Although the FFIEC only released its guidance on authentication for electronic banking in late October, Kevin Doyle saw the writing on the wall months earlier.
Back in April, the NCUA examiners that regulate Pennsylvania State Employees' Credit Union (PSECU, Harrisburg, Pa., $2.3 billion in assets) began asking how the credit union intended to protect itself against phishing attacks, in which thieves entice banking customers to relinquish their Web banking passwords. The credit union had recently signed up with Cyota's (New York) FraudAction service, which offers preventative measures against phishing attacks.
But then, the examiners also asked about stronger measures. "They actually started asking questions about what we're going to do with authentication," says Doyle, PSECU's information security manager, who then began to explore the topic in depth. That led him to ink another deal with Cyota in early October to perform analysis of online banking transactions to assess fraud risk.
Thus, Doyle's organization was ready when, two weeks later, the FFIEC guidance declared that the agencies consider "single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties." "I guess I could see it coming," Doyle adds.
Although at first glance the FFIEC guidance seemed to advocate tokens, smart cards or other device-based forms of two-factor authentication, a careful reading revealed that behind-the-scenes measures, such as risk-based monitoring of logins and transactions, were also acceptable.
That was fine for Doyle, who wasn't keen on rolling out physical devices to customers. "I don't like the smart card, token, or biometric solutions, basically because of the costs and the support we'd have to put into it, and also because it impacts the user experience with the product," he says.
Instead, the Cyota solution monitors usage patterns for unusual activity. Upon discovering behavior such as a login from an unfamiliar location or IP address, or the establishment of a new payee, the system automatically telephones the customer at any one of his or her pre-arranged numbers. This technique is known as "out-of-band authentication": the system verifies the customer's identity over a channel separate from the one used to initiate the transaction. "It's a legitimate course of action, and requires no additional distribution of new hardware," explains Naftali Bennett, CEO of Cyota. "It leverages existing hardware."
In this way, the monitoring of banking transactions has begun to resemble that of credit card transactions. "Banks need to monitor online transactions just like in the credit card world, where every single credit card transaction is being monitored for suspicious activities," says Bennett. "It doesn't really matter how the fraudster obtained your credit card. As long as the bank monitors your transaction, it can detect suspicious patterns."
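To make the mechanism described in the two preceding paragraphs concrete, here is an added example of a risk-based authentication engine: it scores each online banking event against what the institution already knows about the customer (familiar IP addresses, familiar locations, established payees), allows low-risk events, and steps up to an out-of-band one-time code for risky ones, just as credit card transaction monitoring scores every transaction regardless of how the card data was obtained. This is illustrative code written for this article, not Cyota's product or PSECU's deployment; the event fields, risk weights, threshold and the sample customer profile are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional
import secrets

# Assumed: at or above this score the session is not trusted on its own
# and the customer must confirm over a separate channel.
THRESHOLD = 50


@dataclass
class Profile:
    """What the institution already knows about a customer (constructed sample data)."""
    customer_id: str
    known_ips: set[str]
    known_countries: set[str]
    known_payees: set[str]
    phone_numbers: list[str]  # pre-arranged out-of-band numbers, registered in advance


@dataclass
class Event:
    kind: str                 # "login", "new_payee" or "transfer"
    ip: str
    country: str
    payee: Optional[str] = None
    amount: float = 0.0


@dataclass
class Decision:
    risk: int
    reasons: list[str]
    action: str               # "allow" or "out_of_band"
    challenge: Optional[str] = None  # one-time code delivered over the phone channel


def score(profile: Profile, ev: Event) -> tuple[int, list[str]]:
    """Sum risk points for the signals the article names; the weights are assumptions."""
    risk, reasons = 0, []
    if ev.ip not in profile.known_ips:
        risk += 30
        reasons.append("unfamiliar IP address")
    if ev.country not in profile.known_countries:
        risk += 40
        reasons.append("login from unfamiliar location")
    if ev.kind == "new_payee":
        risk += 50
        reasons.append("establishment of a new payee")
    if ev.kind == "transfer":
        if ev.payee not in profile.known_payees:
            risk += 40
            reasons.append("transfer to unknown payee")
        if ev.amount >= 5000:  # assumed high-value cutoff
            risk += 20
            reasons.append("high-value transfer")
    return risk, reasons


def evaluate(profile: Profile, ev: Event) -> Decision:
    """Allow low-risk events; otherwise issue a code to be read out over a pre-arranged phone number."""
    risk, reasons = score(profile, ev)
    if risk < THRESHOLD:
        return Decision(risk, reasons, "allow")
    # The code travels over a channel the web session does not control, so a
    # phished password alone cannot complete the step-up.
    code = f"{secrets.randbelow(10**6):06d}"
    return Decision(risk, reasons, "out_of_band", challenge=code)


def verify_out_of_band(decision: Decision, code_entered: str) -> bool:
    """Constant-time comparison of the code the customer read back against the one sent."""
    if decision.action != "out_of_band" or decision.challenge is None:
        return False
    return secrets.compare_digest(decision.challenge, code_entered)


# Constructed sample profile: one known home IP, US only, one established payee.
ALICE = Profile("C1001", {"203.0.113.7"}, {"US"}, {"PA Electric"}, ["+1-717-555-0100"])

if __name__ == "__main__":
    for ev in (
        Event("login", "203.0.113.7", "US"),
        Event("login", "198.51.100.9", "RU"),
        Event("new_payee", "203.0.113.7", "US", payee="Unknown LLC"),
        Event("transfer", "203.0.113.7", "US", payee="PA Electric", amount=120.0),
    ):
        d = evaluate(ALICE, ev)
        print(ev.kind, ev.ip, ev.country, "->", d.action, d.risk, d.reasons)
```

The phone numbers in the profile are deliberately part of the stored profile rather than something the session can change: an out-of-band check only adds security if the second channel was arranged before the session being challenged and cannot be redirected from within it.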