The Implementation of Multifactor Authentication in Canadian Financial Institutions. By Wilson Yee Tsun Lo ACC 626

Transcription

1 The Implementation of Multifactor Authentication in Canadian Financial Institutions By Wilson Yee Tsun Lo ACC 626

2 1.0 Introduction The Internet has enabled financial institutions to offer various additional banking services for both their individual and corporate customers. Individuals may perform online transactions and other banking services at their convenience with the click of a mouse. On the other hand, financial institutions benefit from improved efficiency and significant amount of savings. As such, online banking services are often promoted by these institutions to their customers. Nonetheless, with the increasing popularity of online financial services for customers, the main challenge is to ensure that their customer s confidential information is secured against fraud and other malicious attacks. Unlike performing a transaction at a branch where the identity may be verified in person with valid identifications, a detailed authentication process is required for online banking to monitor and control access to customer s banking information. Authentication techniques must be implemented by security professionals as a part of the company s security measures to prevent fraudulent attacks from exposing the company to unnecessary legal liabilities and a loss of business. The majority of financial institutions in the United States have implemented some form of multifactor authentication as required by the Federal Financial Institutions Examination Council. In Canada, although several institutions have voluntarily implemented multifactor authentication, there are currently no guidelines or regulations in place to enforce the security system for online banking services. The purpose of this report is to provide an analysis of multifactor authentication to determine whether financial institutions in Canada should implement some form of multifactor authentication. This is achieved by examining the features and issues of multifactor authentication and providing an in-depth analysis of the techniques that are available to implement multifactor authentication. 2.0 Analysis 2.1 What is Multifactor Authentication? Multifactor authentication is a security system in which more than one form of authentication is implemented to verify the legitimacy of a transaction. 1 In terms of internet banking services, it is used to prevent unauthorized access to a customer s online banking information by combining both physical and/or logical access controls. There are 3 general forms of authentication: 1 Multifactor Authenticaiton (MFA). 12 April TechTarget. 7 July < 1 of 14 1

3 1) Something you know (e.g. password) 2) Something you have (e.g. fob or a token) 3) Something you are (e.g. fingerprint or eye scan) 2 Multifactor authentication makes use of at least two of the above combinations. In addition to incorporating the use of technologies, institutions can also establish proper policies, procedures and controls. 3 The chief information security officer (CISO) works closely with the marketing team to design and implement a multifactor authentication product that is approved by bank customers in addressing the risks of the transactions. Risk-based assessments are carried out to determine the level of authentication controls required to properly address the risk of identity theft, online fraud and loss of confidential customer information. 4 If the risk is moderate, a combination of a shared secret and a token may be sufficient. The addition of biometrics, such as fingerprint recognition, may be required if the high-risk transactions are involved. The risk assessment must take into consideration the type of customers, the functions available, the sensitivity of the information, and the volume of transactions Implementation of Multifactor Authentication in United States The Federal Financial Institutions Examination Council (FFIEC) issued an announcement, Authentication in an Internet Banking Environment in mid-october 2005, which mandates financial institutions in the United States to review and determine which of the provided internet services require enhanced authentication techniques. 6 The single-factor authentication, which only requires one type of identification verification from the customer, is inadequate for online financial transactions. The FFIEC guideline states that the agencies consider single-factor authentication, as the only control mechanism, to be inadequate for highrisk transactions involving access to customer information or the movement of funds to other parties. 7 The FFIEC requested financial institutions to apply multifactor or any other approach that addresses high risk transactions by the end of 2006 for auditing compliance with the rules. 2 Authentication in an Internet Banking Environment. FFIEC. 11 July < 3 Ibid 4 Childs, Robert S. Banking on Multifactor Authentication. 22 February SearchFinancialSecurity. 3 June < 5 Authentication in an Internet Banking Environment. FFIEC. 11 July < 6 Cocheo, Steve. Read this before you take Multi-factor Plunge. American Bankers Association. ABA Banking Journal. May Vol. 98 Issue 5. Page ABI Inform. University of Waterloo, ON. 7 Authentication in an Internet Banking Environment. FFIEC. 11 July < 2 of 14 2

