Implications of FFIEC Guidance on Authentication in Electronic Banking
Manish Gupta (State University of New York, Buffalo, USA), JinKyu Lee (Oklahoma State University, USA) and H. R. Rao (State University of New York, Buffalo, USA)
Copyright: © 2009
The Internet has emerged as the dominant medium for enabling banking transactions. Adoption of e-banking has witnessed an unprecedented increase over the last few years. In today’s online financial services environment, authentication is the bedrock of information security. Simple password authentication is the prevailing paradigm, but its weaknesses are all too evident in today’s context. In order to address vulnerabilities of this nature, in October 2005, the Federal Financial Institutions Examination Council (FFIEC)—which comprises the United States’ five federal banking regulators—published joint guidance entitled Authentication in an Internet Banking Environment, recommending that financial institutions deploy security measures to reliably authenticate their online banking customers. The analysis of the FFIEC guidance presented in this chapter is intended to give the reader a view of the issues involved in interpreting the guidance for a specific banking organization, which may support more informed decisions regarding compliance and improved security. The chapter will allow Information Technology managers to understand information assurance issues in e-banking in a holistic manner, and help them make recommendations and take actions to ensure the security of e-banking components.
Internet Banking And Authentication
The actual and perceived threats to Internet-based banking define the need for a set of interrelated security services to provide protection to all parties that can benefit from Web banking in a secure environment (Gupta et al., 2004). The risks of doing business with unauthorized or incorrectly identified persons in an Internet banking environment can result in financial loss and reputation damage through fraud, disclosure of customer information, corruption of data, or unenforceable agreements.
Security for financial transactions is of vital importance to financial institutions providing or planning to provide service delivery to customers over the public Internet, as well as to suppliers of products, services, and solutions for Internet-based e-commerce. With security incidents such as identity theft and account hijacking undermining customer confidence, slowing adoption rates and threatening profits, it is very evident that the requirement to go beyond mere passwords for authentication is real and important. The recent FFIEC guidance on authentication in online banking reports that “Account fraud and identity theft are frequently the result of single factor (e.g., ID/password) authentication exploitation” (FFIEC, 2005). In today’s online financial services environment, authentication is the bedrock of information security. Username/password authentication is the prevailing paradigm, but its weaknesses are all too evident on today’s Web. Password reuse, insecure passwords, and poor password management practices by themselves open the door to a wide range of attacks (Jones, 2006). It is high time for financial institutions to re-evaluate their authentication strategy, in light of the fact that cyber attacks are only going to grow in sophistication and in impact.
Key Terms in this Chapter
Two-Factor Authentication: A system in which two different authentication factors are used to authenticate a user. The two factors must come from different categories among the three commonly accepted factors: (1) “something you know” (such as a password or PIN), (2) “something you have” (such as a smart card or USB security token), and (3) “something you are” (such as a fingerprint, a retinal scan, or other biometric authentication).
The Federal Financial Institutions Examination Council (FFIEC) Guidance for Authentication: The FFIEC—which comprises the United States’ five federal banking regulators—published joint guidance entitled Authentication in an Internet Banking Environment, recommending that financial institutions deploy security measures to reliably authenticate their online banking customers.
Smart Cards and Tokens: A credit card-sized device that contains an integrated chip which holds and protects information about the bearer and can be used for authentication. This is the most common form of the “something you have” authentication factor.
Authentication Factor: A piece of information or process that is used to authenticate or verify an individual’s identity.
Biometric Authentication: The method for uniquely identifying individuals based on one or more intrinsic physiological or behavioral traits.
Technology Evaluation: Also called assessment, this is the study and evaluation of new technologies to understand their relative benefits and costs in the context of their proposed implementation. During evaluation, user interaction issues such as ease of use, ease of deployment, security, invasiveness, and so on are also considered.
Electronic Banking: Also called Internet banking, this is a term used for performing banking transactions, payments, and other services over the Internet through a financial institution’s secure Web site.