
Will banks make federal Web security deadline?

Written by David Berlind

By way of its sister publication ComputerWorld, InfoWorld has a report card on how banks are doing in terms of meeting a multifactor online banking authentication deadline that was issued by the Feds last October.  But after reading the report, you can't help but wonder if the banking industry has a bit of a laissez-faire attitude about the whole thing.  Wrote the story's author Jaikumar Vijayan:

But a majority of U.S. banks appear unprepared to meet the Dec. 31 deadline for complying with the guidelines, several analysts said last week. They placed much of the blame for the current lack of preparedness on the fact that the guidelines aren't mandatory and don't specify what form of strong authentication banks should implement... Jonathan Eber, a senior product manager at P&H Solutions in Boston, said he's still seeing a spectrum of attitudes toward the FFIEC guidelines. P&H sells software and services for linking banks with corporate customers. About 35 percent of the banks that the company works with have "a sense of urgency about this," Eber said. "There is a middle part of the bell curve where people say, 'I know I have to do it, but I'll be in compliance by Q1 or Q2 of next year.' And there are some who say, 'This doesn't apply to me at all.'"

Here, we have another case where the Feds are trying to address a serious problem -- identity theft -- with a relatively toothless approach.  The language in the guidelines is very reminiscent of current legislative language regarding disclosure when some sort of important database gets compromised.  In fact, there are multiple proposals in both the House and the Senate, some of which leave it to the organization whose databases were compromised to determine whether the breach is significant enough to warrant disclosure.  Opponents of requiring disclosure in every case say that consumers will be overwhelmed (to that I say, "Go ahead... overwhelm me").

Likewise, the federal guidelines regarding multifactor authentication for online banking: 

Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of authentication technologies and methods should depend upon the results of the financial institution’s risk assessment process. 

The word "should" appears in at least three places and is often dependent on other highly subjective matters such as "the results of the financial institution's risk assessment process."  It seems to me to be a conflict of interest whenever the organization that has to bear the cost of certain changes is also the one assessing whether those changes are necessary in the first place.  Need more evidence?  On page 3, the Federal guidelines go so far as to list the three factors of security:

  • Something the user knows (e.g., password, PIN);
  • Something the user has (e.g., ATM card, smart card); and
  • Something the user is (e.g., biometric characteristic, such as a fingerprint).

Multifactor authentication therefore relies on two or three of the above factors in combination.  Yet, according to the InfoWorld article, instead of adding one or two additional factors to the most common form of online banking authentication (what the user knows: userID & password), banks are just piling additional "what the user knows" items into the authentication process.  For example, according to the InfoWorld story:

Earlier this month, the company's Zions Bank unit added a multifactor authentication feature called SecurEntry for users of its online banking services. Woods said SecurEntry is based on technology from RSA Security and allows Zions Bank to better authenticate users to its Web site and ensure that they know they're connected to a legitimate site... The technology works by profiling the devices that customers typically use to log into the bank's online systems. Whenever there are changes, such as when a customer logs in from a new location or using a different system, SecurEntry challenges the user with specific questions that only he should be able to answer, Woods said. He added that the bank views the process as being minimally disruptive to users.

First, I'm sure there are security experts who would disagree.  But adding more questions (in the "what you know" factor category) is not, to me, a multifactor authentication feature, as the story says.  It's just a more burdensome version of single-factor authentication.  Second, the "minimally disruptive" comment gets halfway to the heart of the matter.  Zions Bank, as well as any other bank, could easily supply all of its customers with a keyfob or credit card-sized random number generator (aka: what you have) that generates numbers matching those generated by the bank's servers every 3-5 minutes.  Without a matching number at time of login, you don't get in.  This is the so-called second factor of authentication that European banks frequently require of their customers.  But here in the US, as I've written before, most people are addicted to convenience.  Anything that remotely resembles friction (everything from having to get out of your car to buy your coffee to carrying a random number generator around with you) is the kiss of death for businesses.
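To make the distinction between "more questions" and a real second factor concrete, here is an added example (not code from the original post, and not Zions Bank's or RSA's SecurEntry) covering both the three-factor list above and the keyfob described in this paragraph. It assumes an RFC 6238-style time-based one-time password (HMAC over a time counter) with the standard 30-second step rather than the 3-5 minute interval mentioned above; the account record, password and answer are constructed sample data, and the token secret is the RFC 6238 test-vector secret, used here only so the codes are checkable.

```python
import hashlib
import hmac
import struct
from enum import Enum


class Factor(Enum):
    """The three factor classes listed in the FFIEC guidance."""
    KNOWS = "something the user knows"
    HAS = "something the user has"
    IS = "something the user is"


# Each credential kind maps to exactly one factor class. Note that a
# challenge question lands in the same class as the password: presenting
# both is still single-factor authentication.
CREDENTIAL_FACTOR = {
    "password": Factor.KNOWS,
    "security_answer": Factor.KNOWS,
    "totp": Factor.HAS,   # a correct code proves possession of the token's secret
}

SALT = b"constructed-demo-salt"   # constructed; a real system uses a per-user random salt


def pw_hash(password: str) -> bytes:
    """Slow password hash so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed sample account (hypothetical data, not from the article).
ACCOUNT = {
    "user": "alice",
    "password_hash": pw_hash("correct horse battery staple"),
    "security_answer": "rover",                 # normalised answer to "first pet's name"
    "totp_secret": b"12345678901234567890",     # RFC 6238 test-vector secret, constructed sample
}


def totp_code(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time code: HOTP (RFC 4226) over the time counter (RFC 6238, SHA-1)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock drift."""
    for drift in range(-window, window + 1):
        expected = totp_code(secret, unix_time + drift * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def verify_credential(kind: str, value: str, now: int) -> bool:
    """Check one presented credential against the stored account record."""
    if kind == "password":
        return hmac.compare_digest(pw_hash(value), ACCOUNT["password_hash"])
    if kind == "security_answer":
        return hmac.compare_digest(value.strip().lower(), ACCOUNT["security_answer"])
    if kind == "totp":
        return verify_totp(ACCOUNT["totp_secret"], value, now)
    return False


def login(presented, now: int) -> str:
    """presented: list of (kind, value) pairs. Every credential must verify; the
    result also reports how many distinct factor classes were actually exercised."""
    if not presented or not all(verify_credential(k, v, now) for k, v in presented):
        return "denied"
    factors = {CREDENTIAL_FACTOR[k] for k, _ in presented}
    return "ok-mfa" if len(factors) >= 2 else "ok-single-factor"


if __name__ == "__main__":
    t = 59   # RFC 6238 test time; code for this step is "287082"
    print(login([("password", "correct horse battery staple"),
                 ("security_answer", "Rover")], t))            # ok-single-factor
    print(login([("password", "correct horse battery staple"),
                 ("totp", totp_code(ACCOUNT["totp_secret"], t))], t))   # ok-mfa
    print(login([("password", "correct horse battery staple"),
                 ("totp", "287082")], t + 300))                # denied: code expired
```

The `login` result string is what a policy layer would act on: "ok-single-factor" means every credential checked out but only the "knows" class was exercised, which is exactly the situation the challenge-question approach produces. A stale or replayed code fails outside the drift window, which is the property that makes the token a possession factor rather than another secret the user recites.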

Forget the hard dollar cost of implementing such a system (which most banks would never bear unless the government required it).  Banks can't afford the cost of sending their customers to the competitor where convenience rules over better security.  I know, I know.  It's dumb.  Well, we're dumb.  But that's the way it is.  Unfortunately.