4 According to a study performed by Javelin Strategy & Research, approximately 20% of the banks in the survey were using multi-factor authentication before the deadline. In 2007, 88% of the banks have implemented multi-factor authentication techniques. 8 It should be noted that there were some confusions among the banks on the authentication technique to implement before the 2006 year-end deadline. The FFIEC guideline states that it does not endorse any particular technology. 9 It only asks financial institutions to assess their own risk and conclude on an alternative that meets their needs. However, banks, vendors and experts were over focused on the term multi-factor authentication. The FFIEC guideline does not explicitly state that multi-factor authentication is the only solution Multi-factor Authentication Technologies Share Secrets Selected by the customer during the enrollment stage, shared secrets represent some information that is known by both the customer and authenticating entity. By demanding a periodic change to the shared secret, this can enhance the security of the system, as the risk of theft decreases when it is periodically updated. Security is also enhanced when more than one shared secret is used by authenticating entities. Some examples of shared secrets include 11 : Password and PINs Questions or queries that require specific customer knowledge to answer Customer-selected images that must be identified or selected from a pool of images Tokens Tokens are physical devices that are classified under something you have. In order to achieve multi-factor authentication, companies only have to add this technology to its existing user name and password system. The three common types of tokens are: USB Tokens A USB token is a small device that can be attached to a keychain or placed in a pocket. In order to access a computer or network, the USB token is inserted into the USB port, and the user enters his/her password for authorization. Customers are not required to install any specific 8 Bruno-Britz, Maria. FFIEC Rules Making a Difference Javelin study finds more banks using multifactor authentication. Bank Systems & Technology. December Vol. 44 Issue 12. Page 17. ABI Inform. University of Waterloo, ON. 9 Authentication in an Internet Banking Environment. FFIEC. 11 July < 10 Feig, Nancy. The Final Countdown As the FFIEC Online Banking Authentication Deadline Looms, Banks work through the Confusion to select their Solutions. Bank Systems & Technology. September Vol. 43 Issue 9. Page 11. ABI Inform. University of Waterloo, ON. 11 Authentication in an Internet Banking Environment. FFIEC. 11 July < 12 Ibid 3 of 14 3

5 hardware on their computer. The authentication service then verifies the user by prompting for their password to log in to the system. 13 As USB tokens are difficult to copy and tamper-proof, they are a good candidate for storing a variety of information and security functions, such as cryptography, and other physical and logical access controls. They can store digital certificates that may be used in a public key infrastructure environment. Because of their acceptable size, processing power and storage capabilities, USB tokens are becoming popular. Its size allows the user to carry it around in their pocket and they are simple to use. 14 One of the vendors that produce USB tokens is SafeNet. The SafeNet ikey USB Token is a USB-based portable PKI authentication token that generates and stores digital credentials. 15 It allows the company to implement the technology without installing any card readers or biometric devices. Smart Cards A smart card is comparable to a credit card in its shape and size. Similar to a USB token, a microprocessor is embedded in it, containing user credentials such as digital certificates, encryption keys, and digital signatures. For log-in purposes, the smart card is inserted into a network-attached or embedded smart card reader, and the reader sends the data to the authentication server. Similarly, the authentication service then verifies the user by prompting for their password to log in to the system. 16 Due to the similarities between a smart card and a USB token, SafeNet is also a vendor that produces Smart Cards. The SafeNet Smart Card is provided in two formats as a Java card or as a multi-function card employing the highly secure DKCCOS card operating system. 17 It can also be used as a physical access control card by using magnetic stripe technologies. One-time Passwords (OTP) A one-time password (OTP) token generates a unique password every 30 or 60 seconds. Customers must enter a regular password and the OTP generated by the token in order to be authenticated. By changing the password after every use, it becomes increasingly difficult for a thief to access a customer s online account. OTP either applies mathematical algorithm to 13 Ibid 14 Multi-factor Authentication. Safe Net. 11 June < 15 Ibid 16 Ibid 17 Ibid 4 of 14 4

