Zions, ING Pick RSA Risk-Based Authentication Solution

Banks starting to see value in mutual authentication schemes.

Experts have touted mutual authentication as one of the strongest means for financial institutions to secure their online operations, and banks are beginning to realize the value of the technology. This summer, Bedford, Mass.-based security solutions provider RSA saw its Adaptive Authentication solution implemented at Salt Lake City-based Zions Bank ($31 billion in assets) and ING Direct (Wilmington, Del.; $62 billion in assets) for the banks' online retail banking customers.

The RSA product employs site-to-user and user-to-site authentication, allowing the banks to verify customers and customers to verify that they are at the banks' legitimate Web sites, RSA says. "Our approach is risk-based authentication," explains Amir Orad, VP of marketing in RSA's consumer solutions group. "We transparently look at your activity and devices behind the scenes as you use the bank Web site."

The current authentication process of user name and password remains, Orad continues. However, those credentials are now part of a layered security solution that uses risk-based authentication along with other techniques, he relates. Adding more muscle to the solution is the real-time data analysis provided by RSA's eFraud Network of clients, which share information on fraud and suspicious patterns. By sharing data and collaborating on fraud prevention, banks greatly increase their ability to secure their operations, Orad asserts. He stresses that no additional burden is placed on consumers.

Customers at Zions Bank seem to agree, according to Lee Carter, Zions' president of online banking. The bank rolled out the RSA technology in mid-July under the name SecurEntry. "Over 70 percent of our client base already signed up for this," Carter says. Enrollment initially was optional but is set to become mandatory this month, he notes.

Although Zions' call center receives calls about SecurEntry, Carter says the volume is within the range the bank predicted at the outset of the RSA implementation. Most calls are from clients who are getting used to the new system, such as those who forget the answers to challenge questions, he relates. "But it's really well-accepted by our clients," Carter reiterates. "It's convenient for them."

Convenience Is Key

Convenience was a major criterion for Zions. "[The solution] had to be portable to the clients - something they know and have, but not a physical object like a token," Carter says. The flexibility and open architecture of the solution also appealed to the bank so that it could add more layers of security if desired, Carter adds. For example, Zions and ING both use RSA's anti-phishing solution for added security.

While the trend to adopt risk-based mutual authentication solutions partly is due to the FFIEC guidance on online authentication, Zions "started the process before the FFIEC guidance came out," the bank's Carter says. "We want clients to know we're very concerned about their security. Having strong authentication is not a matter of being asked to do so by the government - it's just the right thing to do."

Of course, as threats evolve, so too must the solutions. "We're looking at cross-channel security because fraudsters will switch to other channels, such as VOIP," RSA's Orad says. "Banks are already looking at this."
