FFIEC & Tokens: Hardware Tokens Do Not Mitigate Phishing

Share Article

Financial institutions who are relying on hardware tokens alone to satisfy regulatory requirements are gambling their company’s fiscal future, and their customer’s security, on something which is inadequate to the task of mitigating phishing.

On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC) issued a guidance letter for banks and financial institutions, which clarified its expectations for combating the growing problem of phishing and identity theft. In their letter, the FFIEC echoed earlier calls by the FDIC for financial institutions to implement stronger, multi-factor authentication and that such authentication be assessed "in light of new or changing risks such as phishing".

The FFIEC urged "where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks."

Financial institutions have been increasingly eyeing hardware tokens as one possible means of satisfying the FFIEC’s requirements. This consideration is being encouraged, in large part, by token vendors who see a windfall ahead in the form of millions of tokens sold to unsuspecting banks. Tokens are small hardware devices that generate unique numeric codes which have been widely used by European banks for over decade to implement multi-factor authentication. Following the release of the FFIEC’s guidance letter, token vendors began preparing to saddle millions of Americans with these annoying key chain additions.

However, the FFIEC issued a second recommendation in their Guidance Letter which financial institutions seem to have largely overlooked; "financial institutions should assess the adequacy of such authentication techniques in light of new or changing risks such as phishing, pharming, malware, and the evolving sophistication of compromise techniques." The FFIEC then clarifies that the failure of financial institutions to "authenticate their web sites" to customers is a root cause of the phishing problem, stating "Currently, most financial institutions do not authenticate their web sites to the customer before collecting sensitive information. One reason phishing attacks are successful is that unsuspecting customers cannot determine they are being directed to spoofed web sites."

Tokens authenticate customers to a website. Tokens do NOT authenticate websites to customers. As a result, tokens are incapable of stopping phishing. By way of a recent example, Nordea Bank, an European bank with 4 million customers using similar 2-factor authentication methods, recently made headlines when phishers successfully launched a phishing attack against its customers.

Tokens may be sufficient to satisfy part of the FFIEC’s requirements, the need for stronger, multi-factor authentication, but when assessed "in light of new or changing risks such as phishing", they are insufficient to the task.

Financial institutions, however, appear to be turning a deaf ear to this FFIEC recommendation, risking future sanctions while they pursue outfitting their customers with hardware-based tokens which are incapable of authenticating websites. IT Security Expert Bruce Schneier perhaps stated it best during a recent interview, "I predict that banks and other financial institutions will spend millions fitting their users with two-factor authentication tokens. Early adopters of this technology may very well experience a significant drop in fraud for a while as attackers move to easier targets, but in the end there will be a negligible drop in the amount of fraud and identity theft."

PhishCops™ by Sestus Data Corporation satisfies both of the FFIEC’s recommendations using a "virtual", or hardware-free two-factor token processor, with invulnerable website authentication, in a single integrated solution.

PhishCops™ was designed from its inception in accordance with FDIC and FFIEC regulatory requirements and the U.S. government recently named PhishCops™ a semi-finalist for the 2005 Homeland Security Award.

PhishCops™ uses technology which is superior to that used by most hardware-based tokens. Indeed, the National Institute of Standards and Technology, a government standards body has recently called for all regulatory agencies and commercial security firms to migrate their technologies away from the aging SHA-1 OATH standard used by most hardware-based token vendors, to the newer SHA-256 standard, which is used by PhishCops™, by 2010.

A live demo, whitepaper, and additional information can be found on the PhishCops™ homepage: http://www.phishcops.com

# # #

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Media Contact
Sestus Data Corporation
866-621-3885
Email >