6 generate a new password, or relies on time synchronization between the server and the client. This is beneficial because customers do not have to worry about the risk of a theft stealing the password. However, there is a significant cost associated with this technology as hardware tokens must be supplied to customers, along with the necessary training. 18 RSA is one of the most well-known vendors that produce OTP s. Information Security Magazine ranked RSA Security SecurID as the 2005 product of the year gold award. By automatically changing the password every 60 seconds, it provides authentication when accessing data and applications via wireless networks, VPNs, and web servers. It is a token that cannot be reverse-engineered and cannot be easily broken. With its size and reputation, SecurID allows large companies to handle authentication for millions of users and hundreds of applications using its Authentication and Deployment managers Biometrics Biometric technologies are most commonly combined with a password or a token to produce a multifactor authentication system. Categorized under something you are, they record a unique physiological or physical characteristic of the individual and use it to verify a user s identity. Facial structure, iris configuration, or fingerprints is classified as physiological characteristics. The rate of movement, such as the pattern of typing on a computer keyboard is classified as a physical characteristic. During the enrollment process, a sample of data relating to the user s characteristics is gathered and stored in the biometric-based system as the template. Similar to passwords, there is a risk that these templates may be stolen. When customers log in with a live-scan, the result is compared to the registered template. Access is only granted when the result matches with the template. 20 Financial institutions in North America and Europe have increased the use of biometrics as a measure of increasing security and convenience. For example, institutions in the United States used fingerprint recognition and voice verification to comply with FFIEC. Biometrical enabled ATMs are also popular in Japan, and have been implemented in India, Latin America, and the Middle East. World Financial biometrics Market, a consulting firm, determined that 18 Myerson, Judith. Pros and cons of multifactor authentication technology for consumers. 28 May SearchFinancialSecurity.com. 3 June < 19 Products of the Year: Authentication and Authorization. 4 January SearchSecurity.com. 11 June < 20 Authentication in an Internet Banking Environment. FFIEC. 11 July < 5 of 14 5

7 $117.3 million in 2006 was generated from the sale of biometrics, and estimates that $2.07 billion will be generated in Biometric data is similar to other data. It is stored in a server, which is prone to hackers if it is not secured. Companies must ensure the transmission is encrypted when transmitting from the biometric reader to the authenticating server. 22 However, there are no regulations to protect biometric data, as it is normally treated as an authentication credential. Regulations such as Sarbanes-Oxley, Health Insurance Portability and Accountability Act and Gramm-Leach-Bliley Act require security and access controls for customers and employee data only. Biometric data is not considered as employee or customer data, thus it is not being accounted for in the regulations. 23 Biometrics provides financial institutions with better security, convenience and time efficiency. However, customers who do not know how a biometrics work perceives this tool as an invasion of their privacy. Employees and customers may be reluctant and unwilling to submit their personal biometric information. 24 This technology is complicated and requires a huge initial investment in hardware and software, when compared to passwords. For this reason, biometric authentication should only be used in high-risk systems when the cost of the breach outweighs the cost of implementing the system. For example, it may be used in a company with high-value money transfers or large amount of customer data. 25 The market for biometrics is segmented. Companies do not know whether to buy a fingerprint reader, a voice recognition system or an iris scanner. It is hard to compare each product during a company s bid process as each product is unique in terms of approach and installation. 26 However, the two biometric techniques that are becoming popular and gaining acceptance are: 21 Frost & Sullivan: The Use of Biometrics in Financial Institutions Is on the Rise. Wireless News. 31 May ABI Inform. University of Waterloo, ON. 22 Dubin, Joel. Should we use biometric authentication on devices. 6 June SearchSecurity.com. 11 June < 23 Dubin, Joel. Is there any policy or regulation to help protect biometric data. 2 May SearchSecurity.com. 7 June < 57>. 24 Frost & Sullivan: The Use of Biometrics in Financial Institutions Is on the Rise. Wireless News. 31 May ABI Inform. University of Waterloo, ON. 25 Dubin, Joel. Will biometric authentication replace the password. 15 December SearchSecurity.com. 6 June < 26 Dubin, Joel. Should we use biometric authentication on devices. 6 June SearchSecurity.com. 11 June < 6 of 14 6

