GonzoBankers, I seriously tried to avoid commenting on the recent FFIEC guidance for Authentication in an Internet Banking Environment. However, with the vendor community press release engine in full swing, I could no longer keep quiet. I know, I know, keeping our opinions to ourselves has never been our modus operandi here at Gonzo HQ…
On October 12 of last year, the Federal Financial Institutions Examination Council issued the following guidance with a year-end 2006 deadline:
The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.
I realize there was a lot more said but the aforementioned was the gist of it.
Now, where in the above language do you see the words “two-factor authentication”? You don’t! Nonetheless, from sea to shining sea, the vendor, IT, security, and compliance chatter is, “What are you going to do about implementing two-factor authentication?” And has anyone else noticed that the two-factor authentication conferences are springing up like wild daisies?
First Things First
The FFIEC guidance in no way, shape or form mandates two-factor authentication. Sure, it might allude to it, but to reiterate, the guidance states, “…financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.”
Many pundits and security gurus have deconstructed that sentence, pointing out just how loose the wording is. Therefore, the point I would like to make is a semantic one. Please use the words “multifactor,” “layered security,” or “other controls” instead of two-factor when referring to this FFIEC guidance.
Okay, now that I got that off of my chest, let’s get down to business.
Vendors Fuel the Fire
Exactly one month following the FFIEC memo, the good folks from Beaverton, Oregon, stepped up to the plate proclaiming, “First to Integrate FFIEC-Compliant Strong Authentication Solution into Online Banking Applications.” After reading this, my first thought was, “Damn, those guys move fast.” But then it occurred to me: how do they know they are compliant? To my knowledge, no more specific compliance checklist was issued with the FFIEC mandate. If one was and I simply missed it, I would appreciate someone out there sending me a copy. I won’t hold my breath.
The so-called multifactor authentication conferences many financial institution employees are running off to are nothing more than vendors showcasing their products as the silver-bullet solution. Unfortunately, more often than not, the product being demoed has yet to be installed in a financial institution, nor has it proven to scale in a live Internet banking environment. Nonetheless, our blind-lemming tendency as bankers is to purchase first then figure out how to deploy it.
Yep, the barn doors were blasted off the hinges, and corralling the cattle rush of security prodigies has been futile. Granted, not every financial institution drank the entire glass of Kool-Aid, but all took at least a swig, and Internet banking authentication compliance catapulted to the top of most banks’ project lists.
The Unfortunate Truth – Complying Ain’t Cheap
There are not many external forces that can light a fire under bankers, but Wal-Mart applying for a banking charter and the federal government issuing a mandate usually do the trick (stay tuned for the next Wal-Mart discussion).
I hope we all agree that financial institutions must improve their Internet banking authentication. Even if we don’t, we still have to do something by the end of this year.
To that point, financial institutions have several options:
You could also toss biometrics into this mix, but I don’t want to even consider the cost of rolling that technology out to 25,000 Internet banking customers. At least not in 2006 or 2007, 2008…
GonzoBankers, even though the feds issued the mandate, we bankers still have to foot the bill. The options listed above were among those included in a survey sponsored by virtual token provider Sestus Data Corporation, in which it compared the total cost of ownership for multifactor authentication alternatives based on a regional bank scenario with 25,000 Internet banking users.
1. Hardware Tokens
Implementation costs:

| Item | Cost |
|---|---|
| Server Infrastructure | $30,000 – $75,000 |
| Implementation Staffing | $3,800 – $8,000 |
| Vendor Support | $10,000 – $20,000 |
| Token Production | $161,000 – $1,200,000 |
| Token Distribution | $40,000 – $80,000 |
| Implementation time | 1 – 3 months |

Recurring costs:

| Item | Annual cost |
|---|---|
| Annual Licensing | $112,000 – $275,000 |
| Support & Administration | $100,000 – $200,000 |
| Token replacement based on 3% loss rate | $5,000 – $40,000 |
Hardware token vendors include but are not limited to: ActivCard, Aladdin Knowledge Systems, Authenex, Datakey, Griffin Technologies, TriCipher, RSA, Vasco and Verisign.
The total cost for implementing a hardware token solution for 25,000 Internet banking customers ranged from $641,000 to $2,400,000 for the first year, and $400,000 to $600,000 each year thereafter.
2. Software Solutions
Implementation costs:

| Item | Cost |
|---|---|
| Network infrastructure | $15,000 |
| Staffing | $3,000 |
| Vendor Support | $10,000 |
| Implementation time | Software has less implementation cost than hardware token solutions and in some cases can be implemented in four to six weeks. |

Recurring costs:

| Item | Annual cost |
|---|---|
| Annual Licensing | $15,000 – $50,000 |
| Support & Administration | $100,000 – $200,000 |
| Token replacement based on 3% loss rate | $5,000 – $40,000 |
Vendors offering a software solution include: 41st Parameter, Anakam, Authentify, Cavion, Cyota, Digital Resolve, PassMark Security, Secure Computing, Soltrus and Think Security.
The total cost of ownership for a software solution ranged from $358,000 to $1,100,000 for the first year, and $330,000 to $1,100,000 each year thereafter.
3. Homegrown Solutions
The survey pointed out that it is extremely difficult to quantify the total cost of homegrown solutions, and I would agree with that assessment. Bankers choosing to go down this path should document every detail of the solution, just in case the security programming guru decides not to show up for work one day.
Corillian released an in-house solution called Intelligent Authentication; S1 partnered with PassMark; Digital Insight formed an alliance with TriCipher; and Online Resources partnered with Cyota.
Words of Caution
Choosing the right solution for your bank and, more importantly, your customers is not a simple plug-and-play initiative. I am seeing many IT security folks charged with selecting, implementing and rolling out their company’s Internet banking multifactor authentication solution. Although I hold a special place in my heart for my IT brethren, they usually don’t pay attention to the end-user impact.
Don’t get me wrong, IT needs to be involved in this initiative, but this type of project is not a security issue per se. Any initiative where the end result has a direct impact on the customer should be led by the business, not by IT, compliance, risk management or security.
I understand that my business friends are probably cursing me at this point. Still, I make no apologies.
Final Thoughts
There is a common understanding among bankers that as long as we are in compliance, life is good. A passing grade is all we really want or need. Unfortunately, no one knows how we will be graded on the FFIEC mandate, at least not yet. It’s a helluva predicament, but it’s the hand we’ve been dealt. My biggest fear is that we implement any of the aforementioned multifactor solutions and consider that to be the endpoint. GonzoBankers, as you embark upon the FFIEC mandate journey, be ever mindful that Internet threats will never go away; they simply migrate or adapt to overcome the defenses we throw at them. What may be considered by some to be compliant by the end of this year might not be in 2007.
Now don’t we all feel much better?
May the force be with you…