> Regulation & Examinations
> Bank Examinations > Supervisory
Online Delivery of Banking Services: Making Consumers Feel Secure
Much media attention recently has been focused on identity theft. Some of this publicity may suggest the Internet has evolved from a trusted tool for conducting research and legitimate business transactions to a medium whereby consumers' sensitive personal information can be stolen and used for criminal purposes. Social Security and credit card numbers, as well as bank account access data (such as passwords), are examples of some of the most sought-after information, providing perpetrators of identify theft access to bank balances and credit lines.
Many insured financial institutions rely heavily on the Internet to reach their customers, offering a wide variety of online banking services. In some cases, this practice has allowed banks and thrifts to consider scaling back brick-and-mortar facilities and staff required to conduct face-to-face banking transactions. However, security and privacy issues loom large in the minds of Internet users (see Chart 1). If financial institutions are to retain existing customers and attract new ones, they must create an online banking experience in which customers feel secure and have confidence their assets and personal information will not be compromised.
Highlighting another area of concern to customers of financial institutions, the results of a survey conducted by the Gartner Group in June 20051 show "the number of phishing attack e-mail recipients grew 28 percent this year….These and other breaches are exacting a steep toll on consumer confidence and will inhibit three-year e-commerce growth rates by 1 percent to 3 percent."2 Issues concerning online users are highlighted in Chart 2, which emphasizes the level of concern about fraud and identity theft.
Concerns such as those identified in the Gartner Group survey and the high level of interest in preventing identity theft and safeguarding consumers' personal financial information prompted the FDIC to conduct its own study. The results of the study were released in mid-December 2004 in a publication entitled Putting an End to Account-Hijacking Identity Theft .3 The study has fostered debate among bankers, consumers, and regulators about how the risks posed by Internet-based financial services can be minimized. Following the publication of the study, the FDIC conducted several identity theft symposia featuring representatives from the banking industry, regulatory agencies, and consumer groups.4 Participants considered the implications of conducting business on the Internet and initiatives for enhancing Internet security. Discussion focused on the areas of consumer privacy and protections, maintaining trust in the financial services industry, and the potential burden on smaller insured institutions that rely on external Internet service providers.
The overarching sentiment expressed during the symposia is that the problem of identity theft is not going away anytime soon. Although consumer protections are becoming more effective, hackers are becoming more sophisticated as well. In addition, while consumers want tightened security, they often are not willing to pay for it either through increased fees or any loss of convenience.
Many symposia participants recognized the banking industry must do a better job of self-regulating, for example, strengthening standards requiring companies to notify consumers whose data may have been lost or stolen. Participants acknowledged banks must do everything possible to prevent high-profile security breaches, such as those at ChoicePoint, LexisNexis, and Bank of America. Should more of these incidents occur in the near term, the public may call for greater Federal government intervention, such as regulating where and how Social Security numbers are available on the Internet. Consumers also could be given the right to have their confidential information removed from computer systems of companies that have processed transactions for them or from systems maintained by data-brokering firms.
Another area of significant interest that emerged during the symposia relates to mitigating the level of risk inherent in conducting online transactions. Key questions posed during the symposia fall into four categories:
The following sections summarize the results of the FDIC study and key components of recently issued interagency guidance focusing on authentication5 in an Internet environment.
What Level of Authentication Is Appropriate?
The FDIC study finds that traditional passwords consumers use to access their bank accounts via the Internet are too easily compromised and no longer represent an effective means to authenticate users. Once an Internet thief steals a password through phishing e-mails or other techniques, the consumer's accounts and personal information are at risk.
The study suggests a risk-based approach to identifying specific weaknesses in an insured institution's Internet banking system. For example, if online customers can view only nonsensitive information and are unable to transfer funds, the risk of harm to the customer is lower and, consequently, a less robust authentication method would be appropriate. On the other hand, if customers can transfer funds to other parties, this higher-risk transaction requires strong authentication procedures.
Authentication is based on the use of one or more of the following:
The vast majority of Internet-based financial services rely on single-factor authentication, usually a password, for customers to access their accounts. If an institution relies only on single-factor authentication, transactions are relatively easily compromised and lack adequate protection for sensitive consumer information and funds. When a customer is tricked into disclosing a password, the thief could use the information to access the customer's accounts and potentially transfer funds.
A password combined with another form of authentication (i.e., two-factor authentication), such as an ATM card, provides much more reliable authentication. Multifactor authentication requires the user to supply at least one additional identification factor, such as a token-generated one-time password, USB token, smart card, or fingerprint.6 Without the additional factor(s), a thief would not possess all credentials required to gain access to a customer's account. Therefore, multifactor authentication provides a more secure defense against identity theft.