8 Face Recognition This technology makes a two or three dimensional map by identifying specific features on the face. The template that is generated is stored and used for later comparisons. Face recognition is a new technology that requires further improvements. 27 A well-known biometrics vendor is Acsys Biometrics, who specializes in the development of facial biometrics and voice biometrics. Their biometric solutions may be customized to fit the needs of government agencies, financial institutions, manufacturing and health sectors. 28 Fingerprint recognition This technology analyzes the pattern and only stores the unique marks on the fingerprint. As fingerprints are unique and complex, it is the most accurate and mature biometric technology. Fingerprint recognition technology requires the installation of special hardware and software into the user s computer. It is to easier to install and more user-friendly for customers than other advance technologies such as an iris scan. 29 Instead of using password logins, HP has developed laptops that rely on fingerprint recognition technologies to access the computer program and data. Entrust is another well-known vendor that provides multifactor authentication. Its Entrust IdentityGuard allows companies to assign authentication techniques to various users and applications based on the risk of a given transaction. It can protect valuable data and applications with a wide range of authenticators such as one-time-password tokens, grid card, biometrics, question and answers, out-of-band and mutual authentication Out-of-Band Authentication Out-of-Band authentication occurs when the identity of the party who initiated the transaction is confirmed by a medium other than the one that the party used to request the transaction. For example, when a party initiates an online fund transfer or other monetary transaction, the server will generate a telephone call that will ask for a pre-determined confirmation number, word or phrase to confirm the transaction. 31 Authentify is a leader in out-of-bank authentication. It uses the telephone as an automated authentication device to provide an Internet security process. After a transaction is 27 Authentication in an Internet Banking Environment. FFIEC. 11 July < 28 The Evolution of Security. Acsys Biometrics Corp. 20 July < 29 Authentication in an Internet Banking Environment. FFIEC. 11 July < 30 Entrust Bolsters GetAcess with IdentityGuard Multifactor Authentication. Wireless News. 9 September ABI Inform. University of Waterloo, ON. 31 Authentication in an Internet Banking Environment. FFIEC. 11 July < 7 of 14 7

9 made, the Authentify software will immediately contact the party to gather user contact and a proof of consent Issues related to Multi-factor Authentication? One issue related to multifactor authentication is getting general customer acceptance. It is difficult and time-consuming to educate and explain the idea behind multifactor authentication. Customers want to access their banking information fast and without any trouble. As a token may be lost or stolen, it would create a lot of trouble for the customer to replace it. In addition, the accuracy of biometric readers is questionable. The user s fingerprints may be smudged, faces and voices may change over time and these biometric data can potentially be misread. As a result, this may prevent the access of legitimate users or permit the access of unauthorized users. 33 By asking customers to provide an answer to a question that the customer previously created, this causes a lot of trouble when they forget the answer they previously chosen. Customers will have to contact the institution s customer service hotline, and ask them to reset the web account. A verification process is also in place when the customer wishes to contact a service representative. This time consuming process defeats the purpose of having a fast and trouble-free web account. Multifactor authentication is costly to implement and maintain. Companies may need to install a new set of hardware and application servers. Forrester Research, a research analyst firm, states that the estimated annual cost per user for the administration of password is between $340 and $800. For larger companies that require password for a wide range of applications, the average annual cost is $550 per user. 34 The maintenance costs, in addition to the initial installation costs required for the specific multifactor authentication tool are often reasons for institutions to defer the implementation until it is deemed necessary by the enactment of a regulation by a governing body. For multi-national firms, they should consider the ease of deployment, which includes enrollment and administration. It is difficult to deploy multifactor authentication tools and software to all offices around the world. For example, distributing tokens for a geographically dispersed company will be a hard task, as each token must be assigned to the right employee, 32 The Leader in Out-of-Bank Authentication. Authentify. 14 July < 33 Dubin, Joel. Should we use biometric authentication on devices. 6 June SearchSecurity.com. 11 June < 34 Byme, Jim. Large-scale Biometric Management: A Centralized, Policy-based Approach to Reducing Organizational Identity Chaos. Vol ISACA. 7 June < 8 of 14 8

