THE FFIEC CHALLENGE A Call for Reliable Authentication

Transcription

1 THE FFIEC CHALLENGE A Call for Reliable Authentication March 14, 2006 ISACA LOS ANGELES RISK ADVISORY SERVICES INFORMATION RISK MANAGEMENT

2 Agenda The FFIEC Challenge Current/Future Authentication Scenarios The Authentication Risk Assessment Customer Security Awareness Evaluation Authentication Vendors/Technology Options Questions/Comments/Discussion 2

3 The FFIEC Challenge New Accounts & Other Frauds Misuse of Existing Accounts (credit card & non-credit card) All Identity Theft Number of Persons 3.25 Million 6.68 Million 9.93 Million Loss to Financial Institutions $32.9 Billion $14 Billion 46.9 Billion Loss to Victims $3.8 Billion $1.1 Billion $5 Billion Cost Spent Resolving Issues 194 million hours 100 million hours 297 million hours FTC,

4 FFIEC Guidance Requirements The new guidance states that, financial institutions regulated by the agencies should conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing their Internet-based financial services. 4

5 The Challenge - Scope The FFIEC guidance is focused on highrisk transactions that include, access to customer information or the movement of funds to other parties. 5

6 The Challenge - Scope Access to customer information includes data types that can be used for account hijacking or identity theft, such as names, addresses and phone numbers, social security numbers, bank account numbers and account details held for bill payment purposes (credit cards and other bills paid through online banking). 6

7 The Challenge - Scope The movement of funds to other parties should include bill payment, wire transfers, transfers to accounts not held by the customer at that given institution, and transfers to other accounts held by the customer outside of a given institution. 7

8 Strong Authentication Other Drivers The call to action may also come from: Customers Competitors Regulatory Compliance Audit Reports Past Security Incidents 8

9 Current Authentication Scenarios Today, most financial institutions use singlefactor authentication, such as usernames and passwords, to restrict Internet access to their websites: Current State Authentication Single Factor Key 9

10 Future Authentication Scenarios Future State Authentication Two Factor Keys 10

11 Future Authentication Scenarios The guidance also takes into consideration a layered-security approach: Future State Authentication Transaction-Level Protection Transaction A Internet Banking Customer Username & Password Website Authentication Financial Institution Website Transaction B Personal/Financial Data PIN Website Authentication 11

12 Defining The Authentication Future State Customers Demand security Demand simple solutions Have varying needs by type FI Management Wants a flexible solution Demands value maximization Seeks to minimize risk and ensure compliance 12

13 Authentication Risk Assessment - Overview Authentication Risk Assessment The objectives of the authentication risk assessment are to identify and evaluate risks in the financial institution s Internet product and service offerings. Once identified, the risks should be measured against the effectiveness of the Internet authentication controls. 13

14 Authentication Risk Assessment - Overview Included in the scope of the assessment should be a review of current Internet authentication capabilities, as well as the technology which supports user authentication or the layers of security around authentication (e.g. perimeter security, anomaly detection and user account provisioning). 14

15 Authentication Risk Assessment - Overview Per each customer type and type of transaction: Calculate impact and likelihood of an authentication compromise Identify and score current security and authentication control strength Should a need for stronger authentication or layered security exist, define an action plan 15

16 Authentication Risk Assessment - Overview Risk Assessment Steps Classify/Define Data Identify Data Stores Identify Data Flows/Transactions (Internet only) Group Data Transactions Analyze and Assign Transaction Risk Factor, Likelihood Analyze Control Effectiveness 16

17 Internet Transaction Risk Scorecard Risk Factor (Impact) Likelihood (1-5) Inherent Risk Score Control Strength Score Residual Risk Score (1-5) (RFxL) (ExF) (IR-CS) Application I Transaction Group A (Initiate) Transaction Group B (Modify) Transaction Group C (Execute) Non-Transaction Specific Data

18 Sample Risk Factors Customer Type I (Retail) Transaction Group A (Initiate) Create Account Open Account Transaction Group B (Modify) Change Address Establish Bill Pay Transaction Group C (Execute) Transfer Funds, High-Dollar Transfer Funds, Non High-Dollar Pay Bill Risk Factor

19 Typical Controls Examined Sample Manual Controls Security organization structure and authority Existing Internet risk-management activities Policies and procedures for user account provisioning, access and management Policies and procedures for password use, i.e. length, complexity, re-use, forced change Customer training/literature on the FI website on how to define strong usernames and passwords 19

20 Typical Controls Examined Sample Manual Controls Customer training on phishing, malware, etc. /written notification to customers that the FI will never ask for the username, password or social security number Fraud reporting process for customers Vendor oversight Implementation of layered security, i.e. is a separate pin to execute high-dollar fund transfers 20

