Meeting FFIEC Guidance for Increased Authentication Security
The FFIEC has issued guidance to financial institutions requiring stronger authentication for certain transactions by the end of 2006. While there is a good bit of flexibility in the guidelines, it should be clear that the government intends to aggressively combat online fraud. Banks and financial institutions must move quickly, but they should also plan ahead and choose authentication systems that will ultimately result in secure online banking. Just meeting guidelines today will leave you exposed in the future.
WiKID Solutions for online banking
WiKID Systems, Inc. built the WiKID Authentication System to address the problems inherent in existing authentication solutions. We have created a better solution by focusing on reducing costs, increasing ease of use for both administrators and end users, and providing an extensible platform for our customers. WiKID provides the highest levels of security in the most flexible, adaptable and cost-effective package. WiKID uses a software token and public-key cryptography to securely deliver one-time passcodes upon receipt of a validly encrypted PIN.
Initial validation must be automated
WiKID makes the complex task of setting up thousands of users effortless. Because WiKID uses a public-key based architecture, users can set themselves up using existing credentials in a simple four-step process. Users get the client, select Create New Domain, enter their desired PIN and provide the bank with the resulting registration code. Users can set up multiple WiKID Token Clients using passcodes from the first token client.
User experience must be consistent
Inconsistent user experiences create attack angles for fraudsters. If an authentication system falls back to a less-secure question and answer session, phishers will create man-in-the-middle attacks to take advantage of that. WiKID provides a consistent, understandable user experience.
Time bound one-time passcodes
The recent attack on Nordea Bank’s scratch pad one-time password system proves that OTPs must be time bound. But 60 seconds is too short for many users. With WiKID, the passcode lifetime is configurable. Set it for as long as desired.
Attackers will target the weak link in the system, which might be an ISP’s DNS system. Numerous studies have shown that even highly technical users never validate an SSL certificate. While presenting the user with a unique image might help, that is only an authentication enhancement, not a cryptographically secure mutual authentication system. WiKID uses an ‘out-of-band’ SSL certificate verification system, leveraging your investment in certificates. The WiKID server stores an updatable hash of the website certificate. When the user gets the OTP for that domain, they also get the hash. The token client fetches the website certificate, hashes it and compares the two. If they match, the token client presents the URL as Validated and launches the default browser to the validated site. Attackers must now target either the private key of your web server or the WiKID server, both of which are secured in your environment.
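The out-of-band certificate check described above, together with the configurable passcode lifetime from the previous section, modelled as an added example (this is illustrative code, not WiKID’s implementation). The server-side record, the SHA-256 fingerprint, the six-digit OTP format and the certificate byte strings are all constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for DER-encoded certificates (not real certificates).
BANK_CERT_DER = b"constructed DER bytes for the bank's legitimate certificate"
ROGUE_CERT_DER = b"constructed DER bytes served by a host the user was misdirected to"


def cert_fingerprint(der):
    """SHA-256 over the DER bytes: the 'hash of the website certificate' that
    the server stores. The choice of SHA-256 is an assumption."""
    return hashlib.sha256(der).hexdigest()


class AuthServer:
    """Hypothetical server side: one record per domain holding the site URL and
    the current certificate hash, replaced when the certificate is rotated."""

    def __init__(self, passcode_lifetime_s=300):
        self.passcode_lifetime_s = passcode_lifetime_s  # configurable lifetime
        self._domains = {}

    def register_domain(self, domain, url, cert_der):
        self._domains[domain] = {"url": url, "cert_hash": cert_fingerprint(cert_der)}

    def rotate_certificate(self, domain, new_cert_der):
        # Certificate renewal only requires updating the stored hash.
        self._domains[domain]["cert_hash"] = cert_fingerprint(new_cert_der)

    def issue_passcode(self, domain, now=None):
        """Return the OTP together with the out-of-band certificate hash."""
        rec = self._domains[domain]
        now = time.time() if now is None else now
        return {
            "otp": f"{secrets.randbelow(10**6):06d}",
            "expires_at": now + self.passcode_lifetime_s,
            "url": rec["url"],
            "cert_hash": rec["cert_hash"],
        }


def token_client_validate(issued, fetched_cert_der, now=None):
    """Client side: hash the certificate the site actually presented and compare
    it (in constant time) with the hash delivered alongside the OTP. An expired
    passcode is rejected before the certificate is even considered."""
    now = time.time() if now is None else now
    if now >= issued["expires_at"]:
        return False
    return hmac.compare_digest(cert_fingerprint(fetched_cert_der), issued["cert_hash"])
```

A DNS-redirected host cannot present the pinned certificate without the bank’s private key, so the mismatch is caught on the client before any browser is launched.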
A key benefit with any OTP system is simple integration with your web-based application. A system that requires complex integration or a change in the user interface for every user can backfire. What if half the users want hardware tokens and half want software? By standardizing on a protocol such as RADIUS or LDAP, it will be simple to manage multiple authentication technologies. Redesigning your online banking application for a system that users might reject reduces your choices and your ability to react.
Transaction Authentication & Validation
Session hijacking trojans do an end-run around all your mutual authentication and session security measures. While users need to be responsible for the security of their computers, secure transaction authentication would make it extremely difficult for attackers to successfully remove money from an account. In order to be secure, however, the transaction authentication mechanism must be separate from the session authentication mechanism. Otherwise, the man-in-the-middle can just send the user a fake “Connection lost, please re-authenticate” message and use the resulting passcode to perform the transaction. WiKID’s support for multiple domains allows the financial institution to have one domain for sessions and one for transactions, each with different public-private key pairs.
Customers don’t want to wait in line at a branch, nor do they want to wait for a page to load. Any authentication system that slows page loading could turn away users or, worse, create a DoS attack vector. The WiKID Strong Authentication System is highly scalable. On a low-end server, WiKID can handle 50 authentications per second.
Banks are reluctant to require software to do online banking. But that is exactly what is required to do it securely. The choice is between hidden software in cookies that a user is likely to delete and known software the user appreciates.
Financial institutions are in a quandary. They are under attack from determined and creative opponents. Regulators require stronger authentication mechanisms by the end of 2006. This will create an explosion in authentication offerings. As with any market, there will be winners and losers. But how do you know which systems will win? You don’t. The best strategy for a financial institution is to choose the solution that offers the most protection for the lowest investment while maintaining flexibility.
To learn more, contact WiKID now!