10 registered and enrolled into the system. The challenge is to find out and verify whether the enrolled employee is actually the intended user. 35 Although multi-factor authentication is effective in fighting online fraud, criminals have switched back to phone and mail-frauds where they pretend to be bank representatives and ask for account details. An investigation performed by Javelin Strategy and Research has discovered that the number of fraud and victims in the United Sates is overall continuously declining as a result of the multi-factor authentication and other fraud-fighting tools. Specifically, there are 3 consecutive years of declining losses from identify theft. However, the number of old vishing methods by criminal enterprises have increased to 40% of all fraud incidents in 2007 from 3% in 2006, as it is less expensive and easy to deceive careless customers. 36 Vishing uses Voice over IP to gain access to the telephone system and scam customers to disclose personal information by claiming to be a legitimate financial institution. 37 Multifactor authentication may not be useful when the situation involves friends or family members. Investigators have seen a persistent increase in the number of family or friend related identity theft, and victims do not want to accuse them. The victims want their money back, but they don t want their family member arrested. In this situation, any multi-factor authentication or other techniques will not be capable of preventing any fraud actions Implementation of Multifactor Authentication in Canada There are currently no requirements for Canadian banks to implement multifactor authentication. However, according to Celent LLC, a Boston-based research firm, about 44% of Canadian banks have some sort of multi-factor authentication for online banking. 39 TD Bank Financial Group, which is one of the early adopters, launched EasyWeb IdentificationPlus in April 2007, which allows customers to choose five questions from a list and provide answers for future verification purposes. The online system asks one of these questions when the customer logs in from a different computer or performs a high-risk transaction. The system places a web cookie on the customer s computer after the question is answered so that a question will not be 35 Stephenson, Peter. Multifactor authentication January SC Magazine. 6 June < 36 Fest, Glen. Thwarted Online, Fraud Goes Low-Tech Again. USBanker. April Vol. 118 Issue 4 Page 16. ABI Inform. University of Waterloo, ON. 37 Vishing or Voice Phishing. 28 April RCMP. 11 July < 38 Fest, Glen. Thwarted Online, Fraud Goes Low-Tech Again. USBanker. April Vol. 118 Issue 4 Page 16. ABI Inform. University of Waterloo, ON. 39 Buckler, Grant. There's no single answer to securing online banking. 1 November The Globe and Mail. 7 June < 9 of 14 9

11 asked again when the customer uses the same computer to login the next time. On the other hand, HSBC Bank s online service asks a question regardless of the computer the customer is using. 40 When looking at the multifactor authentication techniques offered by TD Bank Financial Group and HSBC Bank, one would question whether they are really offering multifactor authentication. The two banks are enhancing security by making use of two share secrets. However, it would not be difficult for hackers to gain access to both these shared secrets as they are most likely stored together in the bank s database. Although Canadian banks are mainly focused on online services, they are also investing multi-factor authentication tools for ATMs and phone transactions. Celent quotes that 7% of Canadians use phone, 27% uses online, 29% in-person and 33% uses bank machine for banking. ING Direct s services are mostly provided by phone, since it does not have any branches. In order to verify the caller, ING employees compare the calling number with customer records. In addition, ING Direct has tried voice identification, but there are accuracy problems. 41 Other authentication methods are required if customers desire to perform a transaction from places other than the calling number stated in their records. 3.0 Conclusion Multifactor authentication provides better security to customers by making use of more than one form of authentication to validate a transaction. Although not mandatory, Canadian financial institutions should consider the implementation of multifactor authentication as it provides better security for their customers using their online services. They must understand that the costs of providing the security may be compensated by customer confidence and smaller losses from thefts. Financial institutions need to perform a risk assessment to determine the type of authentication required. However, institutions must take into consideration customer acceptance and the ease of development of the technology, as tokens may need to be distributed during enrolment. They need to be aware that criminals may simply switch to other forms of frauds that do not require usage of the internet. Manufacturers must constantly seek to improve and develop advanced technologies that produce the minimal amount of error. 40 Buckler, Grant. There's no single answer to securing online banking. 1 November The Globe and Mail. 7 June < 41 Ibid 10 of 14 10

