04:20 PM
Judy Ward

How United Bankers’ Bank Ensures Customer Authentication Online

Correspondent bank taps fingerprint-recognition system for secure online transactions.

United Bankers' Bank (UBB, part of United Bankers' Bancorporation, combined $7.8 billion in assets) officials knew they had to move carefully when they started thinking in 2001 about providing online access for the bank's customers, which are other banks. UBB focuses on correspondent services, and says it ranks among the largest correspondent banks in the Federal Reserve's 9th District.

"Our customers are banks, and that means they are moving a lot of money around," says Daren Mehl, assistant vice president of information technology at UBB in Bloomington, Minn. "Before we started doing wire transfers and automated clearing online, we wanted to make sure we could authenticate that the users of the system are who they say they are."

To do that, UBB needed a reliable authentication system that customers would find easy to use. In 2002, bank officials ultimately chose U.are.U Online, a fingerprint-recognition system made by Redwood City, Calif.-based DigitalPersona, Inc. The rollout began in November 2003, allowing UBB customers to log on to UBB's Web site automatically with the touch of a finger, and without passwords.

Previously, the bank had been using a proprietary dial-in network with passwords for customers. While it had not caused problems, Mehl says, "The technology had changed. Customers wanted us to move online."

UBB first considered three authentication options: smart cards, tokens and biometrics. "We ruled out smart cards right away, because it is so expensive," Mehl says. Smart cards and tokens also carry a security risk because they can be passed to somebody else, which ruled out the latter, Mehl explains.

So that left biometrics and fingerprints as the best technological choice. "You cannot pass your finger to someone and say, 'Can you log on for me?' " Mehl says. UBB considered a few other vendors, but DigitalPersona had an advantage: The bank had used its U.are.U Pro for Active Directory fingerprint-recognition technology on its own employees' desktops since 2000, and it worked well. UBB proceeded to build the Web site and its interface with the bank's internal system. "It took only a month to integrate the authentication system, if that," Mehl says.

Customer Buy-In

Following four months of beta testing, rollout of the new technology to 25 customers a week began in November. "To help buy-in into the program, we did buy one [U.are.U Online] system for each customer, just to get them going," Mehl says. Those that want extra sensors for additional computers can buy them. Currently, UBB has 322 customers on the system, out of the 360-plus customers that the bank wants to transition to it. "By the end of March, we plan to have every single customer signed," Mehl says.

Asked about the project's challenges, Mehl mentions that he and his colleagues first had to learn how DigitalPersona's system works, but, "Once we figured out the intricacies of the product, it really was not that difficult to integrate. It used our existing technology," he says. But some customers had reservations about Big Brother watching, he says. "We had to teach customers that it is not actually storing your fingerprints."

In the end, bank officials are pleased with U.are.U Online. Mehl cites the "security, peace of mind and ease of use for customers." When doing transactions online, he adds, the bank's concern is "liability and security and protecting our image, our name."

---

Snapshot

Institution: United Bankers' Bank (UBB, Bloomington, Minn.), part of United Bankers' Bancorporation.

Assets: Combined $7.8 billion.

Business Challenge: Provide secure online transactions.

Solution: DigitalPersona, Inc.'s (Redwood City, Calif.) U.are.U Online fingerprint-recognition system.
