRAUD PREVENTION IN M-COMMERCE: ARE YOU FUTURE PROOFED? A Chase Paymentech Paper In the UK, Europe s largest online market, consumers continue to embrace m-commerce at an astonishing speed with an estimated
More informationThe Security Behind Sticky Password
The Security Behind Sticky Password Technical White Paper version 3, September 16th, 2015 Executive Summary When it comes to password management tools, concerns over secure data storage of passwords and
More informationThe 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance
Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand
More informationJim Bray, Cyber Security Adviser InfoSight, Inc.
Best Practices for protecting patient data Training and education is your best defense! Presented by Jim Bray, Cyber Security Adviser InfoSight, Inc. 2014 InfoSight Cyber Security starts with education
More informationIntel Identity Protection Technology (IPT)
Intel Identity Protection Technology (IPT) Enabling improved user-friendly strong authentication in VASCO's latest generation solutions June 2013 Steve Davies Solution Architect Intel Corporation 1 Copyright
More informationTarget Security Breach
Target Security Breach Lessons Learned for Retailers and Consumers 2014 Pointe Solutions, Inc. PO Box 41, Exton, PA 19341 USA +1 610 524 1230 Background In the aftermath of the Target breach that affected
More informationThe Convergence of IT Security and Physical Access Control
The Convergence of IT Security and Physical Access Control Using a Single Credential to Secure Access to IT and Physical Resources Executive Summary Organizations are increasingly adopting a model in which
More informationSecuring Virtual Desktop Infrastructures with Strong Authentication
Securing Virtual Desktop Infrastructures with Strong Authentication whitepaper Contents VDI Access Security Loopholes... 2 Secure Access to Virtual Desktop Infrastructures... 3 Assessing Strong Authentication
More informationMobile Security. IIIIII Security solutions for mobile as an endpoint. financial services & retail. enterprise. public sector. telecommunications
Mobile Security IIIIII Security solutions for mobile as an endpoint financial services & retail enterprise public sector telecommunications transport IIIIII Table of Contents The challenges of mobile security....
More informationMoving Beyond User Names & Passwords
OKTA WHITE PAPER Moving Beyond User Names & Passwords An Overview of Okta s Multifactor Authentication Capability Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107 info@okta.com 1-888-722-7871
More informationTransitioning to Push Authentication
Transitioning to Push Authentication Summary Current out-of-band authentication solutions have not proven to be up to the task of protecting critical user data, and have been disabled in a variety of recent
More informationFive keys to a more secure data environment
Five keys to a more secure data environment A holistic approach to data infrastructure security Compliance professionals know better than anyone how compromised data can lead to financial and reputational
More informationEnterprise Computing Solutions
Business Intelligence Data Center Cloud Mobility Enterprise Computing Solutions Security Solutions arrow.com Security Solutions Secure the integrity of your systems and data today with the one company
More informationDEA's New Proposed Regulations For E-Prescribing
Portfolio Media, Inc. 648 Broadway, Suite 200 New York, NY 10012 www.law360.com Phone: +1 212 537 6331 Fax: +1 212 537 6371 customerservice@portfoliomedia.com DEA's New Proposed Regulations For E-Prescribing
More informationVoiceTrust Whitepaper. Employee Password Reset for the Enterprise IT Helpdesk
VoiceTrust Whitepaper Employee Password Reset for the Enterprise IT Helpdesk Table of Contents Introduction: The State of the IT Helpdesk...3 Challenge #1: Password-Related Helpdesk Costs are Out of Control...
More information