21 Typical Controls Examined Sample Automated Controls Authentication controls, ranked according to the NIST Assurance Level Automatic termination of internet sessions after a period of inactivity Encryption of passwords Hidden entry of passwords System capabilities to use special characters in passwords 21

22 Typical Controls Examined Sample Automated Controls Secure browsing of website (e.g. SSL) Account lockout after multiple failed attempts Integration with anomaly/fraud detection Data Integrity transmission controls Firewalls, Intrusion Detection systems Anti-virus protection on server network 22

23 Customer Security Awareness Customer Security Awareness Assessment financial institutions regulated by the [FFIEC] agencies should conduct risk-based assessments, evaluate customer awareness programs,.. 23

24 Customer Security Awareness The Customer Security Awareness Assessment focuses on the evaluation of the institution s existing Internet customer security awareness program(s), such as the institution s efforts to educate customers in the risks associated with increased Internet threats (e.g. pharming, phishing and malware) and the controls used to reduce these threats. 24

25 Customer Security Awareness Evidence of Customer Awareness The number of customers who report fraudulent attempts to obtain their authentication credentials The number of clicks on information security links of the financial institution s website The number of education statements issued via direct mail by the bank 25

26 Customer Security Awareness Evidence of Customer Awareness Low dollar losses relating to identity theft Other Activities Sample customer fraud claims Review customer response, acceptance and adoption of current security protocols and technologies. 26

27 Authentication Vendors/Technology Options Three security categories are identified through the FFIEC guidance: Authentication Layered Security Other Types of Security (not studied here) 27

28 Authentication Vendors/Technology Options KPMG divided solutions for authentication into three major areas including: Basic Authentication, Token-based Authentication Biometric Authentication 28

29 Authentication Vendors/Technology Options We then divided layered security solutions into three areas: Pattern Detection Software Installation Out-of-Band 29

30 Authentication Vendors/Technology Options Our evaluation We defined a total of 28 evaluation criteria. Each of the vendors was listed and offerings compared to each of the criteria identified. 30

31 Criteria Authentication Type Layered Security Software Basic Token-Based Biometric Pattern Detection Installation Out-of-band Vendor Challenge/Response Username/Password Digital Certificate Grid Card / Scratch Pad Hand-held Devices One-time password Phone/PDA Smartcard Software token USB Watermark Fingerprint pattern Keystroke Voice recognition Activity monitoring Behavioral Aalysis Device Forensics Device Identification Network Forensics Transaction analysis Cookie-based Digital Image Plug in Telephone dial-back Telephone Authentication Knowledge Based Auth Cross-industry collaboration Actimize X X X X X X X X Authentify X X X Corillian X X X X X X X Digital Resolve X X X X X X X Entrust X X X X X X X X X X X X MultiFactor Ath X X X X X X PassMark X X X X X X X X X X X X RSA/Cyota X X X X X X X X X X X X X Strikeforce X X X X 41st Parameter X X X X X TriCipher X X X X X X 31

32 Evaluation Scalability Time Estimates Costs (Hardware/Software, Deployment, Incremental, Maintenance Actimize Scalable based on # of servers deployed 4-6 months to implement, which includes fine tuning of models [rules] after historical data is analyzed No data provided No theoretical limitations Current deployment in the millions 6 weeks - enable time only; includes 2 weeks of QA Small deployment -Setup $15,000-$40,000 Authentify Authentify, the company, can handle 33,000 calls per hour. Does not include effort by company to formally roll-out. Large deployment - Setup $50,000 - $90,000 Corillian In recent testing of IA, authentication transactions averaged a 1/10 of a sec response time, when an excess of 1 million users were enrolled; 1 day for installation 2 to 4 weeks for implementation and deployment depending on the size of the deployment. No data provided Digital Resolve 500 transaction second on one dual processor server 9-12 wks $2000 per day for consulting services Currently deployed with 600,000 users Theoretical potential 65 million 3-4 weeks for 3000 user project User and Server license ($8.00 per user; server license is 15K - 25K per server Entrust 50,000 users to several millions theoretical (3-4 servers) Cost of cards (1.00 per card) Multi-Factor Authentication They claim that they can handle 40,000 users con-current (3,000,000) users. 5 working day to setup 3 or 4 weeks for deployment, training, & Q/A Med size 100,000 to 150,000 users 1.99 per year for license 32

33 Questions Questions/Comments/Discussion 33

34 Thank You / Contact Thank You John Moore Senior Manager, KPMG LLP JDMoore at kpmg.com The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved. 34