The study describes one-time-password tokens, USB tokens, device authentication, geo-location, biometrics, and several other authentication technologies. The study also sheds light on how institutions may decide what technologies are right for them. Certain technologies present unique challenges. For example, the use of biometrics may not be appropriate for large, geographically dispersed customer bases. Biometrics (e.g., finger prints, iris structure, and facial features) are better suited to a captive audience, such as employees of a business housed in a single building. Insured financial institutions considering an authentication strategy should assess portability, ease of customer use, cost, effectiveness, ease of implementation, and the maturity of the technology.
In addition to discussing the shortcomings of traditional password authentication, the study concludes that financial institutions should
Regulators Work Together to Issue Guidance
Building on the results of the study and issues highlighted during the identity theft symposia, the Federal Financial Institutions Examination Council7 (FFIEC) agencies issued guidance on October 12, 2005, entitled Authentication in an Internet Banking Environment .8 This guidance adopts the findings of the FDIC study relating to what constitutes effective customer authentication and recommends banks and thrifts offering Internet-based products and services use reliable and effective methods to authenticate customers' identities. The authentication techniques explored should be appropriate to the risks associated with the products and services. As discussed previously, single-factor password based authentication is inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. In these instances, insured institutions should use multifactor authentication, layered security,9 or other appropriate controls.10 Examiners may criticize institutions that have not properly mitigated risks identified in the assessment.
As insured financial institutions begin to assess their risks as outlined in the interagency authentication guidance, they should consider each type of transaction consumers can initiate online. The types of transactions may include the following:
The above transactions are ranked by level of risk (beginning with the lowest level) they represent to the institution and the customer. The first transaction allows access only to general bank information; customer information or bank accounts cannot be accessed. This transaction is considered relatively low risk and would not require strong access controls.
However, the last transaction, which allows an online customer to wire or transfer money to another party, should require more than a password to initiate. In this case the bank should require the customer to supply authentication credentials such as a one-time password token. This layered approach to authentication matches low-risk transactions with less robust solutions and higher-risk transactions with stronger solutions. Risks falling in the middle would be addressed according to the potential for compromise of sensitive data or assets.
Insured financial institutions must comply with the interagency authentication guidance by December 31, 2006. To do so, they should begin performing risk assessments as soon as possible and, based on the results of these assessments, implement stronger authentication strategies by year-end 2006.
The FDIC and the other bank regulatory agencies are aware of the time and effort required to comply with the new authentication guidance. However, compliance with this guidance will help ensure that customers continue using an Internet delivery channel in which many banks and thrifts have invested a significant amount of capital.
Robert D. Lee
During the past couple of years, a number of banks and technology service providers have implemented multifactor authentication products for Internet-based financial services. For example, E-bank, a large thrift, piloted a one-time password token program for its commercial customers during 2004 and has now made the tokens available to all its Internet banking customers. Bank of America recently implemented new software-based authentication technologies that provide its 13 million Internet banking customers with another authentication factor.11 Multifactor authentication represents an effective strategy for protecting customers' funds and sensitive information, in addition to promoting confidence in Internet-based financial services.
Consumer education also is an effective deterrent to Internet theft and fraud. Many financial institutions disseminate brochures offering tips about avoiding scams and suggesting steps customers should take if they believe they have become victims. Consumers also are urged to use regularly updated antivirus software, firewalls, anti-spyware, and other tools to avoid having their personal information compromised.
2 The common phishing scenario is sending a fake e-mail (e-mail spoofing) purporting to come from a legitimate source and requesting information (such as a bank account number and password) or directing the victim to a fake Internet site where this information can be captured.
3 Federal Deposit Insurance Corporation, Putting an End to Account-Hijacking Identity Theft (December 14, 2004). A supplement to the study was released in June 2005. For purposes of this article, the results of the study and the supplement will be discussed as the results of the "study."
5 The process of identifying an individual traditionally based on a username and password. In security systems, authentication is distinct from authorization, the process of giving individuals access to system objects based on their identity. Authentication merely ensures the individual is who he or she claims to be, but says nothing about the individual's access rights.
6 Tokens are small portable devices attached to a key ring carried by bank customers. One-time-password (OTP) tokens contain a small screen displaying several numbers. The token generates a random number every minute or so, which the customer enters into the online banking application. The financial institution receives the entered number and compares it with its records. A correctly entered number authenticates the customer and allows access. USB (universal serial bus) tokens, which can be plugged into the USB port of a bank customer's computer, contain unique identifying information that authenticates the customer.
7 The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the Federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the FDIC, the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS) and to make recommendations to promote uniformity in the supervision of financial institutions.
8 See FIL-103-2005 : Financial Institution Letter "Authentication in an Internet Banking Environment" (October 12, 2005).
9 Layered security refers to the layers of risk, from low to high, as well as the layers of authentication implemented, from weak to strong. Layers of authentication processes are matched with corresponding layers of risk.
10 See "Industry Initiatives" at the end of this article for examples of industry initiatives targeted at deterring Internet theft and fraud, including the implementation of multifactor authentication procedures.
|Last Updated 12/06/2005||SupervisoryJournal@fdic.gov|