Thursday, June 7, 2007

Is top banks' security any better after FFIEC?

CSO Magazine, for those of you who read it, has an interesting column by Sarah Scalet, named "Alarmed". This month, she takes a look at some of the biggest online banking institutions out there, namely Chase, Citi, and BofA, and gives a report card on how they're doing.

Given that you can't really call up a bank and ask them to give you their security measures, because that would be the biggest insecurity of all, it's fair to call a call center and see what the CSRs can tell you. Sarah called each of the banks call centers and asked about online security, and how she could be sure her account was secure and protected. The results are startling - but not really shocking to this writer - since I've been seeing much of this same type of attitute all over.
If you don't want to read the full article, here's a quick summary from
  • Citibank: Call-center rep did not seem to understand my questions and tried to refer me to the website for answers.
  • Chase: Call-center rep didn't offer clear explanations but kept trying to get me to sign up anyway.
  • Bank of America: Call-center rep understood my questions, explained customer-facing security mechanisms and offered advice about how I could protect myself.

I am looking for something deeper here though. Let me for one second talk about the FFIEC guideline, and what it really means. Allow me to take a stroll down FFIEC memory lane.

  • August 8th, 2001 - FFIEC releases guideline that says in a nutshell "Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks." This would seem to indicate that banks are free to use their own risk-assessment models; but that overall, multi-factor authentication should be at the forefront of banks' security agencies. This was, after all, a general guideline released in 2001!
  • October 12, 2005 [large gap?] - FFIEC releasees second guideline on online banking authentication. This time, the report makes clear what it finds as inadqeuate - "The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties."

So today is June 7th, 2007. Where are we, with these guidelines? If you read the article in CSO Magazine above, you'll see that we're not really there. Sure, many banks are using the RSA/Passmark system which profiles the machine, gives the user a pretty picture which they selected to "authenticate the site to the user", and we even have 3 challenge questions in case you go to a computer you've never used before. Let's review though - is this "multi-factor authentication" as the FFIEC states in their guideline? I would argue no.

Allow me to explain why I am saying that RSA/Passmark and other derivitives of that solution are not multi-factor authentication. Multi-factor or "strong authentication" is comprised of three things:

  • Something you have - for example - a token, a scratch card, anything you possess
  • Something you are - for example - your fingerprint, retinal image, or voiceprint, etc
  • Something you know - for example - a password, pin, or other "known" item

The technologies banks are employing today technically do involve at least 2 of these things, so that makes them multi-factor, right? What I'm saying is that we're just using an over-glorified multi-password system here. The whole premise of the current solutions hinges on the fact that your computer is "profiled" and a cookie or flash object or something is set there so that next time that you login, the system can say that you're coming to it from a known good source. Is this really true? I'll address that in a second, but first let me hit the idea of these multiple questions. If implemented properly, they are questions you can't google for - which is good. Except that you have to allow the user some degree of leniency - right? If you asked me my favorite ice cream flavor, and I initially typed in "Mint Chocolate Chip" and later when challenged I typed "chocolate chip" is that good enough? These "secret questions" combined with the local token on the machine make this a multi-factor solution but it can be broken.

Broken? How can I claim this? Well, how many trojan horse malware things have we heard of that steal cookies? And how easily can one adapt one of these malwares to steal just the right "token" from a computer so that BofA's site things I'm coming from a trusted source? The answer: simple code changes.

My point folks - what Banks have done is adhere to the letter of the law, and now the spirit. Are we any safer today than we were before Chase, Citi, and Bank of America implemented these solutions, when I used my username/password to get into their sites? Sadly the answer is no.

1 comment:

Heath said...

Good Post! I agree 100%. I would love to see actual multi-factor authentication enforced by the FFIEC and embraced by banks. On a positive note I have seen some banks that are issuing tokens for cash management customers, but these implementations have had large hiccups due to pushback from customers and poor procedures in place. I recently posted on something similar to this about multi-factor on website purchases.