MDGFOA Electronic Banking Authentication Update

1
MDGFOAElectronic Banking Authentication Update

• Gregory E. Weddell, CTP, AAP
• Group Vice President
• Commercial Banking Solutions Group
• April 20, 2007

2
Welcome

• Agenda
• Background
• FFIEC Guidance
• Authentication Options
• Actions Being Taken to Meet Guidance
• Questions

3
Background

• News Flash Bad people will try to take
  advantage or you on the Internet
• Washington Post has 26 articles in the past 30
  days that reference Phishing USA Today 15
• Examples
• Taking the Bait On a Phish Scam Job Seekers Are
  Targets, Victims of Sophisticated Ploy
• FTC Identity Theft Remains Top Consumer
  Complaint
• Microsoft Targets Phishers IE 7 Still Not Safe
  Enough
• Banks pull out the big guns to protect online
  users
• Most computer attacks originate in U.S.
• PayPal to offer password key fobs to users
• Internet fraud has shaken publics confidence in
  Internet Banking see handout

4
Phishing Phacts

• An estimated 59 million phishing e-mails are sent
  each day.
• About 1 in 6 are opened.
• In 2006, about 109 million U.S. adults received
  phishing e-mail attacks, compared with 57 million
  in 2004.
• The average loss per victim in 2006 was 1,244,
  compared with 257 in 2004.
• Victims recovered an average of 54 percent of
  their losses in 2006, compared with 80 percent in
  2004. Source Washington Post, 2/10/2007

5
Phishing

• Phishing is a criminal activity using social
  engineering techniques and technical subterfuge.
  Phishers attempt to fraudulently acquire
  sensitive information, such as passwords and
  credit card details, by masquerading as a
  trustworthy person or business in an electronic
  communication. Technical subterfuge schemes plant
  crimeware onto PCs to steal credentials directly,
  often using Trojan keylogger spyware.
• Source wikipedia, AFWG

6
Phishing Phacts
Crimeware-spreading websites detected in February
shattered the previous record in June 2006 by 6
percent Source Anti-Phishing Working Group
7
Pharming

• Pharming is a hacker's attack aiming to redirect
  a website's traffic to another (bogus) website.
  Pharming can be conducted either by changing the
  hosts file on a victims computer or by
  exploitation of a vulnerability in DNS server
  software.
• Source wikipedia

8
Keystroke Logging

• Keystroke logging (often called keylogging) is a
  diagnostic used in software development that
  captures the user's keystrokes. Keystroke logging
  can be achieved by both hardware and software
  means. It can be useful to determine sources of
  error in computer systems and is sometimes used
  to measure employee productivity on certain
  clerical tasks. Such systems are also highly
  useful for law enforcement and espionagefor
  instance, providing a means to obtain passwords
  or encryption keys and thus bypassing other
  security measures. However, keyloggers are widely
  available on the internet and can be used by
  anyone for the same purposes.
• Source wikipedia

9
FFIEC Guidance

• FFIEC issued Guidance in October 2005 and an
  update in August 2006 stating
• The agencies consider single-factor
  authentication, as the only control mechanism, to
  be inadequate for high-risk transactions
  involving access to customer information or the
  movement of funds to other parties.
• The Federal Financial Institutions Examination
  Council is an interagency set out to dictate
  policies, standards, and report forms for the
  scrutiny of financial institutions by the Board
  of Governors of the Federal Reserve Board, the
  Federal Deposit Insurance Corporation, National
  Credit Union Administration, the Office of the
  Comptroller of Currency, and the Office of Thrift
  Supervision.

10
FFIEC Says..

• Single factor authentication is inadequate for
  access to high-risk transactions.
• Single factor authentication user ID password
• High risk transaction access to customer
  information
• Authentication should be appropriate to the
  risks.
• Where in sufficient, banks should implement
  multi-factor authentication, layered security or
  other controls reasonably calculated to mitigate
  risks

11
Background

• Authentication Techniques
• Multi-Factor Authentication
• Something you know
• Something you have (e.g. ATM Card, Token, PC)
• Something you are (e.g. fingerprint, facial scan,
  retina scan)
• Layered Security
• Multiple Single-Factor Authentication (e.g.
  second password, SiteKey pictures)
• Out of Band Authentication
• IP Address Location and Geo-location

12
FFIEC Says..

• Banks needed to complete Risk Assessment and
  implement risk mitigation activities by end of
  2006.
• Timing
• Q-1- What do the Agencies expect institutions to
  have accomplished by year-end 2006?
• A-1- The Agencies expect that institutions will
  complete the risk assessment and will implement
  risk mitigation activities by year-end 2006. The
  Agencies are not considering any general
  extension of the timing associated with this
  guidance.
• - FFIEC Guidance FAQ, August 2006

13
Actions Being Taken

• Many banks were already looking to improve
  authentication or had already done so.
• Some already had heighten authentication
• Examples Chevy Chase Bank requires use of hard
  tokens for Wire Release an example of
  authentication equal to the risk
• Some quick solutions in place
• Example Bank of Americas SiteKey service on
  consumer web site
• All must have Risk Assessment complete and
  actions to implement taken

14
Actions Being Taken

• Why not just have the fix in place?
• Few integrated vendor solutions were available
  when Guidance was issued
• Q-2- What if the financial institution or its
  technology service provider cannot implement a
  solution by year-end 2006?
• A-2- The Agencies examiners will assess the
  adequacy of each financial institutions
  authentication controls on a case-by-case basis.
• - FFIEC Guidance FAQ, August 2006

15
Actions Being Taken

• Why not just implement what is available?
• Banks seek to mitigate risk while not alienating
  customers
• Example of Actions Taken - Chevy Chase Online
  Access adding in June 2007
• RSA Cyota eSphinx risk-based authentication IP
  and Geo-location, behavior observation and
  out-of-band challenges
• Migrate from RSA SecurID tokens for Wire Release
  to RSA GoID for Wire and ACH Release
• GoID will allow use of token at all participating
  Financial Institutions

16
Actions Being Taken

• Jonathan Eber, a senior product manager at ACI in
  Boston, said hes still seeing a spectrum of
  attitudes toward the FFIEC guidelines. ACI sells
  software and services for linking banks with
  corporate customers.  About 35 percent of the
  banks that the company works with have "a sense
  of urgency about this," Eber said. "There is a
  middle part of the bell curve where people say,
  I know I have to do it, but Ill be in
  compliance by . next year. And there are some
  who say, This doesnt apply to me at all. "
• - Will Banks Make Federal Web Security
  Deadline?, zdnet.com

17
Actions Being Taken

• Ask your bank what they are doing to protect your
  personal and organizations funds

18
Questions?

• Greg Weddell
• 240-497-7788
• geweddell_at_chevychasebank.net