Authenticating E-Banking Customers
E-banking introduces the customer as a direct user of the institution's technology. Customers have to log on and use the institution's systems. Accordingly, the financial institution must control their access and educate them in their security responsibilities. While authentication controls play a significant role in the internal security of an organization, this section of the booklet discusses authentication only as it relates to the e-banking customer.
[Footnote: FFIEC Guidance: Authentication in an Electronic Banking Environment (July 30, 2001). See the corresponding agency issuances in appendix C.]
Authenticating New Customers
Verifying a customer's identity, especially that of a new customer, is an integral part of all financial services. Consistent with the USA PATRIOT Act, federal regulations require that by October 1, 2003, each financial institution must develop and implement a customer identification program (CIP) that is appropriate given the institution's size, location and type of business. The CIP must be written, incorporated into the institution's Bank Secrecy Act/Anti-Money Laundering program, and approved by the institution's board of directors. The CIP must include risk-based procedures to verify the identity of customers (generally persons opening new accounts). Procedures in the program should describe how the bank will verify the identity of the customer using documents, nondocumentary methods, or a combination of both. The procedures should reflect the institution's account opening processes - whether face-to-face or remotely as part of the institution's e-banking services.
[Footnote: See 68 Federal Register 25090 (May 9, 2003); 12 CFR Part 21 (OCC); 12 CFR Parts 208 and 211 (Board); 12 CFR Part 326 (FDIC); 12 CFR Part 563 (OTS), and 12 CFR 748 (NCUA).]
As part of its nondocumentary verification methods, a financial institution may rely on third parties to verify the identity of an applicant or assist in the verification. The financial institution is responsible for ensuring that the third party uses the appropriate level of verification procedures to confirm the customer's identity. New account applications submitted on-line increase the difficulty of verifying the application information. Many institutions choose to require the customer to come into an office or branch to complete the account opening process. Institutions conducting the entire account opening process through the mail or on-line should consider using third-party databases to provide:
- Positive verification to ensure that material information provided by an applicant matches information available from third-party sources,
- Logical verification to ensure that information provided is logically consistent, and
- Negative verification to ensure that information provided has not previously been associated with fraudulent activity (e.g., an address previously associated with a fraudulent application).
Authenticating Existing Customers
In addition to the initial verification of customer identities, the financial institution must also authenticate its customers' identities each time they attempt to access their confidential on-line information. The authentication method a financial institution chooses to use in a specific e-banking application should be appropriate and "commercially reasonable" in light of the risks in that application. Whether a method is a commercially reasonable system depends on an evaluation of the circumstances. Financial institutions should weigh the cost of the authentication method, including technology and procedures, against the level of protection it affords and the value or sensitivity of the transaction or data to both the institution and the customer. What constitutes a commercially reasonable system may change over time as technology and standards evolve.
Authentication methods involve confirming one or more of three factors:
- Something only the user should know, such as a password or PIN;
- Something the user possesses, such as an ATM card, smart card, or token; or
- Something the user is, such as a biometric characteristic like a fingerprint or iris pattern.
Authentication methods that depend on more than one factor are typically more difficult to compromise than single-factor systems, and therefore provide more reliable authentication. For example, the use of a customer ID and password is considered single-factor authentication since both items are something the user knows. A common example of two-factor authentication is found in most ATM transactions, where the customer is required to provide something the user possesses (i.e., the card) and something the user knows (i.e., the PIN). Single-factor authentication alone may not be adequate for sensitive communications, high dollar value transactions, or privileged user access (i.e., network administrators). Multi-factor techniques may be necessary in those cases. Institutions should recognize that a single-factor system may be "tiered" (e.g., require multiple passwords) to enhance security without the implementation of a true two-factor system.
[Footnote: A "tiered" single-factor authentication system would include the use of multiple levels of a single factor (e.g., the use of two or more passwords or PINs employed at different points in the authentication process). Tiering may not be as strong as two-factor authentication because the means used to steal the first password may be equally effective against the second password.]
Despite the concerns regarding single-factor authentication, many e-banking services still rely on a customer ID and password to authenticate an existing customer. Some security professionals criticize passwords for a number of reasons, including that a password strong enough to resist guessing may be beyond the user's ability to remember, which undermines compliance with other password policies such as not writing the password down. Password-cracking software and log-on scripts can frequently guess passwords regardless of the use of encryption. Popular acceptance of this form of authentication rests on its ease of use and its adaptability within existing infrastructures.
Financial institutions that allow customers to use passwords with short character length, readily identifiable words or dates, or widely used customer information (e.g., Social Security numbers) may be exposed to excessive risks in light of the security threats from hackers and fraudulent insider abuse. Stronger security in password structure and implementation can help mitigate these risks. Another way to mitigate the risk of scripted attacks is to make the user ID more random and not based on any easily determined format or commonly available information. There are three aspects of passwords that contribute to the security they provide: password secrecy, password length and composition, and administrative controls.
Password secrecy. The security provided by password-only systems depends on the secrecy of the password. If another party obtains the password, he or she can perform the same transactions as the intended user. Passwords can be compromised because of customer behavior or techniques that capture passwords as they travel over the Internet. Attackers can also use well-known weaknesses to gain access to a financial institution's (or its service provider's) Internet-connected systems and obtain password files. Because of these vulnerabilities, passwords and password files should be encrypted when stored or transmitted over open networks such as the Internet. The system should prohibit any user, including the system or security administrator, from printing or viewing unencrypted passwords. In addition, security administrators should ensure password files are protected and closely monitored for compromise because, if a file is stolen, an attacker may be able to decrypt it.
Financial institutions need to emphasize to customers the importance of protecting the password's confidentiality. Customers should be encouraged to log off unattended computers that have been used to access on-line banking systems, especially if they have used public-access terminals, such as those in a library, institution lobby, or Internet cafe.
Password length and composition. The appropriate password length and composition depend on the value or sensitivity of the data protected by the password and the ability of the user to maintain the password as a shared secret. Common identification items - for example, dictionary words, proper names, or Social Security numbers - should not be used as passwords. Password composition standards that require numbers or symbols in the sequence of a password, in conjunction with both upper and lower case alphabetic characters, provide a stronger defense against password-cracking programs. Selecting letters that do not create a common word but do create a mnemonic - for example, the first letter of each word in a favorite phrase, poem, or song - can create a memorable password that is difficult to crack.
Systems linked to open networks, like the Internet, are exposed to a greater number of individuals who may attempt to compromise the system. Attackers may use automated programs to systematically generate millions of alphanumeric combinations to learn a customer's password (i.e., a "brute force" attack). A financial institution can reduce the risk of password compromise by communicating and enforcing prudent password selection, providing guidance to customers and employees, and carefully protecting the password file.
Password administration controls. When evaluating password-based e-banking systems, management should consider whether the authentication system's control capabilities are consistent with the financial institution's security policy. This includes evaluating such areas as password length and composition requirements, incorrect log-on lockout, password expiration, repeat password usage, and encryption requirements, as well as the types of activity monitoring and exception reports in use.
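An added example, not part of the booklet or any agency issuance: the composition rules described under password length and composition, together with the incorrect log-on lockout and repeat password usage controls listed above, expressed as a policy check in Python. The common-word list, the threshold numbers, and the use of salted PBKDF2 hashing for the stored password file are assumptions; the booklet speaks of encrypting stored passwords, and a salted one-way hash is the usual way to keep a stolen password file from yielding the passwords.

```python
import hashlib, os, secrets
from dataclasses import dataclass, field
COMMON_WORDS = {"password", "welcome", "banking", "letmein"}  # constructed stub for a dictionary list
MIN_LENGTH = 8            # assumed values; the booklet sets no specific numbers
MAX_FAILED_LOGONS = 5     # incorrect log-on lockout threshold
HISTORY_DEPTH = 6         # recent passwords that may not be reused

def composition_problems(pw, customer_facts):  # returns the composition rules the candidate violates
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs upper and lower case")
    if not any(c.isdigit() or not c.isalnum() for c in pw):
        problems.append("needs a digit or symbol")
    if pw.lower() in COMMON_WORDS:
        problems.append("dictionary word")
    if any(f.lower() in pw.lower() for f in customer_facts):  # names, SSN, dates on file
        problems.append("contains customer information")
    return problems

def hash_password(pw, salt=None):  # salted PBKDF2: the stored file holds no recoverable password
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

@dataclass
class Account:
    facts: set                                    # customer information the password must not contain
    history: list = field(default_factory=list)   # (salt, digest) pairs, newest last
    failed_logons: int = 0

    def set_password(self, pw):
        problems = composition_problems(pw, self.facts)
        if any(secrets.compare_digest(hash_password(pw, s)[1], d) for s, d in self.history[-HISTORY_DEPTH:]):
            problems.append("reused recent password")
        if not problems:
            self.history.append(hash_password(pw))
        return problems

    def log_on(self, pw):
        if self.failed_logons >= MAX_FAILED_LOGONS or not self.history:  # locked out or no password set
            return False
        salt, digest = self.history[-1]
        if secrets.compare_digest(hash_password(pw, salt)[1], digest):
            self.failed_logons = 0
            return True
        self.failed_logons += 1
        return False
```

The mnemonic-style password "Rfw,Ijb1!" passes the composition check, while a customer's surname or a dictionary word is rejected even when it meets the length and character-class rules.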
Each financial institution must evaluate the risks associated with its authentication methods given the nature of the transactions and information accessed. Financial institutions that assess the risk and decide to rely on passwords should implement strong password administration standards.
Information Security Controls