Security, Compliance, and the Costs… Oh My! – Part Deux

by Tripp Johnson

Two of my favorite words are demystify and lucid.  According to The American Heritage® Dictionary of the English Language, Fourth Edition, demystify means to make less mysterious or remove the mystery from.  Lucid is defined as easily understood or intelligible.  

The FFIEC guidance from Oct. 12, 2005, Authentication in an Internet Banking Environment, has yet to be demystified or achieve even a remote status of lucidity. 

Clarity on the horizon? 
On Friday, December 2, 2005 more than 100 BITS Financial Services Roundtable members and senior officials from four of the agencies (FDIC, Federal Reserve Board, Office of Thrift Supervision and the Office of the Comptroller of the Currency) involved in drafting this now infamous guidance participated in a conference call.  Truth be told, no GonzoBankers were invited to this call; our legal team, headed up by Señor Hodge, is demanding answers to how such an injustice could have occurred.  Nevertheless, our Gonzo intelligence team uncovered a highlights document from this conference call. We feel it is our duty to inform our loyal constituents about some of FFIEC’s clarifying responses. Included with the following responses are questions and/or comments Gonzo would have asked or made if ….well you know.

• The guidance applies to both Internet banking and electronic banking.  The guidance states, “although this guidance is focused on the risks and risk management techniques associated with the Internet delivery channel, the principles are applicable to all forms of electronic banking activities.”  (Hell, guys, why couldn’t you just come right out and say that in the first place?  Oh, by the way, does electronic banking include the IVR?)
• The agencies will not endorse a specific scenario (e.g. challenge questions, etc.) but generally, additional control points beyond the use of an ID and static password would meet the objectives of the guidance.  (So, simply asking for a customer’s mother’s maiden name or favorite color after logging in might suffice?)
• The FFIEC agencies do not have an approved list of vendors or authentication techniques or endorse products or services. The FFIEC agencies are “technology neutral.”  (Vendor PR machines listen up:  none of your solutions are “approved,” so anyone the GonzoNation hears claiming to be approved by the FFIEC will be captured and receive a thousand lashes with a cat o’ nine tails.) 
• The guidance is risk-based and it is not technology specific.  Examiners will evaluate the authentication practices in light of the financial institution’s risk assessment. (Risk assessment – you mean we were supposed to conduct one of those? I thought we could just pawn the responsibility off to our Internet-banking vendor and wash our hands of this matter.) I must say, friends, this was one of the more enlightening statements, because how many of us have actually conducted and documented our electronic banking risk assessment.  My guess – not too many.  So what does the FFIEC want to see in this risk assessment? 
  • Identify all transactions and levels of access associated with Internet based customer products and services;
  • Identify and assess the risk mitigation techniques, including authentication methodologies, employed for each transaction type and level of access; and
  • Include the ability to gauge the effectiveness of risk mitigation techniques for current and changing risk factors for each transaction type and level of access.  

• The guidance does not specifically require financial institutions to have two-factor authentication.  (Bingo! Yahtzee! Lemme see… the best way to phrase this… I TOLD YOU SO!)

This last statement was by far my favorite of the 51 questions answered:

 

 

• The FFIEC agencies are constantly communicating with examiners to ensure a consistent approach in interpretation of the guidance. However, the agencies recognize that from time to time there may be differences in opinion among agencies. The agencies will try to resolve these differences as quickly as possible.

 

What this means, of course, is that there will be no consistency in how examinations are conducted because each FFIEC agency will have its own interpretation of the guidance. I feel better already.

GonzoBankers, let’s get serious for a moment.  Why are we having such a difficult time with this one FFIEC guidance?  It is not as if we haven’t had to comply with other guidelines in the past.  Maybe it is the Internet factor and we just are not sure where to start.  Or maybe it has been all the noise from a few PR-driven vendors scaring the hell out of us then quickly proclaiming, “We have your silver bullet.” Or possibly it’s because (as pointed out above) even FFIEC isn’t sure what it is looking for.  My guess is it’s a little bit of all of that plus a whole lot more. 

View the Internet like a new branch
For just a moment, let’s forget about the FFIEC guidance and think about building a new branch.

When you build a new branch, is your only security measure a lock on the front door?  Besides the lock on the front door, at most branches you employ some if not all of the following:

• Security guard
• Security cameras – lots of them: in the parking lot, at the ATM, inside the lobby, behind the tellers, outside the vaults, etc.
• Locks on all the cash drawers
• Locking combinations to the cash dispensers
• User name and passwords for just about every transaction a teller needs to make, plus the supervisor override passwords necessary when the transaction amount exceeds a certain teller’s limit

Hopefully you are starting to get the picture.  The Internet channel has matured; consequently, the potential risks and threats have also matured. Therefore, it is time we begin to view our online banking, oops, electronic banking security just as we do all other forms of bank security – a little more thought and some big picture thinking can go a long way.  That said, why not start by doing a risk assessment.  Novel idea, huh? 

