User authentication has been getting a lot of attention lately, what with lingering threats of identity theft, a U.S. regulatory initiative to have banks and other depository institutions raise their level of customer validation technology, and the Securities and Exchange Commission looking closely at how the brokerage industry is handling the issue.
The technological solutions can be enticingly cool–password-generating tokens, digital signatures, smart cards, fingerprint or other biometric devices–but also expensive and cumbersome to install and administer, requiring considerable education of the market. And there are persistent forms of attacks, known as “man in the middle” and “man in the browser,” for which these countermeasures aren’t effective.
These deficiencies at the front end of the transaction have financial services companies looking to shore up security where they are in control–at the back end–where the watchword is, “Don’t intrude on the customer unnecessarily, and don’t intrude on the application unnecessarily,” says Avivah Litan, analyst with Stamford, Conn.-based Gartner.
With front-end approaches, financial companies are in a continuous arms race with hackers who are capable of staying a step ahead of technologies that can take a long time to roll out. According to a June survey by Deloitte & Touche of security officers at the world’s top 100 financial institutions, 78 percent confirmed a security breach from outside the organization this year, up from 26 percent in 2005.
Ted DeZabala, a principal in the security services group at Deloitte & Touche, says that phishing and pharming–attempts to lure consumers to illegitimate Web sites–were the dominant types of attacks, followed by spyware. Identity theft and account fraud, along with identity management, were among the top five security priorities for the financial firms surveyed.
“The extent and nature of these breaches signals a new reality for the global financial services industry,” says DeZabala. “Professional hackers and organized crime have entered the domain once ruled by script kiddies’ and one-off hackers. This shift means organizations not only face more sophisticated and hard-to-track attacks, but are also challenged by increased risk and potential loss.”
The hackers’ increased sophistication has led firms to take security initiatives that adapt quickly to changing threats. Typifying this recognition is a program by the Financial Services Technology Consortium (FSTC)–consisting of major financial institutions, vendors, trade groups and government representatives–to promote mutual authentication, in which the service provider and customer gain mutual assurance of each other’s legitimacy. The New York-based FSTC, led by former Citigroup technologist Dan Schutzer, takes a holistic view of the challenge, encompassing both online and off-line interactions, but online ID theft has clearly galvanized such responses. The FSTC has just launched a new phase of its project, titled Authenticating Financial Institutions to Consumers, aimed at evaluating and testing solutions under development in the technology and telecommunications sectors.
A Positive Return
“The best way to protect against attacks that you don’t even know exist yet is back-end protection,” says Gartner’s Litan. “It’s not going to catch 100 percent of the attacks, but it’s going to catch at least 98 percent. And if you get it to 98 percent, the 2 percent fraud that you’ll end up eating is lower than the cost of millions of tokens and consumer training.”
The credit card industry has already faced this issue, Litan says, and has focused on back-end fraud detection, which is easier and quicker to implement.
According to Litan, fewer than 20 percent of banks she surveyed recently are in compliance with new, stronger authentication guidelines promulgated by the umbrella regulatory agency, the Federal Financial Institutions Examination Council (FFIEC). Those guidelines emphasize two-factor authentication, in which the customer uses a security token or other method in addition to the standard password. Another survey, by Newport Beach, Calif. brokerage firm Roth Capital Partners, puts the compliant proportion at 16 percent.
At a least a third of large U.S. financial institutions won’t have advanced fraud detection and transaction monitoring in place by the end of the year, says Gwenn Bezard, an analyst at Boston-based Aite Group, based on a survey in August and September of 12 financial institutions among the top 50 banks and top 10 brokerages, serving a combined total of 19 million online banking and brokerage customers.
Half the respondents said they are facing or expect to face important technical or process integration challenges on their way to fraud detection and transaction monitoring. But that’s not necessarily slowing them down. Of the respondents, 92 percent had already selected a vendor, with EMC Corp.’s RSA Security leading the pack and Corillian Corp., VeriSign Corp., Bharosa and Entrust following, in that order.
A 67 percent majority “believe that the enhancement or deployment of fraud detection and transaction monitoring technology will be the primary factor in making the online channel more secure over the next five years,” Bezard reports. The remaining one-third of respondents “believe stronger authentication will be the primary factor.”
The best approach, Gartner’s Litan says, is to pick a vendor that has a good back-end fraud detection product and a range of front-end options for when the back-end system sends up a red flag. The July acquisition of Business Signatures by Addison, Texas-based information security company Entrust fills this need. “They have very satisfied customers on both sides,” remarks Litan.
Entrust offers front-end authentication as a wallet-sized number-grid card. Business Signatures has a fraud detection product that looks for suspicious patterns in data traffic between the consumer and the bank’s or brokerage’s Web site. According to Entrust CTO Chris Voice, it takes a company 10 to 12 weeks to be up and running with the Business Signatures system.
“There are very few options left at this point,” Voice adds. “Doing a proof of concept in days and deployment in weeks makes it possible to get to the finish lines set by regulators.” And several customers have already run the low-touch fraud detection system past regulators, and it passes muster for FFIEC compliance, he says.
In view of the Dec. 31 deadline, Entrust is offering “significant savings” to buyers of a front- and back-end bundle from the company, Voice says. In addition, the charge is a flat fee based on company size, rather than the typical per-user pricing model. “It’s very cost-effective for small organizations and very cost-effective for large organizations,” he adds.
H&R Block’s online brokerage has adopted the Business Signatures fraud detection system. Another 30 brokerages use the system through an application service provider–a form of outsourcing–says Peter Relan, the former Business Signatures CEO who is Entrust’s chief strategist.
Other firms taking a similar approach and relying on other vendors, notably RSA Security of Bedford, Mass., include E-Trade Financial and Charles Schwab & Co. But underscoring the challenges facing firms that are scrambling to get ahead of regulatory requirements, it doesn’t always make for a seamless transition, Litan notes. After Ameritrade Holding Corp. acquired TD Waterhouse USA earlier this year, Ameritrade upgraded security for the Waterhouse customers–and some of them were temporarily locked out of their accounts. “These upgrades have provided a significant improvement,” says TD Ameritrade spokesperson Kim Hillyer, adding that the problems were quickly addressed.