CreditUnionMagazine.com
CUNA: Credit Union National Association

How To Keep Ahead Of FFIEC Mandates

By Vance Bjorn

  • Passé password burdens
  • Token and smart card concerns
  • Biometric options


    Online banking has increased 47% during the past two years, making it the fastest-growing Internet activity, according to a new survey by the Pew Internet & American Life Project. With that growth comes the prevalence of online fraud—scams such as identity theft, phishing, and pharming, which plague credit unions and their members.

    That's why the Federal Financial Institutions Examination Council (FFIEC) in November 2005 issued a mandate that financial institutions adopt new, secondary secure-identification technology--often termed two-factor or multi-factor authentication--by year's end. Fraud scams as well as general privacy issues surrounding financial account access exist because passwords, tokens, and smart cards have become burdensome, costly, and unreliable. However, they still remain the most pervasive authentication tools used.

    Some progressive credit unions rely on technologies such as biometrics that integrate and adapt to the evolution of online banking as well as other security-conscious environments. Biometrics coupled with legacy security methods adheres to the FFIEC mandate while assuring members their information is secure.

    Passé password burdens

    Passwords are even less secure today than when first adopted, despite more stringent rules such as expiration dates and size and character requirements. Employees often are required to change and acquire new passwords for every new or existing application they access. Constantly having to change passwords increases the likelihood employees will forget them.

    In addition, multiple users often share one computer, which can create issues in accessing information that the user is authorized to view. Other inherent flaws are:

    1) Passwords that are easy to guess;
    2) One password used for multiple applications (when someone cracks the code, several doors open);
    3) Shared passwords, which certain individuals can compromise; and
    4) Long passwords, which are difficult to crack, can be difficult to remember.

    As a result, the cost of managing password-based security represents an increasing burden for many credit unions offering online banking.

    These concerns lead some credit unions to search for simpler, more reliable, and cost-effective solutions. The solution most companies turn to is multi-factor authentication. This requires an additional layer of security, and at least a second or even a third form of identification. It also complies with FFIEC recommendations. According to an October 2005 Gartner report, about 65% of all U.S. banks will use transaction anomaly detection and user profiling systems by the end of 2010.

    Token and smart card concerns

    Several two-factor authentication solutions exist, including tokens and smart cards. These solutions typically authenticate users based on two factors: knowledge and possession.

    That means users must have both the device and a personal identification number (PIN), or password, to unlock a device. Companies looking for strong multi-factor authentication solutions often will use a token or smart card in addition to a password to authenticate users. Increasing the number of required credentials (factors) is a broadly accepted method of increasing security.

    Token and smart card password-based authentication solutions, however, require a large upfront and ongoing cost to operate. They typically require maintaining a private key infrastructure, which users often forget. Traditional strong authentication solutions also don't support all applications and don't tightly integrate into the native network directory and management infrastructure. These issues have limited the deployment of token and smart card authentication products only to users who require secure remote access.

    Biometric options

    One of the leading alternatives credit unions adopt for multi-factor authentication is biometrics, specifically fingerprint-based authentication. This method avoids many of the security issues discussed. For example, fingerprints are less susceptible to human error. You can't "guess" them, or share them. And users don’t have to think up a "strong" fingerprint, so the security of the metric isn’t dependent on human effort.

    Unlike tokens and smart cards, people can't "forget" their fingerprints—eliminating a common source of calls to the credit union's help desk. As biometrics technologies use a physical characteristic instead of something employees must remember or carry around, they’re convenient and less susceptible to misuse.

    Fingerprint-based authentication creates a more secure environment by requiring users to prove who they are in the most natural and convenient way. An individual’s fingerprint is mapped to their credentials on a server that tracks and maps their identities to their applications. The whole fingerprint-based authentication process is more convenient, more reliable, and less costly. Fingerprint-based authentication solutions also are much more secure and allow credit unions to meet FFIEC recommendations easily. Mountain America Credit Union, West Jordan, Utah, is one of many financial institutions that have embraced fingerprint-based authentication.


    Vance Bjorn is chief technology officer and co-founder for Digital Persona Inc., Redwood City, Calif. Contact him at 877-378-2738.

     

    Copyright © 2008 - Credit Union National Association, Inc.