Briefly describe the #1 problem you have encountered with implementing Multi-Factor Authentication.

Transcription

1 Polling Question Briefly describe the #1 problem you have encountered with implementing Multi-Factor Authentication. Please type in your response. This poll will close promptly at 1:00 pm CDT

2 Getting the Facts on Multi-Factor Webinar Donna Dodson National Institute of Standards and Technology (NIST) Kimberly Cahill, NBE, CISA Bank Information Technology Analyst Comptroller of the Currency Gary Greenwald Managing Director, Cash Management Capabilities and Information Products Citigroup Corporate and Investment Bank

3 Getting the Facts on Multi-Factor Webinar Donna Dodson National Institute of Standards and Technology (NIST)

4 E-Authentication Guidance OMB 04-04, E-Authentication Guidance for Federal Agencies Defines four levels of assurance in term of the consequences of authentication errors and misuse of credentials Risk assessment reviewing privacy, inconvenience, damage to reputation, harm to agencies and programs, financial liability, crime, safety NIST Special Publication , Electronic Authentication Guideline Establishes technical requirements to meet four levels of assurance Identity proofing, tokens, credentials, protocols, assertions

5 Authentication Model Local or Remote Players Claimants Subscribers Registration Authorities Credential Service Provider Verifiers Relying Parties

6 Authentication Elements Token something that the claimant possesses and controls (typically a key or password) used to authenticate the claimant s identity Credential An object that authoritatively binds an identity to a token possessed and controlled by a person Assertion - a statement from a verifier to a relying party that contains identity information about a subscriber

7 Authentication Factors Something you know Typically some kind of password Something you have For local authentication typically an ID card For remote authentication typically a cryptographic key hard & soft tokens Something you are A biometric Problematic without supervision Capture can deter fraud even if not checked in authentication process The more factors, the stronger the authentication

8 Tokens Single-factor token a token that utilizes one of the three factors to achieve authentication. For example, a password is something you know, and can be used to authenticate the holder to a remote system. Multi-factor token a token that utilizes two or more factors to achieve authentication. For example, a private key on a smart card that is activated via PIN is a multi-factor token. The PIN is something you know and the smart card is something you have.

9 Common Types of Tokens Memorized secret token Pre-registered knowledge token Look-Up secret token Out of band token One time password device Software cryptographic token Hardware cryptographic token

10 Token Selection Considerations Security considerations Single factor vs multifactor vs multitoken Hardware vs software Protocol Associations Costs Usability

11 Polling Question Have you fully implemented a Multi-Factor Authentication program per the FFIEC guideline? Yes No

12 Getting the Facts on Multi-Factor Webinar Kimberly Cahill, NBE, CISA Bank Information Technology Analyst Comptroller of the Currency

13 Disclaimer The views and opinions expressed are not official positions of the FFIEC or the Comptroller of the Currency.

14 Agenda What Prompted Guidance Guidance Other Considerations

15 What Prompted the Guidance? Cybercrime yielding more cash than drugs TJX data breach info used to make fraudulent purchases. In 2006, there were in excess of 315 publicized breaches affecting nearly 20 million individuals. Lost or stolen customer information cost surveyed companies as much as $22million

16 Common Threats Losing Data Hacking Phishing Pharming Spying Disgruntled Insiders Criminals Terrorists

17 Consumer Concern 67% are very concerned about identity theft. 73% worried about fraudulent use 25% say stopped buying online 57% say switch banks for better security

18 Authentication Guidance OCC Bulletin

19 Guidance The level of authentication used by the FI should be appropriate to the risks associated with those products and services. FIs should conduct a risk assessment to identify the types and levels of risk associated with their Internet banking applications. Where risk assessments indicate that the use of single-factor authentication is inadequate, FIs should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks. The agencies consider single-factor authentication, as the only control mechanism, to be inadequate in case of high-risk transactions

20 Key Principals of the Guidance 4 Principles Risk Based Process Based Not prescriptive Technology neutral

21 Key Steps for Conformance Risk Assessment Implement Risk Mitigation Strategy Customer Awareness Adjust the program

22 Risk Assessment Identify and rank high risk Internet transactions Describe specific customer information viewable during Internet sessions Evaluate current authentication procedures Identify any gaps

23 Acceptable Risk Mitigation Techniques Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement: multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.

24 Authentication Selection Multifactor Token Biometrics Smart cards One-time passwords Layered Security Transaction analysis (Unusual Behavior) IP Address Challenge/Response questions Out-of-band confirmations

25 Other Risk Controls Content Minimize (mask) confidential information Segregate access Separate basic info, bill payment, funds transfer Accessibility Encrypt confidential information

26 Monitoring and Reporting Audit Features - Behavior Patterns Service Provider s Reports Independent Audit Review Report to Board

27 Customer Awareness New FTC Education Website Key defense, but not a control Continue efforts Track your efforts (Call center, clicks on alert and disclosure links, type of marketing, trends in losses)

28 Acct Origination & Verification Reliable identity verification at origination is critical for: Compliance w/ USA Patriot Act Relevance of subsequent authentication practices Negative confirmation Positive confirmation Out-of-wallet questions

29 Bottom-Line An acceptable solution today might not be acceptable tomorrow.the bad guys are just as smart as the good guys developing the solution Banks need an on-going risk assessment process!

30 Bank Supervision Policy FFIEC Information Security Booklet 12 CFR 30, Appendix B OCC : Online Authentication OCC : Website Spoofing OCC : Customer Notification OCC : Disposal of Consumer Info FAQs on Guidance

31 Polling Question Implementing Multi-Factor Authentication has met my expectations. Strongly Agree Agree Agree Somewhat Disagree Strongly Disagree

32 Getting the Facts on Multi-Factor Webinar Gary Greenwald Managing Director, Cash Management Capabilities and Information Products Citigroup Corporate and Investment Bank

33 The Opportunity Look beyond website access control Paperless workflows Legally binding electronic signatures Document integrity and rights management

34 Case Study: Pharmaceutical Electronic submissions to the FDA Costs are rising Time to market is long Paper intensive What are we providing? Identity issuance Compliance with strict FDA regulations Operational infrastructure

35 Case Study: Managing Corporate Bank Accounts Need for better process Visibility Control Efficiency What are we providing? Standard for account opening and managing corporate bank accounts, working with industry groups A single digital identity across banks End-user interface

36 Case Study: Corporate Payment Files Improved process for straight through processing (STP) of payment files Driven by Industry move to STP and even corporate SWIFT connectivity Issue: What individual has released the payment file? Is he/she entitled? Use of digital signatures to confirm identity of the senders, provide audit trail, etc.

37 Role of Banks Sit above technology layer Focus on high assurance Using multi factor tools for strong authentication Positions banks as leaders Focus on what banks do well KYC Trusted parties Subject to regulatory oversight Know and understand the importance of strong policies and legal structures Integral part of the global payment and trade infrastructure Extensions into public sector, consumers and other verticals

38 Q&A Using the CHAT Window on the right side of your screen, send a text directly to ALL PANELISTS