You may actually find that you don’t need to do anything because the functionality offered via your electronic banking is deemed by the bank to be low risk.  On the other hand, you may find the results of your risk assessment warrant you update your resume because it is only a matter of time before the contents of the vault are electronically transferred via the Internet to some remote island off the coast of Greenland.  Or maybe you consider your job is done because you jumped on the bandwagon and changed the lock on the Internet front door.  Possibly, but what happens if that lock is picked?  Will you even know it happened?  If it is picked, what will you do about it once the fraud and theft have occurred?

Spotlighting some lesser known solutions
There are a few vendors who seem to be hogging all the press these days surrounding this particular FFIEC guidance: RSA Security (proud owner of Cyota and recently Passmark), Corillian and Digital Insight.  In the spirit of Gonzo we feel it is appropriate to highlight some other solutions that you may not have heard of because they don’t have the PR mechanics of some of these folks.  That said, here is where the disclaimer comes in: Cornerstone Advisors and GonzoBanker do not endorse any of the following vendors, nor do we recommend their solutions.

Following Part 1 of this series I received a dozen or so calls from vendors wanting to demo their solutions to me.  Believe it or not, I agreed to about half of them and decided to simply point out three companies that I believe stood out from the pack.  Each company chosen does more than just change the lock, so to speak, on your electronic banking front door – not that changing the lock won’t work for your bank.  Okay, enough legal disclaimer stuff.

Cydelity
Founded: September 2003
Headquarters: Santa Clara, CA
Employees: 25

Cydelity maintains its solution offers the only integrated login authentication and transaction monitoring solution to detect, isolate and prevent online fraud. Cydelity’s solution is non-intrusive; behind the scene it monitors and validates all online banking traffic in real time.  Cydelity’s Web site outlines the six levels covered by its multi-factor advanced analytics and behavior modeling security solution.

Key differentiators from other well-known vendors as described by Cydelity during our briefing:

• Individual bank and consumer behavioral profiling
• No application engineering
• Response based on individual activity
• Real-time detection and prevention
• Adapts to any environment
• Transactional integrity
• Addresses full fraud cycle
• Access – transactions
• Passive – no point of failure
• Fully functional – out of the box
• Real-time detection and notification
• Rapid deployment

The last thing Cydelity wanted me to know was that its first step in any engagement is performing a risk assessment. 

iovation 
Founded:  2004 (the iovation technology has been running in production environments since 2002)
Headquarters:  Portland, OR
Employees:  30
Clients:  First Financial Equities, Citadel Commerce, Navaho Networks, UltimateBet.com, Bodog.com, FullTilt.com, AbsolutePoker.com

Iovation’s mantra is, “Reputation is everything.”  When iovation speaks of reputation, it is usually referring to the reputation of a device.  Iovation pioneered a device recognition and reputation technology called Device Reputation Intelligence (DRI), which it explained consists of two core elements:

• DevicePrint, which uniquely identifies a customer’s device
• Device Reputation Authority (DRA), a central repository for device-to-account associations

I prefer to see things in pictures, so iovation gave me permission to reprint the following:

 

In Gonzo speak, iovation builds and tracks reputations for individual devices then stores those reputations in a giant repository.  I guess iovation to devices is kind of like Santa Claus – who knows if you’ve been good or bad.  Iovation’s list may not be as large as Santa’s; at the moment the company states it is tracking more than 2 million devices connected to the Internet and processing well over 100 million device recognition and reputations annually. 

The 41st Parameter
Founded:  March 2004
Headquarters:  Scottsdale, AZ
Employees: 22
Clients:  American Express, Neiman Marcus, 2Checkout.com, Digital River, Abebooks

41st Parameter describes its solution as covert and near real-time, offering the following market solutions:

The company’s ImageMask solution is the first I have seen that addresses online check fraud.  To see how this product works, click here.

During our conversation, 41st Parameter highlighted the following attributes of its market solutions:

PhishingNet provides account login and activity monitoring for banks.

• Differentiates legitimate versus fraudulent users
• Transparent to users
• Transparent PC Fingerprint
• No integration
• No interface

FraudNet authenticates purchases for merchants.

• EZKeys
• TimeDiff linking
• Over 256 algorithms
• Increased sales
• Reduced chargebacks
• Reduced false positives

The company summarized its approach with the following:

• “Zero Imposition”
• 100% coverage
• No customer training or added call-center costs
• High detection rate and minimal false positives
• Equally effective against fraudulent logins that do not involve transactions
• Detects man-in-the-middle attacks

GonzoBankers, there are numerous security solutions that will allegedly meet the FFIEC compliance guidelines, but just meeting the guidelines will not make the issue of security and electronic banking threats disappear. The problem will continue to grow, that I can promise.  In highlighting the aforementioned vendors, I wanted to point out that some solutions can quickly assist you in changing the lock on the front door of your Internet bank. Others go well beyond just being locksmiths.

In the immortal words of Dylan Thomas:  “Do not go gentle into that good night.”

Next time,
-tj

Read parts 1 and 3 of this series:
Security, Compliance, and the Costs….Oh My!
“Stupid Is As Stupid Does” — Security, Compliance and the Costs… Oh My! The Last Chapter