Some Implications of the FFIEC Guidance
What Are High-Risk Transactions?
According to the FFIEC guidance, the risk assessment process should:
- Identify all transactions and levels of access associated with Internet-based customer products and services;
- Identify and assess the risk mitigation techniques, including authentication methodologies, employed for each transaction type and level of access; and
- Include the ability to gauge the effectiveness of risk mitigation techniques for current and changing risk factors for each transaction type and level of access.
The FAQ document issued on August 15, 2006 makes it clear that all transactions that allow access to customer information are "high risk."
Intuitively, however, a high-risk transaction involving access to customer information ought to be one that could allow a fraudster to bring harm to a banking customer by enabling identity theft or allowing money to be stolen from the customer, or that could allow a fraudster to interfere with the customer's ability to access their online account.
High-risk transactions involving access to customer information include:
- Any transactions that allow someone to discover a Social Security Number, birthdate, or account number associated with a particular online account.
- Any transactions that allow someone to view check images of a particular customer, since these images contain bank routing numbers and account numbers that could enable a fraudster to steal money from a checking account.
- Any transactions that allow someone to modify or otherwise edit customer information, including names, addresses, phone numbers, and especially passwords.
One type of online banking service that may or may not be covered by the FFIEC guidance is the online bill payment in which the customer provides a merchant or other creditor with the bank routing number and checking account number from which the bill is to be paid. These transactions use the ACH network.
Once these numbers are provided, the money is automatically debited
from the corresponding checking account. Currently, there is no way to
verify that the person seeking to debit a particular checking account
by providing these numbers is actually authorized to access the account. NACHA,
the electronic payments association, is currently testing a concept called Secure Vault Payments that seeks to do this. The method depends on the same
authentication procedures that banks will be deploying for online
account access.
The Need For Mutual Authentication
There are two types of authentication to consider when thinking about
online banking services. There is authentication of the
customer to the bank, and there is authentication of the bank to the
customer. The first type of authentication is what the FFIEC
guidance is primarily concerned with - providing a more secure way for
a bank to know that it is dealing with a legitimate request for access
to an online account. However, customers often give away
information to fraudsters because they are fooled by look-alike
but phony banking websites that request customers to enter personal
information. This points to a need for customers to be better
able to recognize their legitimate banking website before they divulge
sensitive information. Together, these two types of
authentication are referred to as "mutual authentication."
The two most prevalent ways for a banking website to authenticate itself to a customer are:
- Customers who are tech-savvy can check the website's certificate to make sure it is associated with their bank. The World Wide Web Consortium conducted a Workshop on Transparency and Usability of Web Authentication in March 2006 to come up with better ways to enable people to better authenticate websites.
- Customers can choose a secret image or phrase that will be displayed to them to indicate it is safe to provide additional information to their legitimate banking website. This is illustrated by Bank of America's SiteKey service that allows Bank of America customers to recognize the bank's website through a previously-selected image, while allowing Bank of America to recognize their customers using traditional passwords in combination with recognition of the customer's computer by means of a computer "signature."
The FFIEC guidance does not specify any particular type of
authentication technology that should be adopted. Decisions
about which specific authentication technologies a bank should adopt
depend upon the outcome of a bank's risk assessment, as well as other
business and customer considerations.
Some Risk Factors To Consider
As banks begin implementing better authentication to satisfy the FFIEC
guidance, fraudsters will adjust their tactics accordingly.
Phishing emails, which are designed to direct customers to phony
websites that ask people to enter sensitive personal information, may
evolve as fraudsters' needs for personal information change. For
example, some newer authentication methods depend on recognition of a
customer's computer as a second authentication factor, in addition to a
password. When a customer uses a new computer, that computer
must be "registered." Prearranged challenge/response questions
are often used to authenticate a customer using a new computer, so that
the new computer can be registered. Examples of such questions are:
What high school did you go to? What city were you born in?
What was your first car? It's not unreasonable to imagine
that phishing emails will evolve to steal these questions and answers.
Prearranged challenge/response questions are similar to passwords in that
they are information a banking customer knows, and that information can be stolen.
As such, prearranged challenge/response questions may be the "low hanging
fruit" that fraudsters focus on as these become more widely used.
A Man-in-the-Middle attack places a fraudster between a banking
customer and the bank's website, so that the customer believes he is
interacting with his bank's website when he is actually interacting
with the
fraudster's site. The fraudster can then modify the transactions
initiated by the customer to the fraudster's advantage. Man-in-the-Middle attacks can thwart a two-factor authentication scheme that uses one-time password
tokens as the "something you have" authentication factor, for example,
if the bogus site can use the one-time password provided by a banking
customer for accessing an online banking account before the one-time
password expires. One way to prevent Man-in-the-Middle attacks is through mutual
authentication, so that a banking customer can easily distinguish between a
legitimate banking website and a fraudulent one. An
educated banking customer whose bank implements a well-designed
mutual authentication scheme for online banking would not provide a
one-time password, or any other sensitive information, to a look-alike banking website until the customer verifies that the website is legitimate. A secret image or phrase is only a partial defense here: a fraudulent site that relays the customer's username to the real bank in real time can fetch and display the genuine image, so the customer must also check that the connection itself (the address and the certificate) is to the bank.
Malware
can be surreptitiously installed on a banking customer's
computer as a result of downloading a computer virus, or by visiting a
website that attempts to automatically install these programs.
One form of malware is designed to record all the keystrokes made
by customers, and transmit them to fraudsters. These keystroke
loggers allow fraudsters to steal passwords and other personal
information that can enable identity theft. However, as banks
begin implementing better mutual authentication, this information by
itself will become less useful for allowing fraudsters to break into
customers' accounts.
Another form of malware could allow a fraudster to hijack an online
session that has already been established. Even though the use of
stronger authentication by a bank may prevent a fraudster from
initially accessing someone's online account, malware installed on the
customer's computer might enable a fraudster to conduct illicit
transactions once the online session is established. For
instance, malware might initiate a transaction that moves money out of
a customer's account, even though the customer legitimately
initiated the online session with the bank. This
points to a need to consider transaction-based authentication, in
addition to authentication at the start of the online session.
Depending upon the risks that are perceived, banks may want to consider
separately authenticating individual transactions that move more than a given amount of money out of customers' accounts.
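Two of the risks above can be shown side by side in code: a one-time password relayed by a Man-in-the-Middle before it expires, and a hijacked session whose transaction is altered after the customer has authenticated. The following is an added example, not code from the article or from any bank or token vendor. The token secret, account numbers, nonce and 30-second window are assumptions; the HOTP routine follows RFC 4226, while the transaction-bound code is a simplified stand-in for a transaction-signing token that computes its code over the amount and destination the customer actually typed, so a transaction modified in transit no longer verifies.

```python
"""Constructed comparison of a login-time OTP and a transaction-bound code."""
import hashlib
import hmac
import struct

TOKEN_SECRET = b"example-shared-secret-in-customer-token"   # assumption
STEP = 30   # seconds per OTP window (assumption)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: float, step: int = STEP) -> str:
    """Time-based OTP: the HOTP counter is the current time window."""
    return hotp(secret, int(now // step))


def bank_verify_totp(secret: bytes, code: str, now: float) -> bool:
    return hmac.compare_digest(totp(secret, now), code)


def mitm_login_relay(now: float) -> bool:
    """The customer types a TOTP into the phony site; the Man-in-the-Middle
    forwards it to the real bank a couple of seconds later, inside the same
    window. Returns True if the bank accepts the relayed code."""
    customer_code = totp(TOKEN_SECRET, now)      # typed at the phony site
    relayed_code = customer_code                 # forwarded unchanged by the attacker
    return bank_verify_totp(TOKEN_SECRET, relayed_code, now + 2)


def transaction_code(secret: bytes, amount_cents: int, dest_account: str, nonce: str) -> str:
    """Transaction-bound code: computed by the customer's token over the exact
    amount and destination the customer entered plus a bank-issued nonce."""
    msg = f"{amount_cents}|{dest_account}|{nonce}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** 8:08d}"


def bank_verify_transaction(secret, amount_cents, dest_account, nonce, code) -> bool:
    """The bank recomputes the code over the transaction it actually received."""
    return hmac.compare_digest(transaction_code(secret, amount_cents, dest_account, nonce), code)


def hijacked_transfer(amount_cents: int, customer_dest: str, attacker_dest: str, nonce: str):
    """The customer authorizes (amount, customer_dest); malware on the
    customer's computer rewrites the destination before it reaches the bank.
    Returns (genuine transaction accepted, tampered transaction accepted)."""
    code = transaction_code(TOKEN_SECRET, amount_cents, customer_dest, nonce)
    genuine_ok = bank_verify_transaction(TOKEN_SECRET, amount_cents, customer_dest, nonce, code)
    tampered_ok = bank_verify_transaction(TOKEN_SECRET, amount_cents, attacker_dest, nonce, code)
    return genuine_ok, tampered_ok


if __name__ == "__main__":
    now = 1_000_000_020.0   # constructed timestamp, aligned to a window start
    print("relayed login OTP accepted:", mitm_login_relay(now))
    genuine, tampered = hijacked_transfer(150_00, "ACCT-1234", "MULE-9999", "nonce-1")
    print("genuine transfer accepted:", genuine, "| tampered transfer accepted:", tampered)
```

The nonce is issued by the bank per transaction so that a captured code cannot be replayed for a second transfer to the same destination; without it, the code would bind the amount and destination but not the individual transaction.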