MDGFOA Electronic Banking Authentication Update - PowerPoint PPT Presentation
1
MDGFOA Electronic Banking Authentication Update
  • Gregory E. Weddell, CTP, AAP
  • Group Vice President
  • Commercial Banking Solutions Group
  • April 20, 2007

2
Welcome
  • Agenda
  • Background
  • FFIEC Guidance
  • Authentication Options
  • Actions Being Taken to Meet Guidance
  • Questions

3
Background
  • News Flash: Bad people will try to take
    advantage of you on the Internet
  • Washington Post has 26 articles in the past 30
    days that reference Phishing; USA Today 15
  • Examples
  • Taking the Bait On a Phish Scam: Job Seekers Are
    Targets, Victims of Sophisticated Ploy
  • FTC: Identity Theft Remains Top Consumer
    Complaint
  • Microsoft Targets Phishers; IE 7 Still Not Safe
    Enough
  • Banks pull out the big guns to protect online
    users
  • Most computer attacks originate in U.S.
  • PayPal to offer password key fobs to users
  • Internet fraud has shaken the public's confidence in
    Internet Banking (see handout)

4
Phishing Phacts
  • An estimated 59 million phishing e-mails are sent
    each day.
  • About 1 in 6 are opened.
  • In 2006, about 109 million U.S. adults received
    phishing e-mail attacks, compared with 57 million
    in 2004.
  • The average loss per victim in 2006 was $1,244,
    compared with $257 in 2004.
  • Victims recovered an average of 54 percent of
    their losses in 2006, compared with 80 percent in
    2004. Source: Washington Post, 2/10/2007

5
Phishing
  • Phishing is a criminal activity using social
    engineering techniques and technical subterfuge.
    Phishers attempt to fraudulently acquire
    sensitive information, such as passwords and
    credit card details, by masquerading as a
    trustworthy person or business in an electronic
    communication. Technical subterfuge schemes plant
    crimeware onto PCs to steal credentials directly,
    often using Trojan keylogger spyware.
  • Source: Wikipedia, APWG

6
Phishing Phacts
  • Crimeware-spreading websites detected in February
    shattered the previous record in June 2006 by 6
    percent. Source: Anti-Phishing Working Group

7
Pharming
  • Pharming is a hacker's attack aiming to redirect
    a website's traffic to another (bogus) website.
    Pharming can be conducted either by changing the
    hosts file on a victim's computer or by
    exploitation of a vulnerability in DNS server
    software.
  • Source: Wikipedia

8
Keystroke Logging
  • Keystroke logging (often called keylogging) is a
    diagnostic used in software development that
    captures the user's keystrokes. Keystroke logging
    can be achieved by both hardware and software
    means. It can be useful to determine sources of
    error in computer systems and is sometimes used
    to measure employee productivity on certain
    clerical tasks. Such systems are also highly
    useful for law enforcement and espionage; for
    instance, providing a means to obtain passwords
    or encryption keys and thus bypassing other
    security measures. However, keyloggers are widely
    available on the internet and can be used by
    anyone for the same purposes.
  • Source: Wikipedia

9
FFIEC Guidance
  • FFIEC issued Guidance in October 2005 and an
    update in August 2006 stating:
  • "The agencies consider single-factor
    authentication, as the only control mechanism, to
    be inadequate for high-risk transactions
    involving access to customer information or the
    movement of funds to other parties."
  • The Federal Financial Institutions Examination
    Council is an interagency body set up to prescribe
    policies, standards, and report forms for the
    examination of financial institutions by the Board
    of Governors of the Federal Reserve Board, the
    Federal Deposit Insurance Corporation, National
    Credit Union Administration, the Office of the
    Comptroller of the Currency, and the Office of Thrift
    Supervision.

10
FFIEC Says..
  • Single-factor authentication is inadequate for
    access to high-risk transactions.
  • Single-factor authentication = user ID + password
  • High-risk transaction = access to customer
    information
  • Authentication should be appropriate to the
    risks.
  • Where insufficient, banks should implement
    multi-factor authentication, layered security or
    other controls reasonably calculated to mitigate
    risks

11
Background
  • Authentication Techniques
    • Multi-Factor Authentication
      • Something you know
      • Something you have (e.g. ATM Card, Token, PC)
      • Something you are (e.g. fingerprint, facial scan,
        retina scan)
    • Layered Security
      • Multiple Single-Factor Authentication (e.g.
        second password, SiteKey pictures)
      • Out of Band Authentication
      • IP Address Location and Geo-location

12
FFIEC Says..
  • Banks needed to complete Risk Assessment and
    implement risk mitigation activities by end of
    2006.
  • Timing
  • Q-1- What do the Agencies expect institutions to
    have accomplished by year-end 2006?
  • A-1- The Agencies expect that institutions will
    complete the risk assessment and will implement
    risk mitigation activities by year-end 2006. The
    Agencies are not considering any general
    extension of the timing associated with this
    guidance.
  • - FFIEC Guidance FAQ, August 2006

13
Actions Being Taken
  • Many banks were already looking to improve
    authentication or had already done so.
  • Some already had heightened authentication
  • Example: Chevy Chase Bank requires use of hard
    tokens for Wire Release, an example of
    authentication equal to the risk
  • Some quick solutions in place
  • Example: Bank of America's SiteKey service on
    consumer web site
  • All must have Risk Assessment complete and
    actions to implement taken

14
Actions Being Taken
  • Why not just have the fix in place?
  • Few integrated vendor solutions were available
    when Guidance was issued
  • Q-2- What if the financial institution or its
    technology service provider cannot implement a
    solution by year-end 2006?
  • A-2- The Agencies' examiners will assess the
    adequacy of each financial institution's
    authentication controls on a case-by-case basis.
  • - FFIEC Guidance FAQ, August 2006

15
Actions Being Taken
  • Why not just implement what is available?
  • Banks seek to mitigate risk while not alienating
    customers
  • Example of Actions Taken - Chevy Chase Online
    Access, adding in June 2007:
  • RSA Cyota eSphinx risk-based authentication: IP
    and Geo-location, behavior observation and
    out-of-band challenges
  • Migrate from RSA SecurID tokens for Wire Release
    to RSA GoID for Wire and ACH Release
  • GoID will allow use of token at all participating
    Financial Institutions
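As an added illustration (not code from the presentation, Chevy Chase Bank, or any vendor named above), the step-up policy slides 10, 11 and 15 describe can be written as one decision function: a password alone is enough for low-risk actions, high-risk actions such as Wire or ACH Release always require a possession factor, and anomalous context (unknown device, IP geolocation away from the customer's home country) adds an out-of-band challenge. The field names, weights and threshold are assumptions.

```python
from dataclasses import dataclass

# Actions the FFIEC guidance treats as high-risk: a single factor alone is inadequate.
HIGH_RISK_ACTIONS = {"wire_release", "ach_release", "view_customer_info"}

# Assumed scoring weights and threshold for the layered-security signals (not from the deck).
UNKNOWN_DEVICE_WEIGHT = 2
FOREIGN_IP_WEIGHT = 3
OOB_THRESHOLD = 3


@dataclass
class SessionContext:
    """Constructed view of one login/transaction attempt (assumed field names)."""
    action: str
    password_ok: bool          # something you know
    device_known: bool         # a prior device fingerprint exists for this customer
    ip_country: str            # geolocated from the client IP address
    home_country: str          # country on the customer's profile
    token_ok: bool = False     # something you have: hard-token code verified
    oob_ok: bool = False       # out-of-band challenge (e.g. phone callback) passed


def context_score(ctx: SessionContext) -> int:
    """Score the session against the IP/geo-location and device-history signals."""
    score = 0
    if not ctx.device_known:
        score += UNKNOWN_DEVICE_WEIGHT
    if ctx.ip_country != ctx.home_country:
        score += FOREIGN_IP_WEIGHT
    return score


def decide(ctx: SessionContext) -> str:
    """Return 'deny', 'allow', or 'step_up:<factors>' naming what is still required."""
    if not ctx.password_ok:
        return "deny"  # first factor failed; no other signal is consulted
    needed = []
    # High-risk transactions always need a second factor, whatever the context looks like.
    if ctx.action in HIGH_RISK_ACTIONS and not ctx.token_ok:
        needed.append("token")
    # Anomalous context adds an out-of-band challenge on top of whatever else applies.
    if context_score(ctx) >= OOB_THRESHOLD and not ctx.oob_ok:
        needed.append("oob")
    return "allow" if not needed else "step_up:" + "+".join(needed)
```

A real deployment would also log every step-up decision with its signals, since the FFIEC FAQ quoted above says examiners assess the adequacy of controls case by case.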

16
Actions Being Taken
  • Jonathan Eber, a senior product manager at ACI in
    Boston, said he's still seeing a spectrum of
    attitudes toward the FFIEC guidelines. ACI sells
    software and services for linking banks with
    corporate customers. About 35 percent of the
    banks that the company works with have "a sense
    of urgency about this," Eber said. "There is a
    middle part of the bell curve where people say,
    'I know I have to do it, but I'll be in
    compliance by ... next year.' And there are some
    who say, 'This doesn't apply to me at all.'"
  • - Will Banks Make Federal Web Security
    Deadline?, zdnet.com

17
Actions Being Taken
  • Ask your bank what they are doing to protect your
    personal and organization's funds

18
Questions?
  • Greg Weddell
  • 240-497-7788
  • geweddell_at_chevychasebank.net