AUTHENTICATION IN AN INTERNET ENVIRONMENT

1
AUTHENTICATION IN AN INTERNET ENVIRONMENT

• Dominick E. Nigro
• NCUA Information Systems
• Officer

2
Reason For Guidance

• Changes to Privacy and Security Regulations
• Increased Incidents of Identity Theft/Fraud
• Authentication Methods Contribute to Identity
  Theft/Fraud
• Authentication Technology Advances

3
Why Effective Authentication?

• Safeguard Member Information
• Reduce Fraud/Identity Theft
• Prevent Money Laundering and Terrorist Financing
• Promote Legal Enforceability of Electronic
  Agreements and Transactions
• Reduce Risk of Business with Unauthorized
  Individuals

4
What does NCUA expect?

• Assess the Authentication Risks associated with
  Internet Based Services
• Assess effectiveness of Authentication
  Methodology
• Implement/Review program to Monitor Systems
• Determine reporting policies/procedures in place
  if Unauthorized Access occurs
• Evaluate Member Awareness Program

5
Authentication Risk Assessment

• Identify all Access and Transactions associated
  with Internet-based products and services
• Determine if Internet Based Services provide High
  Risk Transactions
• Identify Authentication Methods used for Internet
  Based Services
• Determine effectiveness of Authentication Methods
  for High Risk Transactions

6
Member Account Authentication

• If Risk Assessment identifies inadequate
  Authentication for High Risk Transactions
• Multifactor Authentication
• Layered Security
• Other Controls

7
Authentication Methods

• Multifactor Authentication
• Something the user knows (pin/password)
• Something the user has (smart card/token)
• Something a user is (biometrics, fingerprint)

8
Authentication Methods

• Layered Security Multiple controls and multiple
  control points
• Other Controls Technology and controls that are
  emerging or that may be introduced in the future

9
Monitoring Systems

• Detection of Unauthorized Access
• Implement Audit procedures which
• Assist in detection of fraud
• Money laundering
• Compromised passwords
• Other unauthorized activities

10
Reporting Requirements

• Unauthorized Access Requires Notifying
• Management
• NCUA Regional Director
• Appropriate Law Enforcement
• Filing Suspicious Activity Report
• Member Notification
• Appendix B of Part 748 of NCUA RR

11
Member Awareness Programs

• Key to reduce Fraud and Identity Theft
• Implement/Revise Member Awareness Program
• Evaluate Education efforts
• Identify additional efforts

12
Conclusion

• Assess Risk of Internet-based products and
  services
• Establish effective Authentication methods
• Monitor systems for Unauthorized Access
• Report Unauthorized Access
• Notify Members of Unauthorized Access, if
  warranted
• Educate members
• Complete process by Year-end 2006