Experts have touted mutual authentication as one of the strongest means for financial institutions to secure their online operations, and banks are beginning to realize the value of the technology. This summer, Bedford, Mass.-based security solutions provider RSA saw its Adaptive Authentication solution implemented at Salt Lake City-based Zions Bank ($31 billion in assets) and ING Direct (Wilmington, Del.; $62 billion in assets) for the banks' online retail banking customers.
The RSA product employs site-to-user and user-to-site authentication, allowing the banks to verify customers and customers to verify that they are at the banks' legitimate Web sites, RSA says. "Our approach is risk-based authentication," explains Amir Orad, VP of marketing in RSA's consumer solutions group. "We transparently look at your activity and devices behind the scenes as you use the bank Web site."
The current authentication process of user name and password remains, Orad continues. However, the user name and password are now part of a layered security solution that uses risk-based authentication along with other techniques, he relates. Adding more muscle to the solution is the real-time data analysis provided by RSA's eFraud Network of clients, which share information on fraud and suspicious patterns. By sharing data and collaborating on fraud prevention, banks' ability to secure their operations increases greatly, Orad asserts. He stresses that no additional burden is placed on consumers.
Customers at Zions Bank seem to agree, according to Lee Carter, Zions' president of online banking. The bank rolled out the RSA technology in mid-July under the name SecurEntry. "Over 70 percent of our client base already signed up for this," Carter says. Enrollment initially was optional but is set to become mandatory this month, he notes.
Although Zions' call center receives calls about SecurEntry, Carter says the volume is within the range the bank predicted at the outset of the RSA implementation. Most calls are from clients who are getting used to the new system, such as those who forget the answers to challenge questions, he relates. "But it's really well-accepted by our clients," Carter reiterates. "It's convenient for them."
Convenience Is Key
Convenience was a major criterion for Zions. "[The solution] had to be portable to the clients - something they know and have, but not a physical object like a token," Carter says. The flexibility and open architecture of the solution also appealed to the bank so that it could add more layers of security if desired, Carter adds. For example, Zions and ING both use RSA's anti-phishing solution for added security.
While the trend to adopt risk-based mutual authentication solutions is due partly to the FFIEC guidance on online authentication, Zions "started the process before the FFIEC guidance came out," the bank's Carter says. "We want clients to know we're very concerned about their security. Having strong authentication is not a matter of being asked to do so by the government - it's just the right thing to do."
Of course, as threats evolve, so too must the solutions. "We're looking at cross-channel security because fraudsters will switch to other channels, such as VOIP," RSA's Orad says. "Banks are already looking at this."