12 Appendix The intended audiences of this report are Canadian financial institution executives, mainly chief information security officers, who are debating whether to implement multifactor authentication for their company. They must decide whether it is worthwhile to implement some form of multifactor authentication before a regulation is enacted. This would ensure that a proper planning for the implementation is carried out and not rushed. The executive also wants to satisfy their customers concerns regarding the security of internet services by implementing enhanced controls. 11 of 14 11

13 Works Cited Note: Items in bold represent new sources found after the submission of the annotated bibliography Authentication in an Internet Banking Environment. FFIEC. 11 July < Bruno-Britz, Maria. FFIEC Rules Making a Difference Javelin study finds more banks using multifactor authentication. Bank Systems & Technology. December Vol. 44 Issue 12. Page 17. ABI Inform. University of Waterloo, ON. Buckler, Grant. There's no single answer to securing online banking. 1 November The Globe and Mail. 7 June < NStory/GlobeTQ/home/>. Byme, Jim. Large-scale Biometric Management: A Centralized, Policy-based Approach to Reducing Organizational Identity Chaos. Vol ISACA. 7 June < Childs, Robert S. Banking on Multifactor Authentication. 22 February SearchFinancialSecurity. 3 June < Cocheo, Steve. Read this before you take Multi-factor Plunge. American Bankers Association. ABA Banking Journal. May Vol. 98 Issue 5. Page ABI Inform. University of Waterloo, ON. Dubin, Joel. Is there any policy or regulation to help protect biometric data. 2 May SearchSecurity.com. 7 June < _tax299857,00.html?bucket=ETA&topic=299857>. Dubin, Joel. Should we use biometric authentication on devices. 6 June SearchSecurity.com. 11 June of 14 12

14 < ,00.html>. Dubin, Joel. Will biometric authentication replace the password. 15 December SearchSecurity.com. 6 June < ,00.html>. Entrust Bolsters GetAcess with IdentityGuard Multifactor Authentication. Wireless News. 9 September ABI Inform. University of Waterloo, ON. The Evolution of Security. Acsys Biometrics Corp. 20 July < Feig, Nancy. The Final Countdown As the FFIEC Online Banking Authentication Deadline Looms, Banks work through the Confusion to select their Solutions. Bank Systems & Technology. September Vol. 43 Issue 9. Page 11. ABI Inform. University of Waterloo, ON. Fest, Glen. Thwarted Online, Fraud Goes Low-Tech Again. USBanker. April Vol. 118 Issue 4 Page 16. ABI Inform. University of Waterloo, ON. Frost & Sullivan: The Use of Biometrics in Financial Institutions Is on the Rise. Wireless News. 31 May ABI Inform. University of Waterloo, ON. The Leader in Out-of-Bank Authentication. Authentify. 14 July < Multifactor Authenticaiton (MFA). 12 April TechTarget. 7 July < Multi-factor Authentication. Safe Net. 11 June < Myerson, Judith. Pros and cons of multifactor authentication technology for consumers. 28 May SearchFinancialSecurity.com. 3 June < Products of the Year: Authentication and Authorization. 4 January SearchSecurity.com. 11 June < 13 of 14 13

15 Stephenson, Peter. Multifactor authentication January SC Magazine. 6 June < Vishing or Voice Phishing. 28 April RCMP. 11 July < 14 of 14 14