Although the Federal Financial Institutions Examination Council (FFIEC) only released its guidance on authentication for electronic banking in late October, Kevin Doyle saw the writing on the wall months earlier. Back in April, the NCUA examiners that regulate Harrisburg, Pa.-based Pennsylvania State Employees' Credit Union (PSECU; $2.3 billion in assets) began asking how the credit union intended to protect itself against phishing attacks, in which thieves entice customers to relinquish their Web banking passwords. The credit union had recently signed up with Cyota's (New York) FraudAction service, which offers preventative measures against phishing attacks.
But then, the examiners also asked about stronger measures. "They actually started asking questions about what we're going to do with authentication," says Doyle, PSECU's information security manager. As a result, Doyle relates, he began to explore the topic in depth.
That led him to ink another deal with Cyota in early October to perform analysis of online banking transactions to assess fraud risk. Thus, Doyle's organization was ready when the FFIEC announced two weeks later that it considered "single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties."
"I guess I could see it coming," Doyle says.
Although, at first glance, the FFIEC guidance seems to advocate the use of tokens, smart cards or other device-based forms of two-factor authentication, a careful reading reveals that behind-the-scenes measures are acceptable. And that was fine for Doyle, who notes that he isn't keen on rolling out physical devices to customers. "I don't like the smart card, token or biometric solutions, basically because of the costs and the support we'd have to put into it, and also because it impacts the user experience with the product," he says.
Instead, the Cyota solution monitors usage patterns for unusual activity. Upon discovering behavior such as a log-in from an unfamiliar location or IP address, or the establishment of a new payee, the system automatically telephones the customer at any one of his or her pre-arranged numbers.
This technique is considered "out-of-band authentication" -- that is, the system verifies customer identity using a separate channel from the one used to initiate the transaction, explains Naftali Bennett, CEO of Cyota. "It's a legitimate course of action and requires no additional distribution of new hardware," he says. "It leverages existing hardware."
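The two paragraphs above describe a risk-based step-up flow: score each session event against the customer's usual behaviour, and when the score is high enough, confirm over a separate channel before the action goes through. The sketch below is an added illustration of that flow, not Cyota's or PSECU's code; the event kinds, the weights, the threshold and the `place_call` callback that stands in for the telephony channel are all assumptions. It also encodes three caveats a practitioner would want: the call goes only to numbers already on file, never to one typed into the current web session; changing a phone number is itself a step-up event confirmed on the existing number; and the profile learns a new IP or payee only after the customer confirms, so an attacker cannot "train" it by being declined.

```python
"""Risk-based step-up with out-of-band confirmation (illustrative sketch)."""
from dataclasses import dataclass, field

# Hypothetical weights and threshold; the real service's scoring model is not public.
THRESHOLD = 50
WEIGHTS = {
    "unfamiliar_ip": 50,
    "unfamiliar_country": 30,
    "new_payee": 50,
    "transfer_to_unknown_payee": 50,
    "phone_number_change": 100,
}


@dataclass
class Profile:
    phones: list                                   # pre-arranged out-of-band numbers
    known_ips: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    known_payees: set = field(default_factory=set)


@dataclass
class Event:
    kind: str                                      # login | add_payee | transfer | change_phone
    ip: str
    country: str
    payee: str = ""
    amount: float = 0.0


def risk(event, profile):
    """Return (score, list of triggered signals) for one session event."""
    hits = []
    if event.ip not in profile.known_ips:
        hits.append("unfamiliar_ip")
    if event.country not in profile.known_countries:
        hits.append("unfamiliar_country")
    if event.kind == "add_payee":
        hits.append("new_payee")
    if event.kind == "transfer" and event.payee not in profile.known_payees:
        hits.append("transfer_to_unknown_payee")
    if event.kind == "change_phone":
        hits.append("phone_number_change")
    return sum(WEIGHTS[h] for h in hits), hits


def learn(event, profile):
    """Fold a confirmed event into the customer's behaviour profile."""
    profile.known_ips.add(event.ip)
    profile.known_countries.add(event.country)
    if event.kind in ("add_payee", "transfer") and event.payee:
        profile.known_payees.add(event.payee)


def decide(event, profile, place_call):
    """Return ('allow' | 'denied' | 'held', hits).

    place_call(number, text) simulates the telephone channel and returns
    True (customer confirmed), False (customer declined) or None (no answer).
    """
    score, hits = risk(event, profile)
    if score < THRESHOLD:
        learn(event, profile)
        return "allow", hits
    # Only numbers already on file are used: anything supplied in this web
    # session is attacker-controlled by assumption once the password is phished.
    for number in profile.phones:
        answer = place_call(number, f"Confirm {event.kind} from {event.country}?")
        if answer is True:
            learn(event, profile)          # learn only after confirmation
            return "allow", hits
        if answer is False:
            return "denied", hits
    return "held", hits                    # no answer anywhere: hold for review


if __name__ == "__main__":
    # Constructed sample customer and events; addresses are documentation ranges.
    member = Profile(phones=["+1-717-555-0100"], known_ips={"203.0.113.10"},
                     known_countries={"US"}, known_payees={"electric-coop"})
    attacker = Event("add_payee", "198.51.100.7", "RO", payee="mule-account")
    print(decide(Event("login", "203.0.113.10", "US"), member, lambda n, t: None))
    print(decide(attacker, member, lambda n, t: False))   # phished password, declined on the phone
    print(decide(Event("change_phone", "203.0.113.10", "US"), member, lambda n, t: None))
```

Run as a script to see the three outcomes: the routine login is allowed without a call, the phished-password attempt to add a mule payee is denied once the member says no on the phone, and a phone-number change that nobody answers is held rather than allowed.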
In this way, the monitoring of banking transactions has begun to resemble that of credit card transactions. "Banks need to monitor online transactions just like in the credit card world, where every single credit card transaction is being monitored for suspicious activities," says Bennett. "It doesn't really matter how the fraudster obtained your credit card [number] -- as long as the bank monitors your transaction, it can detect suspicious patterns."