The Implementation of Multifactor Authentication in Canadian Financial Institutions. By Wilson Yee Tsun Lo ACC 626




1.0 Introduction

The Internet has enabled financial institutions to offer various additional banking services to both their individual and corporate customers. Individuals may perform online transactions and other banking services at their convenience with the click of a mouse, while financial institutions benefit from improved efficiency and significant savings. As such, these institutions often promote online banking services to their customers. Nonetheless, with the increasing popularity of online financial services, the main challenge is to ensure that customers' confidential information is secured against fraud and other malicious attacks. Unlike a transaction at a branch, where identity may be verified in person with valid identification, online banking requires a detailed authentication process to monitor and control access to customers' banking information. Authentication techniques must be implemented by security professionals as part of the company's security measures, so that fraudulent attacks do not expose the company to unnecessary legal liabilities and a loss of business.

The majority of financial institutions in the United States have implemented some form of multifactor authentication, as required by the Federal Financial Institutions Examination Council. In Canada, although several institutions have voluntarily implemented multifactor authentication, there are currently no guidelines or regulations in place to enforce such a security system for online banking services. The purpose of this report is to analyze multifactor authentication and determine whether financial institutions in Canada should implement some form of it. This is achieved by examining the features and issues of multifactor authentication and providing an in-depth analysis of the techniques available to implement it.

2.0 Analysis

2.1 What is Multifactor Authentication?

Multifactor authentication is a security system in which more than one form of authentication is implemented to verify the legitimacy of a transaction.[1] In terms of Internet banking services, it is used to prevent unauthorized access to a customer's online banking information by combining physical and/or logical access controls. There are three general forms of authentication:

1) Something you know (e.g. a password)
2) Something you have (e.g. a fob or a token)
3) Something you are (e.g. a fingerprint or an eye scan)[2]

Multifactor authentication makes use of at least two of the above. In addition to incorporating these technologies, institutions can also establish proper policies, procedures and controls.[3] The chief information security officer (CISO) works closely with the marketing team to design and implement a multifactor authentication product that is acceptable to bank customers while addressing the risks of the transactions. Risk-based assessments are carried out to determine the level of authentication controls required to properly address the risk of identity theft, online fraud and loss of confidential customer information.[4] If the risk is moderate, a combination of a shared secret and a token may be sufficient. The addition of biometrics, such as fingerprint recognition, may be required if high-risk transactions are involved. The risk assessment must take into consideration the type of customers, the functions available, the sensitivity of the information, and the volume of transactions.[5]

2.2 Implementation of Multifactor Authentication in the United States

The Federal Financial Institutions Examination Council (FFIEC) issued the guidance "Authentication in an Internet Banking Environment" in mid-October 2005, which mandates that financial institutions in the United States review and determine which of their Internet services require enhanced authentication techniques.[6] Single-factor authentication, which requires only one type of identity verification from the customer, is inadequate for online financial transactions. The FFIEC guidance states that "the agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties."[7] The FFIEC requested that financial institutions apply multifactor authentication, or any other approach that addresses high-risk transactions, by the end of 2006 for auditing compliance with the rules.

[1] Multifactor Authentication (MFA). 12 April 2007. TechTarget. 7 July 2008. <http://searchsecurity.techtarget.com/sdefinition/0,,sid14_gci1249137,00.html#>.
[2] Authentication in an Internet Banking Environment. FFIEC. 11 July 2008. <www.ffiec.gov/pdf/authentication_guidance.pdf>.
[3] Ibid.
[4] Childs, Robert S. Banking on Multifactor Authentication. 22 February 2006. SearchFinancialSecurity. 3 June 2008. <http://searchfinancialsecurity.techtarget.com/tip/0,289483,sid185_gci1294354,00.html>.
[5] Authentication in an Internet Banking Environment. FFIEC. 11 July 2008. <www.ffiec.gov/pdf/authentication_guidance.pdf>.
[6] Cocheo, Steve. Read this before you take the Multi-factor Plunge. American Bankers Association. ABA Banking Journal. May 2006. Vol. 98 Issue 5. Pages 54-55. ABI Inform. University of Waterloo, ON.
[7] Authentication in an Internet Banking Environment. FFIEC. 11 July 2008. <www.ffiec.gov/pdf/authentication_guidance.pdf>.
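As an added illustration (not part of the report), the following Python sketch encodes the definition of multifactor authentication from section 2.1 (at least two of the three forms) together with the risk-based selection of controls described in sections 2.1 and 2.2. The risk tiers, the amount threshold, the authenticator names and the rule that a high-risk transaction needs all three forms are assumptions made for illustration; note that a password plus a challenge question both fall under "something you know" and therefore do not count as two factors.

```python
"""Risk-tiered authentication policy check (added example, not the report's code)."""
from dataclasses import dataclass
from typing import Iterable, Set, Tuple

KNOW, HAVE, ARE = "something you know", "something you have", "something you are"

# Which of the three forms each authenticator belongs to (section 2.1).
# Authenticator names are assumed for this example.
FACTOR_CATEGORY = {
    "password": KNOW,
    "pin": KNOW,
    "challenge_question": KNOW,
    "image_selection": KNOW,
    "otp_token": HAVE,
    "usb_token": HAVE,
    "smart_card": HAVE,
    "fingerprint": ARE,
    "voice": ARE,
    "face": ARE,
}

# Assumed policy: minimum number of distinct forms per risk tier
# (moderate = shared secret + token; high additionally requires a biometric).
REQUIRED_FORMS = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class Transaction:
    function: str         # "view_balance", "bill_payment" or "transfer_to_third_party"
    amount: float         # currency units moved; 0 for read-only functions
    customer_type: str    # "individual" or "corporate"
    sensitive_data: bool  # does the function expose confidential customer data?


def assess_risk(tx: Transaction) -> str:
    """Classify a transaction from the inputs the report lists for a risk
    assessment: customer type, function, sensitivity and volume."""
    if tx.function == "transfer_to_third_party":
        # Movement of funds to other parties is the FFIEC's high-risk case.
        return "high"
    if tx.function == "bill_payment":
        # Assumed threshold: corporate or large payments are treated as high risk.
        if tx.customer_type == "corporate" or tx.amount >= 10_000:
            return "high"
        return "moderate"
    if tx.sensitive_data:
        return "moderate"
    return "low"


def distinct_forms(presented: Iterable[str]) -> Set[str]:
    """Return the set of forms covered by the presented authenticators.
    Unknown authenticator names are rejected rather than silently ignored."""
    forms = set()
    for name in presented:
        if name not in FACTOR_CATEGORY:
            raise ValueError(f"unknown authenticator: {name}")
        forms.add(FACTOR_CATEGORY[name])
    return forms


def is_multifactor(presented: Iterable[str]) -> bool:
    """The report's definition: at least two of the three forms."""
    return len(distinct_forms(presented)) >= 2


def authorize(tx: Transaction, presented: Iterable[str]) -> Tuple[bool, str]:
    """Decide whether the presented authenticators satisfy the tier's policy."""
    tier = assess_risk(tx)
    have = len(distinct_forms(presented))
    need = REQUIRED_FORMS[tier]
    verdict = f"{tier} risk: {have} form(s) presented, {need} required"
    return have >= need, verdict


if __name__ == "__main__":
    transfer = Transaction("transfer_to_third_party", 2_500.0, "individual", True)
    # Two shared secrets are still a single form, so this is refused.
    print(authorize(transfer, ["password", "challenge_question"]))
    print(authorize(transfer, ["password", "otp_token", "fingerprint"]))
```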

According to a study performed by Javelin Strategy & Research, approximately 20% of the banks in the survey were using multifactor authentication before the deadline. By 2007, 88% of the banks had implemented multifactor authentication techniques.[8] It should be noted that there was some confusion among the banks about which authentication technique to implement before the 2006 year-end deadline. The FFIEC guidance states that it does not endorse any particular technology.[9] It only asks financial institutions to assess their own risk and settle on an alternative that meets their needs. However, banks, vendors and experts were over-focused on the term "multi-factor authentication". The FFIEC guidance does not explicitly state that multifactor authentication is the only solution.[10]

2.3 Multi-factor Authentication Technologies

2.3.1 Shared Secrets

Selected by the customer during the enrollment stage, shared secrets are information known by both the customer and the authenticating entity. Demanding a periodic change to the shared secret enhances the security of the system, as the risk of theft decreases when the secret is periodically updated. Security is also enhanced when more than one shared secret is used by the authenticating entity. Some examples of shared secrets include:[11]

- Passwords and PINs
- Questions or queries that require specific customer knowledge to answer
- Customer-selected images that must be identified or selected from a pool of images[12]

2.3.2 Tokens

Tokens are physical devices that are classified under "something you have". In order to achieve multifactor authentication, companies only have to add this technology to their existing user name and password system. The three common types of tokens are:

USB Tokens

A USB token is a small device that can be attached to a keychain or placed in a pocket. In order to access a computer or network, the USB token is inserted into the USB port, and the user enters his/her password for authorization. Customers are not required to install any specific hardware on their computer. The authentication service then verifies the user by prompting for their password to log in to the system.[13] As USB tokens are difficult to copy and tamper-proof, they are a good candidate for storing a variety of information and security functions, such as cryptographic keys, and other physical and logical access controls. They can store digital certificates that may be used in a public key infrastructure environment. Because of their acceptable size, processing power and storage capabilities, USB tokens are becoming popular. Their size allows users to carry them in a pocket, and they are simple to use.[14] One of the vendors that produce USB tokens is SafeNet. The SafeNet iKey USB Token is a USB-based portable PKI authentication token that generates and stores digital credentials.[15] It allows a company to implement the technology without installing any card readers or biometric devices.

Smart Cards

A smart card is comparable to a credit card in shape and size. Similar to a USB token, it has an embedded microprocessor containing user credentials such as digital certificates, encryption keys, and digital signatures. For log-in purposes, the smart card is inserted into a network-attached or embedded smart card reader, and the reader sends the data to the authentication server. Similarly, the authentication service then verifies the user by prompting for their password to log in to the system.[16] Due to the similarities between a smart card and a USB token, SafeNet is also a vendor that produces smart cards. The SafeNet Smart Card is provided in two formats: as a Java card or as a multi-function card employing the highly secure DKCCOS card operating system.[17] It can also be used as a physical access control card by using magnetic stripe technologies.

One-time Passwords (OTP)

A one-time password (OTP) token generates a unique password every 30 or 60 seconds. Customers must enter a regular password and the OTP generated by the token in order to be authenticated. Because the password changes after every use, it becomes increasingly difficult for a thief to access a customer's online account. An OTP token either applies a mathematical algorithm to generate each new password, or relies on time synchronization between the server and the client. This is beneficial because customers do not have to worry about the risk of a thief stealing the password. However, there is a significant cost associated with this technology, as hardware tokens must be supplied to customers, along with the necessary training.[18] RSA is one of the most well-known vendors that produce OTP tokens. Information Security Magazine gave RSA Security's SecurID the 2005 product of the year gold award. By automatically changing the password every 60 seconds, it provides authentication when accessing data and applications via wireless networks, VPNs, e-mail and web servers. It is a token that cannot be reverse-engineered and cannot be easily broken. With its scale and reputation, SecurID allows large companies to handle authentication for millions of users and hundreds of applications using its Authentication and Deployment managers.[19]

2.3.3 Biometrics

Biometric technologies are most commonly combined with a password or a token to produce a multifactor authentication system. Categorized under "something you are", they record a unique physiological or physical characteristic of the individual and use it to verify a user's identity. Facial structure, iris configuration and fingerprints are classified as physiological characteristics. The rate of movement, such as the pattern of typing on a computer keyboard, is classified as a physical characteristic. During the enrollment process, a sample of data relating to the user's characteristics is gathered and stored in the biometric-based system as the template. Similar to passwords, there is a risk that these templates may be stolen. When a customer logs in with a live scan, the result is compared to the registered template. Access is only granted when the result matches the template.[20]

Financial institutions in North America and Europe have increased their use of biometrics as a measure for increasing security and convenience. For example, institutions in the United States used fingerprint recognition and voice verification to comply with the FFIEC guidance. Biometrically enabled ATMs are also popular in Japan, and have been implemented in India, Latin America, and the Middle East. World Financial Biometrics Market, a consulting firm, determined that $117.3 million was generated in 2006 from the sale of biometrics, and estimates that $2.07 billion will be generated in 2013.[21]

Biometric data is similar to other data. It is stored on a server, which is exposed to hackers if it is not secured. Companies must ensure that the transmission from the biometric reader to the authenticating server is encrypted.[22] However, there are no regulations to protect biometric data, as it is normally treated as an authentication credential. Regulations such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act require security and access controls for customer and employee data only. Biometric data is not considered employee or customer data, and thus is not accounted for in these regulations.[23]

Biometrics provides financial institutions with better security, convenience and time efficiency. However, customers who do not know how biometrics work perceive this tool as an invasion of their privacy. Employees and customers may be reluctant and unwilling to submit their personal biometric information.[24] This technology is complicated and requires a huge initial investment in hardware and software when compared to passwords. For this reason, biometric authentication should only be used in high-risk systems, where the cost of a breach outweighs the cost of implementing the system. For example, it may be used in a company with high-value money transfers or large amounts of customer data.[25]

The market for biometrics is segmented. Companies do not know whether to buy a fingerprint reader, a voice recognition system or an iris scanner. It is hard to compare products during a company's bid process, as each product is unique in terms of approach and installation.[26] However, the two biometric techniques that are becoming popular and gaining acceptance are:

[8] Bruno-Britz, Maria. FFIEC Rules Making a Difference: Javelin study finds more banks using multifactor authentication. Bank Systems & Technology. December 2007. Vol. 44 Issue 12. Page 17. ABI Inform. University of Waterloo, ON.
[9] Authentication in an Internet Banking Environment. FFIEC. 11 July 2008. <www.ffiec.gov/pdf/authentication_guidance.pdf>.
[10] Feig, Nancy. The Final Countdown: As the FFIEC Online Banking Authentication Deadline Looms, Banks Work Through the Confusion to Select Their Solutions. Bank Systems & Technology. September 2006. Vol. 43 Issue 9. Page 11. ABI Inform. University of Waterloo, ON.
[11] Authentication in an Internet Banking Environment. FFIEC. 11 July 2008. <www.ffiec.gov/pdf/authentication_guidance.pdf>.
[12] Ibid.
[13] Ibid.
[14] Multi-factor Authentication. SafeNet. 11 June 2008. <http://www.safenet-inc.com/library/8/multifactor_authentication_white_paper.pdf>.
[15] Ibid.
[16] Ibid.
[17] Ibid.
[18] Myerson, Judith. Pros and cons of multifactor authentication technology for consumers. 28 May 2008. SearchFinancialSecurity.com. 3 June 2008. <http://searchfinancialsecurity.techtarget.com/tip/0,289483,sid185_gci1315282,00.html>.
[19] Products of the Year: Authentication and Authorization. 4 January 2005. SearchSecurity.com. 11 June 2008. <http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1041836,00.html>.
[20] Authentication in an Internet Banking Environment. FFIEC. 11 July 2008. <www.ffiec.gov/pdf/authentication_guidance.pdf>.
[21] Frost & Sullivan: The Use of Biometrics in Financial Institutions Is on the Rise. Wireless News. 31 May 2008. ABI Inform. University of Waterloo, ON.
[22] Dubin, Joel. Should we use biometric authentication on devices? 6 June 2006. SearchSecurity.com. 11 June 2008. <http://searchsecurity.techtarget.com/expert/knowledgebaseanswer/0,289625,sid14_gci1197706,00.html>.
[23] Dubin, Joel. Is there any policy or regulation to help protect biometric data? 2 May 2007. SearchSecurity.com. 7 June 2008. <http://searchsecurity.techtarget.com/expert/knowledgebaseanswer/0,289625,sid14_gci1259638_tax299857,00.html?bucket=eta&topic=299857>.
[24] Frost & Sullivan: The Use of Biometrics in Financial Institutions Is on the Rise. Wireless News. 31 May 2008. ABI Inform. University of Waterloo, ON.
[25] Dubin, Joel. Will biometric authentication replace the password? 15 December 2006. SearchSecurity.com. 6 June 2008. <http://searchsecurity.techtarget.com/expert/knowledgebaseanswer/0,289625,sid14_gci1242775,00.html>.
[26] Dubin, Joel. Should we use biometric authentication on devices? 6 June 2006. SearchSecurity.com. 11 June 2008. <http://searchsecurity.techtarget.com/expert/knowledgebaseanswer/0,289625,sid14_gci1197706,00.html>.

Face Recognition This technology makes a two or three dimensional map by identifying specific features on the face. The template that is generated is stored and used for later comparisons. Face recognition is a new technology that requires further improvements. 27 A well-known biometrics vendor is Acsys Biometrics, who specializes in the development of facial biometrics and voice biometrics. Their biometric solutions may be customized to fit the needs of government agencies, financial institutions, manufacturing and health sectors. 28 Fingerprint recognition This technology analyzes the pattern and only stores the unique marks on the fingerprint. As fingerprints are unique and complex, it is the most accurate and mature biometric technology. Fingerprint recognition technology requires the installation of special hardware and software into the user s computer. It is to easier to install and more user-friendly for customers than other advance technologies such as an iris scan. 29 Instead of using password logins, HP has developed laptops that rely on fingerprint recognition technologies to access the computer program and data. Entrust is another well-known vendor that provides multifactor authentication. Its Entrust IdentityGuard allows companies to assign authentication techniques to various users and applications based on the risk of a given transaction. It can protect valuable data and applications with a wide range of authenticators such as one-time-password tokens, grid card, biometrics, question and answers, out-of-band and mutual authentication. 30 2.3.4 Out-of-Band Authentication Out-of-Band authentication occurs when the identity of the party who initiated the transaction is confirmed by a medium other than the one that the party used to request the transaction. 
For example, when a party initiates an online fund transfer or other monetary transaction, the server will generate a telephone call that will ask for a pre-determined confirmation number, word or phrase to confirm the transaction. 31 Authentify is a leader in out-of-bank authentication. It uses the telephone as an automated authentication device to provide an Internet security process. After a transaction is 27 Authentication in an Internet Banking Environment. FFIEC. 11 July 2008. <www.ffiec.gov/pdf/authentication_guidance.pdf>. 28 The Evolution of Security. Acsys Biometrics Corp. 20 July 2008. <http://www.acsysbiometrics.com/>. 29 Authentication in an Internet Banking Environment. FFIEC. 11 July 2008. <www.ffiec.gov/pdf/authentication_guidance.pdf>. 30 Entrust Bolsters GetAcess with IdentityGuard Multifactor Authentication. Wireless News. 9 September 2007. ABI Inform. University of Waterloo, ON. 31 Authentication in an Internet Banking Environment. FFIEC. 11 July 2008. <www.ffiec.gov/pdf/authentication_guidance.pdf>. 7 of 14 7

made, the Authentify software will immediately contact the party to gather user contact and a proof of consent. 32 2.4 Issues related to Multi-factor Authentication? One issue related to multifactor authentication is getting general customer acceptance. It is difficult and time-consuming to educate and explain the idea behind multifactor authentication. Customers want to access their banking information fast and without any trouble. As a token may be lost or stolen, it would create a lot of trouble for the customer to replace it. In addition, the accuracy of biometric readers is questionable. The user s fingerprints may be smudged, faces and voices may change over time and these biometric data can potentially be misread. As a result, this may prevent the access of legitimate users or permit the access of unauthorized users. 33 By asking customers to provide an answer to a question that the customer previously created, this causes a lot of trouble when they forget the answer they previously chosen. Customers will have to contact the institution s customer service hotline, and ask them to reset the web account. A verification process is also in place when the customer wishes to contact a service representative. This time consuming process defeats the purpose of having a fast and trouble-free web account. Multifactor authentication is costly to implement and maintain. Companies may need to install a new set of hardware and application servers. Forrester Research, a research analyst firm, states that the estimated annual cost per user for the administration of password is between $340 and $800. For larger companies that require password for a wide range of applications, the average annual cost is $550 per user. 
34 The maintenance costs, in addition to the initial installation costs required for the specific multifactor authentication tool are often reasons for institutions to defer the implementation until it is deemed necessary by the enactment of a regulation by a governing body. For multi-national firms, they should consider the ease of deployment, which includes enrollment and administration. It is difficult to deploy multifactor authentication tools and software to all offices around the world. For example, distributing tokens for a geographically dispersed company will be a hard task, as each token must be assigned to the right employee, 32 The Leader in Out-of-Bank Authentication. Authentify. 14 July 2008. <http://www.authentify.com/index.html>. 33 Dubin, Joel. Should we use biometric authentication on devices. 6 June 2006. SearchSecurity.com. 11 June 2008. <http://searchsecurity.techtarget.com/expert/knowledgebaseanswer/0,289625,sid14_gci1197706,00.html>. 34 Byme, Jim. Large-scale Biometric Management: A Centralized, Policy-based Approach to Reducing Organizational Identity Chaos. Vol. 6 2003. ISACA. 7 June 2008. <http://www.isaca.org/content/contentgroups/journal1/20033/largescale_biometric_management_a_centralized,_policy-based_approach_to_reducing_organizational_ide.htm>. 8 of 14 8

registered and enrolled into the system. The challenge is to find out and verify whether the enrolled employee is actually the intended user. 35 Although multi-factor authentication is effective in fighting online fraud, criminals have switched back to phone and mail-frauds where they pretend to be bank representatives and ask for account details. An investigation performed by Javelin Strategy and Research has discovered that the number of fraud and victims in the United Sates is overall continuously declining as a result of the multi-factor authentication and other fraud-fighting tools. Specifically, there are 3 consecutive years of declining losses from identify theft. However, the number of old vishing methods by criminal enterprises have increased to 40% of all fraud incidents in 2007 from 3% in 2006, as it is less expensive and easy to deceive careless customers. 36 Vishing uses Voice over IP to gain access to the telephone system and scam customers to disclose personal information by claiming to be a legitimate financial institution. 37 Multifactor authentication may not be useful when the situation involves friends or family members. Investigators have seen a persistent increase in the number of family or friend related identity theft, and victims do not want to accuse them. The victims want their money back, but they don t want their family member arrested. In this situation, any multi-factor authentication or other techniques will not be capable of preventing any fraud actions. 38 2.5 Implementation of Multifactor Authentication in Canada There are currently no requirements for Canadian banks to implement multifactor authentication. However, according to Celent LLC, a Boston-based research firm, about 44% of Canadian banks have some sort of multi-factor authentication for online banking. 
[39] TD Bank Financial Group, which is one of the early adopters, launched EasyWeb IdentificationPlus in April 2007, which allows customers to choose five questions from a list and provide answers for future verification purposes. The online system asks one of these questions when the customer logs in from a different computer or performs a high-risk transaction. The system places a web cookie on the customer's computer after the question is answered so that a question will not be asked again when the customer uses the same computer to log in the next time. On the other hand, HSBC Bank's online service asks a question regardless of the computer the customer is using. [40]

When looking at the multifactor authentication techniques offered by TD Bank Financial Group and HSBC Bank, one would question whether they are really offering multifactor authentication. The two banks are enhancing security by making use of two shared secrets. However, it would not be difficult for hackers to gain access to both of these shared secrets, as they are most likely stored together in the bank's database.

Although Canadian banks are mainly focused on online services, they are also investing in multi-factor authentication tools for ATMs and phone transactions. Celent reports that 7% of Canadians bank by phone, 27% online, 29% in person and 33% at a bank machine. ING Direct's services are mostly provided by phone, since it does not have any branches. In order to verify the caller, ING employees compare the calling number with customer records. In addition, ING Direct has tried voice identification, but there are accuracy problems. [41] Other authentication methods are required if customers wish to perform a transaction from a number other than the calling number stated in their records.

3.0 Conclusion

Multifactor authentication provides better security to customers by making use of more than one form of authentication to validate a transaction. Although not mandatory, Canadian financial institutions should consider implementing multifactor authentication, as it provides better security for customers using their online services. They must understand that the costs of providing the security may be compensated by customer confidence and smaller losses from theft. Financial institutions need to perform a risk assessment to determine the type of authentication required. However, institutions must take into consideration customer acceptance and the ease of development of the technology, as tokens may need to be distributed during enrolment. They need to be aware that criminals may simply switch to other forms of fraud that do not require use of the internet. Manufacturers must constantly seek to improve and develop advanced technologies that produce the minimal amount of error.

[35] Stephenson, Peter. Multifactor authentication 2008. 1 January 2008. SC Magazine. 6 June 2008. <http://www.scmagazineus.com/multifactor-authentication-2008/grouptest/57/>.
[36] Fest, Glen. Thwarted Online, Fraud Goes Low-Tech Again. USBanker. April 2008. Vol. 118 Issue 4. Page 16. ABI Inform. University of Waterloo, ON.
[37] Vishing or Voice Phishing. 28 April 2008. RCMP. 11 July 2008. <http://www.rcmp.ca/scams/vishing_e.htm>.
[38] Fest, Glen. Thwarted Online, Fraud Goes Low-Tech Again. USBanker. April 2008. Vol. 118 Issue 4. Page 16. ABI Inform. University of Waterloo, ON.
[39] Buckler, Grant. There's no single answer to securing online banking. 1 November 2007. The Globe and Mail. 7 June 2008. <http://www.theglobeandmail.com/servlet/story/rtgam.20071017.wgtauthentic1018/bnstory/globetq/home/>.
[40] Buckler, Grant. There's no single answer to securing online banking. 1 November 2007. The Globe and Mail. 7 June 2008. <http://www.theglobeandmail.com/servlet/story/rtgam.20071017.wgtauthentic1018/bnstory/globetq/home/>.
[41] Ibid.
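The TD-style flow from section 2.5 (a challenge question on an unrecognised computer or a high-risk transaction, then a cookie that remembers the computer), written out as an added Python example that is not part of this report or of any bank's code. The class and method names are assumptions; the example also stores the answers salted and hashed instead of in the clear, which addresses the concern that both shared secrets sit together in the bank's database, though hashing does not help against guessing low-entropy answers.

```python
import hashlib
import hmac
import secrets
import time

# Assumed design, not TD Bank's or HSBC's actual implementation: answers are
# stored salted+hashed; "remember this computer" is a signed, expiring cookie.

def _normalize(answer):
    """Fold case and whitespace so 'Main St' and ' main  st ' compare equal."""
    return " ".join(answer.strip().lower().split())

class ChallengeService:
    def __init__(self, server_key, ttl_seconds=30 * 24 * 3600):
        self.server_key = server_key  # server-side cookie signing key
        self.ttl = ttl_seconds        # how long a computer stays remembered
        self.answers = {}             # (customer_id, question_id) -> (salt, hash)

    def enroll(self, customer_id, question_id, answer):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 100_000)
        self.answers[(customer_id, question_id)] = (salt, digest)

    def verify_answer(self, customer_id, question_id, answer):
        salt, digest = self.answers[(customer_id, question_id)]
        candidate = hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)  # constant-time compare

    def issue_device_cookie(self, customer_id, now=None):
        """Cookie set after a correct answer: customer|expiry|HMAC tag."""
        expires = int(time.time() if now is None else now) + self.ttl
        payload = f"{customer_id}|{expires}"
        tag = hmac.new(self.server_key, payload.encode(), "sha256").hexdigest()
        return f"{payload}|{tag}"

    def cookie_is_valid(self, cookie, customer_id, now=None):
        try:
            cid, expires, tag = cookie.split("|")
        except (AttributeError, ValueError):  # missing or malformed cookie
            return False
        expected = hmac.new(self.server_key, f"{cid}|{expires}".encode(), "sha256").hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or tampered cookie
        current = int(time.time() if now is None else now)
        return cid == customer_id and int(expires) > current

    def challenge_required(self, customer_id, cookie, high_risk):
        """Ask a question on an unrecognised computer or for a high-risk transaction."""
        return high_risk or not self.cookie_is_valid(cookie, customer_id)
```

A cookie copied to another customer's session, altered, or past its expiry fails validation and the question is asked again, which is the difference between this flow and HSBC's always-ask approach.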

Appendix

The intended audience of this report is Canadian financial institution executives, mainly chief information security officers, who are debating whether to implement multifactor authentication for their company. They must decide whether it is worthwhile to implement some form of multifactor authentication before a regulation is enacted. This would ensure that proper planning for the implementation is carried out and not rushed. The executives also want to satisfy their customers' concerns regarding the security of internet services by implementing enhanced controls.

Works Cited

Note: Items in bold represent new sources found after the submission of the annotated bibliography.

Authentication in an Internet Banking Environment. FFIEC. 11 July 2008. <www.ffiec.gov/pdf/authentication_guidance.pdf>.
Bruno-Britz, Maria. FFIEC Rules Making a Difference: Javelin study finds more banks using multifactor authentication. Bank Systems & Technology. December 2007. Vol. 44 Issue 12. Page 17. ABI Inform. University of Waterloo, ON.
Buckler, Grant. There's no single answer to securing online banking. 1 November 2007. The Globe and Mail. 7 June 2008. <http://www.theglobeandmail.com/servlet/story/rtgam.20071017.wgtauthentic1018/bnstory/globetq/home/>.
Byme, Jim. Large-scale Biometric Management: A Centralized, Policy-based Approach to Reducing Organizational Identity Chaos. Vol. 6 2003. ISACA. 7 June 2008. <http://www.isaca.org/content/contentgroups/journal1/20033/largescale_biometric_management_a_centralized,_policybased_approach_to_reducing_organizational_ide.htm>.
Childs, Robert S. Banking on Multifactor Authentication. 22 February 2006. SearchFinancialSecurity. 3 June 2008. <http://searchfinancialsecurity.techtarget.com/tip/0,289483,sid185_gci1294354,00.html>.
Cocheo, Steve. Read this before you take the Multi-factor Plunge. American Bankers Association. ABA Banking Journal. May 2006. Vol. 98 Issue 5. Page 54-55. ABI Inform. University of Waterloo, ON.
Dubin, Joel. Is there any policy or regulation to help protect biometric data? 2 May 2007. SearchSecurity.com. 7 June 2008. <http://searchsecurity.techtarget.com/expert/knowledgebaseanswer/0,289625,sid14_gci1259638_tax299857,00.html?bucket=ETA&topic=299857>.
Dubin, Joel. Should we use biometric authentication on devices? 6 June 2006. SearchSecurity.com. 11 June 2008. <http://searchsecurity.techtarget.com/expert/knowledgebaseanswer/0,289625,sid14_gci1197706,00.html>.
Dubin, Joel. Will biometric authentication replace the password? 15 December 2006. SearchSecurity.com. 6 June 2008. <http://searchsecurity.techtarget.com/expert/knowledgebaseanswer/0,289625,sid14_gci1242775,00.html>.
Entrust Bolsters GetAccess with IdentityGuard Multifactor Authentication. Wireless News. 9 September 2007. ABI Inform. University of Waterloo, ON.
The Evolution of Security. Acsys Biometrics Corp. 20 July 2008. <http://www.acsysbiometrics.com/>.
Feig, Nancy. The Final Countdown: As the FFIEC Online Banking Authentication Deadline Looms, Banks Work Through the Confusion to Select Their Solutions. Bank Systems & Technology. September 2006. Vol. 43 Issue 9. Page 11. ABI Inform. University of Waterloo, ON.
Fest, Glen. Thwarted Online, Fraud Goes Low-Tech Again. USBanker. April 2008. Vol. 118 Issue 4. Page 16. ABI Inform. University of Waterloo, ON.
Frost & Sullivan: The Use of Biometrics in Financial Institutions Is on the Rise. Wireless News. 31 May 2008. ABI Inform. University of Waterloo, ON.
The Leader in Out-of-Band Authentication. Authentify. 14 July 2008. <http://www.authentify.com/index.html>.
Multifactor Authentication (MFA). 12 April 2007. TechTarget. 7 July 2008. <http://searchsecurity.techtarget.com/sdefinition/0,,sid14_gci1249137,00.html#>.
Multi-factor Authentication. SafeNet. 11 June 2008. <http://www.safenetinc.com/library/8/multifactor_authentication_white_paper.pdf>.
Myerson, Judith. Pros and cons of multifactor authentication technology for consumers. 28 May 2008. SearchFinancialSecurity.com. 3 June 2008. <http://searchfinancialsecurity.techtarget.com/tip/0,289483,sid185_gci1315282,00.html>.
Products of the Year: Authentication and Authorization. 4 January 2005. SearchSecurity.com. 11 June 2008. <http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1041836,00.html>.
Stephenson, Peter. Multifactor authentication 2008. 1 January 2008. SC Magazine. 6 June 2008. <http://www.scmagazineus.com/multifactor-authentication-2008/grouptest/57/>.
Vishing or Voice Phishing. 28 April 2008. RCMP. 11 July 2008. <http://www.rcmp.ca/scams/vishing_e.htm>.