Will banks make federal Web security deadline?

Summary: By way of its sister publication ComputerWorld, InfoWorld has a report card on how banks are doing in terms of meeting a multifactor online banking authentication deadline that was issued by the Feds last October.  But after reading the report, you can't help but wonder if the banking industry has a bit of a laissez-faire attitude about the whole thing.

By way of its sister publication ComputerWorld, InfoWorld has a report card on how banks are doing in terms of meeting a multifactor online banking authentication deadline that was issued by the Feds last October. But after reading the report, you can't help but wonder if the banking industry has a bit of a laissez-faire attitude about the whole thing. Wrote the story's author, Jaikumar Vijayan:

But a majority of U.S. banks appear unprepared to meet the Dec. 31 deadline for complying with the guidelines, several analysts said last week. They placed much of the blame for the current lack of preparedness on the fact that the guidelines aren't mandatory and don't specify what form of strong authentication banks should implement... Jonathan Eber, a senior product manager at P&H Solutions in Boston, said he's still seeing a spectrum of attitudes toward the FFIEC guidelines. P&H sells software and services for linking banks with corporate customers. About 35 percent of the banks that the company works with have "a sense of urgency about this," Eber said. "There is a middle part of the bell curve where people say, 'I know I have to do it, but I'll be in compliance by Q1 or Q2 of next year.' And there are some who say, 'This doesn't apply to me at all.'"

Here, we have another case where the Feds are trying to address a serious problem -- identity theft -- with a relatively toothless approach. The language in the guidelines is very reminiscent of current legislative language regarding disclosure when some sort of important database gets compromised. In fact, there are multiple proposals in both the House and the Senate, some of which leave it up to the organization whose databases were compromised to determine whether the breach is significant enough to warrant disclosure. Opponents of requiring disclosure in every case say that consumers will be overwhelmed (to that I say, "Go ahead.. overwhelm me").

Likewise, the federal guidelines regarding multifactor authentication for online banking say:

Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of authentication technologies and methods should depend upon the results of the financial institution's risk assessment process.

The word "should" appears in at least three places and is often dependent on other highly subjective matters such as "the results of the financial institution's risk assessment process." It seems to me to be a conflict of interest whenever the organization that has to bear the cost of certain changes is also the one assessing whether those changes are necessary in the first place. Need more evidence? On page 3, the Federal guidelines go so far as to list the three factors of authentication:

  • Something the user knows (e.g., password, PIN);
  • Something the user has (e.g., ATM card, smart card); and
  • Something the user is (e.g., biometric characteristic, such as a fingerprint).

Multifactor authentication therefore relies on two or three of the above factors in combination. Yet, according to the InfoWorld article, instead of adding one or two additional factors to the most common form of online banking authentication (what the user knows: user ID and password), banks are just piling additional "what the user knows" items into the authentication process. For example, according to the InfoWorld story:

Earlier this month, the company's Zions Bank unit added a multifactor authentication feature called SecurEntry for users of its online banking services. Woods said SecurEntry is based on technology from RSA Security and allows Zions Bank to better authenticate users to its Web site and ensure that they know they're connected to a legitimate site....The technology works by profiling the devices that customers typically use to log into the bank's online systems. Whenever there are changes, such as when a customer logs in from a new location or using a different system, SecurEntry challenges the user with specific questions that only he should be able to answer, Woods said. He added that the bank views the process as being minimally disruptive to users. 

First, I'm sure there are security experts who would disagree. But adding more questions (in the "what you know" factor category) is not, to me, a multifactor authentication feature as the story says. It's just a more burdensome version of single-factor authentication. Second, the "minimally disruptive" comment gets halfway to the heart of the matter. Zions Bank, like any other bank, could easily supply all of its customers with a keyfob or credit card-sized number generator (aka: what you have) that produces a code matching the one generated by the bank's servers, changing every 3-5 minutes. Without a matching number at time of login, you don't get in. This is the so-called second factor of authentication that European banks frequently require of their customers. But here in the US, as I've written before, most people are addicted to convenience. Anything that remotely resembles friction (everything from having to get out of your car to buy your coffee to carrying a number generator around with you) is the kiss of death for businesses.

Forget the hard dollar cost of implementing such a system (which most banks would never bear unless the government required it).  Banks can't afford the cost of sending their customers to the competitor where convenience rules over better security.  I know, I know.  It's dumb.  Well, we're dumb.  But that's the way it is.  Unfortunately.
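As an added illustration (not code from this post, nor from any bank or vendor it mentions), here is the time-synchronous keyfob scheme the post describes, in Python: a simulated fob and the bank's verifier share a secret seed, the code rotates every three minutes (the post says 3-5), the password supplies the "what you know" factor and the fob the "what you have" factor, and the verifier accepts each code only once, which also closes the replay window a commenter raises about time-synchronous tokens later in the thread. The seed, user name, password and timestamp are constructed values.

```python
import hashlib
import hmac
import os
import struct

# Parameters chosen for this illustration: the post describes fobs whose
# number changes every 3-5 minutes, so a 180-second step is used here.
STEP_SECONDS = 180
DIGITS = 6
DRIFT_STEPS = 1  # tolerate one step of clock skew between fob and server


def time_counter(now: float, step: int = STEP_SECONDS) -> int:
    """Map a Unix timestamp to the time-step counter both sides agree on."""
    return int(now // step)


def token_code(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP-style dynamic truncation (RFC 4226) of HMAC-SHA1(seed, counter)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)


class Keyfob:
    """The 'something you have': a device sharing a secret seed with the bank."""

    def __init__(self, seed: bytes):
        self.seed = seed

    def display(self, now: float) -> str:
        return token_code(self.seed, time_counter(now))


class BankVerifier:
    """Server side: checks factor one (password) and factor two (fob code)."""

    def __init__(self):
        self.accounts = {}       # user -> (salt, password hash, fob seed)
        self.last_counter = {}   # user -> highest counter already accepted

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, user: str, password: str, seed: bytes) -> None:
        salt = os.urandom(16)
        self.accounts[user] = (salt, self._hash_password(password, salt), seed)

    def _check_password(self, user: str, password: str) -> bool:
        salt, stored, _ = self.accounts[user]
        return hmac.compare_digest(stored, self._hash_password(password, salt))

    def _check_code(self, user: str, code: str, now: float) -> bool:
        seed = self.accounts[user][2]
        current = time_counter(now)
        for step in range(current - DRIFT_STEPS, current + DRIFT_STEPS + 1):
            # A counter at or below the last accepted one is spent: a code
            # captured by a keylogger cannot be replayed inside the window.
            if step <= self.last_counter.get(user, -1):
                continue
            if hmac.compare_digest(token_code(seed, step), code):
                self.last_counter[user] = step
                return True
        return False

    def login(self, user: str, password: str, code: str, now: float) -> bool:
        """Both factors must pass; the code is consumed only if the password is right."""
        if user not in self.accounts:
            return False
        if not self._check_password(user, password):
            return False
        return self._check_code(user, code, now)


def demo() -> dict:
    """Walk through a login, a replayed code and the next rotation (constructed values)."""
    seed = b"constructed-demo-seed-not-a-real-fob"
    fob = Keyfob(seed)
    bank = BankVerifier()
    bank.enroll("alice", "constructed-password", seed)
    t0 = 1_000_000_000.0  # arbitrary timestamp; fob and bank share one clock
    first = fob.display(t0)
    t1 = t0 + STEP_SECONDS
    return {
        "fresh_code_accepted": bank.login("alice", "constructed-password", first, t0),
        "same_code_replayed": bank.login("alice", "constructed-password", first, t0 + 30),
        "wrong_password": bank.login("alice", "wrong", fob.display(t1), t1),
        "next_rotation_accepted": bank.login("alice", "constructed-password", fob.display(t1), t1),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```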

  • Great, thanks for post

    Yes, this business of piling on more of "what the user knows" is baloney. It's worthless. It's like asking for the 3 additional numbers.
  • There has to be a better way...

  • There is a better way

  • Agree with the principles, but...

    In practice, following the European model is not going to create the utopia you are envisioning. I've lived in Europe for the last 4 years (in the UK and also on the continent) and as a regular user of many banking sites and credit card sites in both America and in Europe, I can tell you that Europe does not have their priorities right on this.

    When switching back and forth, I find myself complaining about how ridiculously unusable the banking sites are in Europe, in comparison to those in America. While the Citibank UK site is apparently obsessed with meeting their regulatory requirements, and provides umpteen levels of passwords and javascript keyboards, it is time consuming and, in your words, inconvenient, to do practically anything. On the other hand, Bank of America's US site has made continued advances in providing real practical security, most recently in the form of new anti-phishing features. The same holds true for credit card sites and business banking sites across practically every bank I've seen.

    You're right that Americans might be a bit too obsessed with convenience, but government regulation is not the answer to solve this security problem - it is a killer of innovation into truly insightful ideas that might lead to protection against real security threats that are constantly evolving. Leave security in the hands of those who have the biggest interest in protecting it - the banks themselves. If security breaches continue to occur, consumers will learn to choose banks with better security.
    • Agree with the principles, but...

      Picking Bank of America's SiteKey security solution as a good security example is a big mistake. First, it is cumbersome and inconvenient.
      Second, it offers no protection against Keylogger Exploits and it's based on a cookie ID that is easily lost, stolen or simply disappears. The secret picture is just another layer of something you know not something you have.
  • Of course they will

    They'll make it on time and just under the wire. That's likely why the federal mandate is so thin.

    I also think the necessary audience is not reading this article.

    Your points are consistent with my customer experience. My bank recently implemented additional multiple screens of "what the user knows".

    Worse still, the implemented solution randomly presents options of first 4 digits, last 5 digits, last 4 digits, etc. of the user's SSN and other usual information. This effectively exposes most (if not all) of the SSN over the web. Thankfully, it is transacted over SSL, but they've missed the point. If my identity has been stolen, the culprit ALREADY HAS ALL of the supposed pseudo-random information.

    Further, we've simply made theft easier by only requiring the last 4 digits of virtually everything. The last four digits of every kind of ID conceivable are blissfully printed on every receipt for virtually any payment transaction. We have not advanced AT ALL. We have actually leapt backward!

    The work of a bank's IT staff has been reduced to inconveniencing a customer under the sham of authentication. It is now more difficult for ME to get to MY money. Nothing has really changed for the thief. And that's the usual result of government directing things government truly has no business directing.

    Government will never wise up and until a bank gets sucked dry the industry will not truly change. The change may be as horrific as a government-run bank where no one will be able to control their funds.
  • Banks aren't the only issue

    How is making logging into my bank's website more convoluted going to fight identity theft?

    Give me any valid credit card (yours, your sister's, your uncle's) and by the end of the day of visiting stores, it'll be maxed. Identification isn't verified. Visa has done a great job of pushing the "quick swipe" checkout where the only person that wins is Visa, who gets paid regardless.

    Before I got married I gave my girlfriend (now wife) a credit card to do some shopping. Now it was agreed as to how much we/she was to spend and on what. 11 stores and 2000.00 later she had signed 5 receipts with her name, 6 quick swipes and hadn't once been asked for ID (I was with her just in case) but was alarmed at how easy it was.

    IMO, how information including physical CCs is handled should be a priority rather than worrying about how difficult it can be made for me to remember the passwords to my bank's website.
    • Quick Swipe = Quick Fraud

      I can't believe any retailer would consider using quick swipe tills, and yet they do. In the UK, stores such as Tescos & Asda (Wal-Mart) have just started installing self-service checkouts; now in the Asda stores, you have to put your card in a reader and enter a PIN to access the card (much like smart cards), BUT in the Tescos stores (at least in my area) you just have to swipe the card on the side of the till, no PIN, not even a signature.
      Now when you think that in the UK we've just gone through a huge Chip & PIN switch over (with TV/radio adverts, posters etc. telling people the benefit of Chip & PIN) because of the huge fraud problem, which was costing card companies, retailers and customers 100s of millions a year, it just doesn't make sense not to use it!
      Personally I wouldn't be against using Chip & PIN online. My bank could supply a card reader for under £10 (it doesn't have to, I already carry one for VPN access to the office), and then if I want to log in to my account, I just put the credit/debit card in and enter the PIN (as long as the details are encrypted via SSL); you could even add another factor such as a username or password.
      Having said this, the bank I have a joint account with my partner with seems to just want to strip functionality out of the accounts, in an attempt to stop fraud. I already have to enter a 10 digit user id, then a passcode, then select letters from a password, just to log in. But if I want to transfer money to a new payee, I can't do it online; I have to phone them and ask them to set up a new payee. On top of that they have put limits on all transfers, so I can only transfer £1000 at a time to anyone.
      I work in IT security, and I've found that you can't replace poor security with lack of functionality, otherwise you just end up p*ssing off the end user. What is needed is a balance between functionality & security.
      Suffice to say, we're now looking at closing our account and moving to another bank!
  • Credit & Debit Card Security

    The amount of posts to your article tells me what the real problem is. People do not care until it happens to them and sometimes the banks do not act when informed of a breach.

    The first time my account was used illegally, the charge showed up in the pending file on a Friday before a Monday holiday. I went to the bank on the following Tuesday morning and talked to them about it. By that time they knew who the charge was from. I told them not to pay it but they paid it anyway. Then I started getting charges daily for small amounts like $20 or $30 and a lot of $1 charges also. I notified the bank every day for about 3 weeks about what was going on and they just kept putting the charges through. I think they were greedy for the $30 bucks they charged me each time there was an overdraw. Finally one of the merchants questioned the charges' legitimacy. My account went over $2000 but I did get a refund of all charges.
  • Do you have any idea what's involved with adding another factor of I.D.?

    I do. I work for a large credit union and we are pursuing multi-factor authentication for our on-line banking service. Like most financial institutions, we did not write the software for our system, but bought it from a third party and paid beaucoup bucks to have it modified to fit our existing systems. To have this same vendor add the required code for *any* additional authentication will cost at least twice what we paid for the system originally. Not to mention that the vendor has no current code for this, but will have to write new code for whatever form of additional ID we request. (Which means an extended period of debugging.) Then there is the problem of the cost of whatever we have to give to our members (fobs, cards, etc.) to perform this additional identification. That's all the technology side. What about the member? Generally, they do NOT want to have to enter yet another code, password, PIN, etc. The convenience factor is totally on the consumer side, as they don't want any complications. They also don't want us to lower the amount of interest we're paying on their savings accounts, nor increase the interest rates on mortgages and loans to pay for this. A bank would have even larger customer problems, because they have to pay dividends to their stockholders.

    So, before you decide that "banks" are dragging their tails to implement this new-fangled authorization technique, check with someone on the implementation end first to get the other side of the story, please. We're stuck in the middle.

    Larry Fugate
    • Simpler Solution

      My work has a RAS gateway frontend to the actual system. The gateway prompts for user id and a generated password using my SafeWord Platinum PIN code generator. Once that passes, the gateway opens/hands off the session to the corporate network for regular authentication. It is not very intrusive and can be layered in front of your existing system with no modifications. Twice now, they have swapped the gateway and authentication tokens to put in a cheaper and easier system.

      As for the cost, well, the gateway is yours to shoulder (but again, it is not that high), however, you have an advertising edge that can draw customers when you tell people you are on the leading edge of security. The pin generator is not that expensive, and you could actually set it up as an opt in for your customers. They can choose to be more secure.

    • I sure do, as we are supporting CU Security

      Check out the OHVA OnhandID Smart Key and SoundPass software: www.ohvasecurity.com
      Simple to install, deploy, use, and it's inexpensive strong 2-factor designed for credit unions. There is a good article about the OnhandID Smart Key in the CU-Trends May 2006 edition:
    • Yes, try smarter contracting

      Larry's example is true of any technology engagement that is poorly contracted and managed. It has nothing to do with banking or security.

      The cost issues outlined should have been known up-front. Such a financial fiasco as described is a failure of IT management to adequately prepare for the future of its system. The situation should be held as unacceptable by the corporation, the customers, and the government alike (though government projects I think have too often similar low levels of planning and management).

      If such sloppy work is characteristic of the banking industry (which I choose to doubt), then there is yet a different problem altogether: the ineptness of bank IT. But it only takes a few of such botched implementations to run things afoul for all of us.
    • You decided to be in the middle...

      You want us to understand the bank industry for being so lazy and sloppy implementing security options. But what you are showing us is that you paid big bucks for software that is not secure enough or doesn't provide enough customizable security options.

      Next time pay smarter, not higher.

      So, maybe I should understand that it's not the whole bank that is the problem, but only the banks' IT departments.

    • Quietly praying that some other IT fool.....

      will be the first to have a catastrophic loss, thus driving the gov't to force a secure system on everyone, which means you don't have to justify keeping your members' money and ID safe.
  • alternate secured payment systems

    Here in France we have used smart cards (with an encryption chip) for nearly 20 years, and online banking is never automatic but has to be requested specifically by bank customers, who will get their access keys only through anonymized snail mail.

    I have not seen any magnetic tape reader for years (the devices that have one use it only for foreign cards that don't have a chip, and transactions cannot be performed without a prior verification using a system that federates all information from Visa, MasterCard, Amex, and other issuers of credit cards).

    All credit cards can be deactivated in a matter of minutes, thanks to the national system that federates and protects all French customers.

    But the most important thing is that the French are used to not trusting any direct online communication from a bank; they trust the snail mail or documents they get in the street agencies, and the physical presence of these banks is the most important aspect of the trust people can have.

    Banks also propose systems that allow performing online transactions without revealing the credit card number.

    But the best thing to protect customers is that shops are partly responsible for the fraudulent transactions they have accepted. That's why they subscribe to serious providers of credit card processing systems, or pay insurance costs on all transactions, so the resellers are trained to use all possible verifications.

    Also, no French bank sends any alert by email for operations made on customers' accounts. When they need to communicate urgently with customers, they phone them and request users to send normal snail mail or to make an appointment so that the customers will complete what is needed for their account management.

    The systems currently used by eBay, PayPal, and most American banks that we can see here don't apply in France, even when these banks are represented in France. The Internet is not the place for asking any private data of bank account owners, or to (re)activate online operations; if US customers learned to reject such insecure ways of asking verification data online, phishing would disappear, and with it one of the most important risks that all users worldwide are now experiencing.

    Thankfully, we are protected in France by the fact that most phishing really uses the incorrect language, or incorrect bank logos, or old trademarks, and contains so many errors that it is easy to see that these viral/phishing spams are just lying (a recent example is the new Mytob viral variant that pretends to come from the user's ISP, but forgets to include the correct logo or trademark, uses the wrong language, contains lots of typos, and asks to open a file for further information when all that should be present in the email would be to call the ISP support by phone; and the mail asks for information that was never wanted when the subscription was initiated).

    Yes, forget magnetic bank/credit cards and learn to use only smart cards that make copying stolen credit cards or building fake cards really difficult. Learn to bring with you only bank cards that limit the total amount of transactions that can be performed in a week. Use several cards, and bring only one when you go outside.
    Refuse to go in shops that only have a magnetic tape reader and not the chip reader of smart cards.

    Ban all online shops that can deliver products through local shops if you're not at home, or require at least that the reseller indicates (prior to the sale) the location of this shop to get your product if you are not at home. Don't authorize delivery on locations you don't know, and claim your money if something is bought using your account but delivered in a place far from your home.

    If the product is delivered by a commercial postal service, make sure you know which service is used and if you can trust them.

    Campaign now for requesting that all delivery services allow you to designate a delivery location of your choice, with a certified identity and verified address.

    Campaign also so that online shops or even street shops will allow you to use the delivery services of your choice and only those. Other delivery systems should then progressively die, or would have to adapt and enhance their security.

    Learn also to verify your bank billing, and even for small amounts, go to the police so that they can trace and arrest the authors in the place where they are operating.

    And finally, all online shops that are asking for private data without being secured by a trusted certificate that really identifies them should be forbidden by law; they should be fully held responsible legally in case of abuse, and customers should be fully refundable by their bank immediately, and the banks (or an association of banks) will prosecute those non-compliant shops that are stealing private data insecurely (notably eBay/PayPal whose system is severely weak, as the only verification it does is the access to an email, something that is really insecure and defeated extremely frequently, 24/24 7/7 by billions of spams).

    Really, eBay and PayPal MUST change their system, so that NO money can be claimed from any account without performing first a true verification of the address (tip: send a snail mail, and have the user return a signed form, on a secured document that can't be reproduced, and increase the security by also asking account owners to send a check with a small and fully refundable amount, simply because checks are now much more secure than credit cards, especially for small amounts).

    Stop asking anything on the Internet which can't be verified.

    And add another idea:
    campaign for the creation of a very large nationwide database where bank account owners will register the acceptable delivery options for their bought products. Online shops could then use this database to make sure that the delivery will not occur in a place not wanted by the user. Ask to your local mall that you visit at least every week, that they implement a delivery place for your products bought online elsewhere.

    Ask to your bank that they stop opening all transaction types that you have not subscribed, even if you paid for an international credit card (Allow users to open and close the types of transactions at any time, for free, for example the authorized countries or authorized currencies for change operations, or maximum amount that can be paid without prior authorization).

    (Note: in France, all transactions about 15 to 60 euros, depending on credit card types, must be specifically authorized by a communication between the shop and the national verification system, prior to accepting a sale, and the verification is systematic for all bank/credit cards without the chip, but many shops simply don't accept those insecure cards, which require additional insurance paid by the shop for each credit card, unlike the single insurance paid for cards issued by ALL banks in France that have the "CB" logo that means that the card is protected by the nationwide system).

    Maybe the USA could adopt a similar CB system for their credit cards: campaign so that Visa, MasterCard, AmEx and Diners will adopt this common nationwide system in the US, like they already do in France with the French CB system (which requires using a smart card with an electronic chip) and in other European countries.
    • micropayment through your ISP

      For cable and DSL subscribers, the ISP knows that you are connected from your home, and so can perform a verification that the IP used to buy a product on some online shop is the one that will be authorized for making the payment to the shop. Micropayments are now possible in France on almost all major ISPs directly through their monthly ISP subscription billing; for transactions to be possible through this system, online shops must comply with severe verification procedures, which involve verifying the identity and contact addresses of the seller, and the signature by the seller of a contract with usage policies.

      This can be used to buy CDs/DVDs or music/film downloads, or subscribing to some online services. Such things are also possible with the mobile phone subscription billing, or with the wired phone bill.

      With most micropayments performed this way, users would no longer need to give their credit card info online most of the time, and only the most costly products or services would require it, and these should be performed only through services that can perform a prior serious verification (notably, no product would be sent and no payment performed physically before there's been this verification, which includes calling a service by phone from a verified phone number, returning a signed form to complete a certified subscription, or sending a traceable snail mail to the subscriber to check his physical address).

      Banks and large shops or malls need to invent solutions which require an action from the user, physically present in person, with an identity card, and then use these certified user/location to give some trust allowing transactions.

      Financial only transactions should really be forbidden between accounts that can't be traced back to a certified person or organization.

      And all these schemes should be monitored throughout the year by independent certification agencies that will see how those verification systems can be enhanced for better security.

      Other alternate systems: there's a bank in France from which you can request a temporary credit card number with an authorization key, that will remain valid only for a limited time and a limited amount of your choice for a single transaction. You use this temporary credit card number to buy products online, without ever revealing your true bank account number, or your credit card number, and even if these numbers are stolen, they will be immediately seen as fraudulent if used and opposed.

      Forget your Gold payment card, it's too dangerous to use outside or on the Internet. Use only limited cards, and claim to your banks only cards that can be limited, and possibly ask for multiple distinct credit cards that are protected and opposable separately.

      Most of the time, you will pay small amounts outside using cash, so get a credit card that can be used only through ATMs and not in any street or online shop. Please ask banks to allow you to fix the maximum amount authorized per day or per week. If amounts are limited, then the risks are also limited, so the insurance costs are lowered, and those cards should be cheaper, and there would be much less fraud and theft (for now too many cards allow performing too expensive transactions without additional security).

      And why couldn't we have a secure USB key with the necessary chip provided by our bank to perform online transactions? Today there are USB connectors on any PC or Mac. We could use it only at home from a single ISP of our choice and not outdoors. It should be protected like credit/debit cards using a PIN and secured software approved by the bank. We would insert the USB key only during the time of the payment, and then would disconnect it, forbidding all further accesses. The USB key should also contain a button that needs to be pressed (to make it operable for about 2 minutes, and a LED to indicate that the USB key is ready to accept a transaction and to confirm a PIN), to protect the user if he forgets to disconnect the key from the USB connector after use. The interest of this solution: you don't need to buy and install a credit card reader, as all the electronics are on the small USB key. It will be as secure as a smart card plus PIN, except that it will have a different usage, specifically for online transactions. The key could have, like credit cards, a credit card number and a secure ID. But the benefit of that is that users could ask the bank to reject all online transactions performed with the credit card (that you use in street shops or ATMs) and to accept online transactions only from this separate USB device, which has a separate credit card number.
  • The solution

    Add this line to the legislation, you want to talk about the best minds snapping to attention to solve the problem fast.

    "Where identity theft/monetary loss occurs as a result of normal user authentication at a bank or financial institution's web services gateway, the financial institution is 100% liable for all costs associated with resolving all incurred costs including, but not limited to
    1) Financial restitution of lost money
    2) Credit cleanup costs
    3) Filing fees for all new documentation
    4) Lawyers' fees where applicable".

    They will have a working solution in weeks.

  • multi factor authentication

    For several years, at my previous employer, I carried a SecurID fob that changed every 60 seconds - this allowed me to get to my e-mail server ONLY. I found it neither disruptive nor inconvenient. It would be very nice if this were applied to banking or anything where personal info was sent.
    • SecureID good for closed networks

      SecurID is a very old token technology, good for a private network, not for online banking over the Internet. SecurID was just hacked at Citibank a couple of weeks ago because the access time open allows a hacker several minutes to log in behind the user, and it can be accessed using the last and current changing password, picked off by a keylogger. This is a known weakness with any time-synchronous type of token in which the user must type in the changing password.