According to the FFIEC guidance, the risk assessment process should:
- Identify all transactions and levels of access associated with Internet-based customer products and services;
- Identify and assess the risk mitigation techniques, including authentication methodologies, employed for each transaction type and level of access; and
- Include the ability to gauge the effectiveness of risk mitigation techniques for current and changing risk factors for each transaction type and level of access.
The FAQ document issued on August 15, 2006 makes it clear that all transactions that allow access to customer information are "high risk."
Intuitively, however, a high-risk transaction involving access to customer information ought to be one that could allow a fraudster to bring harm to a banking customer by enabling identity theft or allowing money to be stolen from the customer, or that could allow a fraudster to interfere with the customer's ability to access their online account.
High-risk transactions involving access to customer information include:
- Any transactions that allow someone to discover a Social Security Number, birthdate, or account number associated with a particular online account.
- Any transactions that allow someone to view check images of a particular customer, since these images contain bank routing numbers and account numbers that could enable a fraudster to steal money from a checking account.
- Any transactions that allow someone to modify or otherwise edit customer information, including names, addresses, phone numbers, and especially passwords.
Other high-risk transactions covered by the FFIEC guidance are those that facilitate the movement of money out of a customer's account. Included among such services are online bill paying services, as well as any other type of funds-transfer service.
One type of online banking service that may or may not be covered by the FFIEC guidance is the transaction that allows one to pay a bill online by providing a merchant or other creditor with the bank routing number and checking account number from which the bill is to be paid. These transactions involve use of the ACH network. Once these numbers are provided, the money is automatically debited from the corresponding checking account. Currently, there is no way to verify that the person seeking to debit a particular checking account by providing these numbers is actually authorized to access the account. NACHA, the electronic payments association, is currently testing a concept called Secure Vault Payments that seeks to do this. The method depends on the same authentication procedures that banks will be deploying for online account access.
The need for mutual authentication
There are two types of authentication to consider when thinking about online banking services. There is authentication of the customer to the bank, and there is authentication of the bank to the customer. The first type of authentication is what the FFIEC guidance is primarily concerned with - providing a more secure way for a bank to know that it is dealing with a legitimate request for access to an online account. However, customers often give away information to fraudsters because they are fooled by look-alike but phony banking websites that request customers to enter personal information. This points to a need for customers to be better able to recognize their legitimate banking website before they divulge sensitive information. Together, these two types of authentication are referred to as "mutual authentication."
There are two ways that are most prevalent for a banking website to authenticate itself to a customer.
- Customers who are tech-savvy can check the website's certificate to make sure it is associated with their bank. The World Wide Web Consortium conducted a Workshop on Transparency and Usability of Web Authentication in March 2006 to come up with better ways for people to authenticate websites.
- Customers can choose a secret image or phrase that will be displayed to them to indicate it is safe to provide additional information to their legitimate banking website. This is illustrated by Bank of America's new SiteKey service, which allows Bank of America customers to recognize the bank's website through a previously selected image, while allowing Bank of America to recognize its customers using traditional passwords in combination with recognition of the customer's computer by means of a computer "signature."
The FFIEC guidance does not specify any particular type of authentication technology that should be adopted. Decisions about which specific authentication technologies a bank should adopt depend upon the outcome of the bank's risk assessment, as well as other business and customer considerations.
Some risk factors to consider in planning for better mutual authentication
As banks begin implementing better authentication to satisfy the FFIEC guidance, fraudsters will adjust their tactics accordingly. Phishing emails, which are designed to direct customers to phony websites that ask people to enter sensitive personal information, may evolve as fraudsters' needs for personal information change. For example, some newer authentication methods depend on recognition of a customer's computer as a second authentication factor, in addition to a password. When a customer uses a new computer, that computer must be "registered." Prearranged challenge/response questions are often used to authenticate a customer using a new computer, so that the new computer can be registered. Examples of such questions are: What high school did you go to? What city were you born in? What was your first car? It is not unreasonable to imagine that phishing emails will evolve to steal these questions and answers. Prearranged challenge/response questions are similar to passwords in that they are information a banking customer knows that can be stolen. As such, the use of prearranged challenge/response questions may be the "low hanging fruit" that fraudsters focus on as these become more widely used.
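The SiteKey-style flow from the list above (secret image plus computer "signature") and the new-computer registration by challenge question described in this paragraph, modelled together as an added example. This is constructed code, not the article's and not Bank of America's: the computer signature is a plain hash over browser-reported attributes, the bank records are an in-memory dictionary, and the customer, phishing page, user name, password, image name and challenge answer are all made up. The point it shows is that the image only comes from a site that holds the customer's record and recognizes the computer, so an educated customer never types a password into a look-alike page, while the challenge answer used to register a new computer is just another secret that must be stored and compared with the same care as a password.

```python
"""Constructed model of a SiteKey-style mutual authentication exchange
(added example; not code from the article or from any bank)."""
import hashlib
import hmac
import secrets


def device_signature(user_agent, screen, timezone):
    """Stand-in for the computer 'signature': a hash over attributes the
    browser reports. Constructed scheme, not any vendor's algorithm."""
    return hashlib.sha256(f"{user_agent}|{screen}|{timezone}".encode()).hexdigest()


class BankSite:
    """The legitimate site. It holds the records a phishing site does not have."""

    def __init__(self):
        self._customers = {}

    @staticmethod
    def _kdf(salt, value):
        return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 50_000)

    def enroll(self, user, password, image, question, answer, device_sig):
        salt = secrets.token_bytes(16)
        self._customers[user] = {
            "salt": salt,
            "pw": self._kdf(salt, password),
            "image": image,
            "question": question,
            # the challenge answer is "something you know": store it hashed
            "answer": self._kdf(salt, answer.strip().lower()),
            "devices": {device_sig},
        }

    def show_image(self, user, device_sig):
        """Bank-to-customer step: reveal the secret image only for a known
        user on a registered computer; an unknown computer gets nothing."""
        rec = self._customers.get(user)
        if rec is None or device_sig not in rec["devices"]:
            return None
        return rec["image"]

    def register_device(self, user, device_sig, answer):
        """New-computer registration by prearranged challenge question."""
        rec = self._customers.get(user)
        if rec is None:
            return False
        given = self._kdf(rec["salt"], answer.strip().lower())
        if not hmac.compare_digest(given, rec["answer"]):
            return False
        rec["devices"].add(device_sig)
        return True

    def check_password(self, user, password, device_sig):
        """Customer-to-bank step: password plus a recognized computer."""
        rec = self._customers.get(user)
        if rec is None or device_sig not in rec["devices"]:
            return False
        return hmac.compare_digest(self._kdf(rec["salt"], password), rec["pw"])


class LookAlikeSite:
    """Phishing page: no customer records, so it can only guess at the image,
    and it keeps whatever a visitor types."""

    def __init__(self):
        self.captured = []

    def show_image(self, user, device_sig):
        return "generic-padlock.png"

    def check_password(self, user, password, device_sig):
        self.captured.append((user, password))
        return True  # pretends the login worked


def customer_login(site, user, password, expected_image, device_sig):
    """An educated customer types the password only after the expected image appears."""
    if site.show_image(user, device_sig) != expected_image:
        return "refused: site did not show my image"
    ok = site.check_password(user, password, device_sig)
    return "logged in" if ok else "password rejected"


def run_scenarios():
    """Constructed walk-through; every value below is made up for the demo."""
    home_pc = device_signature("Mozilla/5.0", "1280x1024", "America/New_York")
    work_pc = device_signature("Mozilla/5.0", "1920x1080", "America/Chicago")
    bank = BankSite()
    bank.enroll("alice", "correct horse", "red-kayak.jpg",
                "What was your first car?", "Civic", home_pc)
    phish = LookAlikeSite()
    return {
        "genuine_known_pc": customer_login(bank, "alice", "correct horse", "red-kayak.jpg", home_pc),
        "lookalike": customer_login(phish, "alice", "correct horse", "red-kayak.jpg", home_pc),
        "phish_captured": len(phish.captured),
        # a new computer shows no image until it has been registered
        "new_pc_before_registration": customer_login(bank, "alice", "correct horse", "red-kayak.jpg", work_pc),
        "register_wrong_answer": bank.register_device("alice", work_pc, "Corolla"),
        "register_right_answer": bank.register_device("alice", work_pc, " civic "),
        "new_pc_after_registration": customer_login(bank, "alice", "correct horse", "red-kayak.jpg", work_pc),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Running it shows the look-alike page capturing nothing, because the customer's rule is to withhold the password until the image matches. The registration step is where the "low hanging fruit" of this paragraph sits: anyone who has stolen the challenge answer can register a computer of their own, which is why the answer is hashed and salted like a password here rather than stored in the clear.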
A Man-in-the-Middle attack places a fraudster between a banking customer and the bank's website, so that the customer believes he is interacting with his bank's website when he is actually interacting with the fraudster's site. The fraudster can then modify the transactions initiated by the customer to the fraudster's advantage. Man-in-the-Middle attacks can thwart a two-factor authentication scheme that uses One-Time Password tokens as the "something you have" authentication factor, for example, if the bogus site can use the one-time password provided by a banking customer to access the online banking account before the one-time password expires. One way to prevent Man-in-the-Middle attacks is through mutual authentication, so that a banking customer can easily distinguish between a legitimate banking website and a fraudulent one. An educated banking customer whose bank implements a well-designed mutual authentication scheme for online banking would not provide a one-time password, or any other sensitive information, to a look-alike banking website until the customer verifies that the website is legitimate.
Malware can be surreptitiously installed on a banking customer's computer as a result of downloading a computer virus, or by visiting a website that attempts to automatically install these programs. One form of malware is designed to record all the keystrokes made by customers and transmit them to fraudsters. These keystroke loggers allow fraudsters to steal passwords and other personal information that can enable identity theft. However, as banks begin implementing better mutual authentication, this information by itself will become less useful for allowing fraudsters to break into customers' accounts.
Another form of malware could allow a fraudster to hijack an online session that has already been established. Even though the use of stronger authentication by a bank may prevent a fraudster from initially accessing someone's online account, malware installed on the customer's computer might enable a fraudster to conduct illicit transactions once the online session is established. For instance, malware might initiate a transaction that moves money out of a customer's account, even though the customer legitimately initiated the online session with the bank. This points to a need to consider transaction-based authentication, in addition to authentication at the start of the online session. Depending upon the risks that are perceived, banks may want to consider separately authenticating individual transactions that move given amounts of money out of customers' accounts.
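The one-time-password weakness described two paragraphs above and the transaction-based authentication this paragraph calls for, carried through as one added example (constructed code, not from the article or from any token vendor). It assumes a per-customer token key (a made-up demo value), a 30-second code window, HOTP-style truncation of an HMAC to six digits, and a transaction described by its amount in cents and destination account. A session code depends only on the time window, so it verifies for whatever transaction is submitted while it is valid; a transaction code is computed over the amount and payee the customer intends, so a transaction with substituted details does not verify even inside the window.

```python
"""Added example (not the article's code): a session one-time password versus
a code bound to the transaction it authorizes. Key, window and transaction
details are constructed for the demo."""
import hashlib
import hmac
import struct

DEMO_KEY = bytes.fromhex("3132333435363738393031323334353637383930")  # constructed
STEP_SECONDS = 30
DIGITS = 6


def _truncate(key, message):
    """HOTP-style dynamic truncation of an HMAC to a fixed-length decimal code."""
    mac = hmac.new(key, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{number % 10**DIGITS:0{DIGITS}d}"


def _window(now):
    return struct.pack(">Q", now // STEP_SECONDS)


def session_otp(key, now):
    """Code used only to open the session: tied to the time window and to
    nothing else, so it is good for whatever is submitted in that window."""
    return _truncate(key, _window(now))


def transaction_code(key, now, amount_cents, dest_account):
    """Code tied to the transaction: computed over the amount and destination
    the customer intends, so a different amount or payee will not verify."""
    details = f"{amount_cents}|{dest_account}".encode()
    return _truncate(key, _window(now) + details)


def verify_session_otp(key, code, now):
    return hmac.compare_digest(code, session_otp(key, now))


def verify_transaction(key, code, now, amount_cents, dest_account):
    expected = transaction_code(key, now, amount_cents, dest_account)
    return hmac.compare_digest(code, expected)


def scenario(now=1_700_000_000):
    """Constructed case: the customer intends to pay 100.00 to ACCT-A; a
    party in the middle forwards her code a few seconds later but submits
    5000.00 to ACCT-B instead."""
    intended = (10_000, "ACCT-A")
    substituted = (500_000, "ACCT-B")
    later = now + 5                    # still inside the same 30-second window
    expired = now + 2 * STEP_SECONDS   # a later window

    otp = session_otp(DEMO_KEY, now)
    tac = transaction_code(DEMO_KEY, now, *intended)
    return {
        # a session OTP says nothing about which transaction follows it
        "session_otp_relayed_in_window": verify_session_otp(DEMO_KEY, otp, later),
        "session_otp_after_expiry": verify_session_otp(DEMO_KEY, otp, expired),
        # a transaction code verifies only against the details it was computed over
        "tac_genuine_details": verify_transaction(DEMO_KEY, tac, later, *intended),
        "tac_substituted_details": verify_transaction(DEMO_KEY, tac, later, *substituted),
    }


if __name__ == "__main__":
    for name, accepted in scenario().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The design point is that the customer's device must display the amount and payee it is signing, so the customer sees the real transaction details rather than whatever a compromised browser or interposed site shows on screen; binding the code to those details is what turns "authenticate the session" into "authenticate this transaction."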