New Privacy Laws Discouraging Banks from Using Challenge/Response Authentication

With the recent widespread introduction of "challenge / response" authentication systems, financial institutions that had previously given little thought to their compliance with state and federal privacy laws are now finding themselves squarely in the cross-hairs of privacy groups, law firms, and regulators. Many financial institutions are now involved in multi-million-dollar lawsuits over their use of solicited personal information. Others are abandoning their challenge / response authentication systems altogether in order to reduce their liability and improve their compliance with the growing body of state and federal privacy laws.

Recently, numerous states have begun passing laws designed to limit the amount of information which a financial institution may solicit from consumers, as well as provide greater accountability when this information is sold to other companies. California, for example, recently passed the California Online Privacy Protection Act. It requires owners of web sites that collect personal information to conspicuously post a privacy policy explaining the types of information collected and the names of all parties with whom the information may be shared. Many other states are passing similar measures.

As a result of these new laws, financial institutions are now considering abandoning challenge / response authentication systems in order to reduce their liability and improve their compliance. Others are already dealing with the fallout in the form of multi-million dollar lawsuits and consumer privacy complaints.

WHAT ARE CHALLENGE / RESPONSE AUTHENTICATION SYSTEMS?
Challenge / response authentication systems are security systems that solicit personal information from consumers, usually as part of a login process. The consumer is asked to register and then later answer a challenge question, such as "What was the name of your childhood friend?", "Who is your favorite author?", or "Where did you spend your last vacation?" Despite significant consumer and regulatory objections to such privacy intrusions, many U.S. financial institutions have rushed to deploy such systems.

As personally identifiable information provided to the financial institution in order to obtain a financial product or service, the information falls under Title V of the Gramm-Leach-Bliley Act as well as most state privacy laws.

MAJOR CONSEQUENCES TO FINANCIAL INSTITUTIONS
With the introduction of challenge / response systems, financial institutions that had previously given little thought to their compliance with state and federal privacy laws are now finding themselves squarely in the cross-hairs of privacy groups, law firms, and regulators.

Take, for example, a credit union in San Francisco. Previously, the credit union's compliance with privacy laws was limited to its webmaster posting a small statement at the bottom of its home page. The credit union does not provide many online services, and those services it does provide did not require its members to disclose any personal information.

Simply by adding a challenge / response system to its login page, i.e., just by asking its members, "What is the name of your childhood friend?", the credit union must now comply with Title V of the Gramm-Leach-Bliley Act, the California Online Privacy Protection Act, and numerous other privacy laws. The credit union must also conspicuously display on its website a complete list of any companies with whom its members' information may be shared.

Failure to comply with these privacy laws places the credit union at risk of significant lawsuits, fines, and other consequences. More and more financial institutions are being subjected to lawsuits because of their alleged non-compliance with these laws. Bank of America recently settled one such case for $14 million, Wells Fargo settled a case for $6.7 million, and Fidelity Federal Bank & Trust settled a case for a whopping $50 million, with another $3.95 billion in settlements possible. Other banks involved in similar lawsuits in recent years include Citibank, U.S. Bancorp, Old National Bancorp, Union Planters Bank, and Chase Manhattan Bank.

REGULATORS: CHALLENGE / RESPONSE IS NOT MULTI-FACTOR
Most financial institutions implemented challenge / response authentication systems in response to FDIC and FFIEC regulatory recommendations to implement "multi-factor" authentication. Challenge / response systems, however, do not meet the regulatory definition of multi-factor authentication.

Regulators define multi-factor authentication this way: "Existing authentication methodologies involve three basic "factors": Something the user knows (e.g., password, PIN); Something the user has (e.g., ATM card, smart card); and Something the user is (e.g., biometric characteristic, such as a fingerprint)." (Source: FFIEC, "Guidance Letter" - October 12, 2005)

Consumers already supply the first authentication factor in the form of a login ID and password ("something the user knows"). Information supplied in response to a challenge question, however, simply represents more of "something the user knows". As such, it does not constitute a second factor.

On June 17, 2005, the FDIC issued regulatory guidance in which it repeatedly cautioned financial institutions about using personal information for authentication. The agency warned, "Limitations on the use of personal information and the existence of privacy safeguards are important elements of consumer acceptance." Despite these and other warnings, challenge / response systems were actively marketed over the next several years by vendors who failed to disclose the "single-factor" nature of their products.

Finally, on August 15, 2006, the FFIEC published supplemental guidance in which it settled the question once and for all. Said the FFIEC, "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category at different points in the process may be part of a layered security or other compensating control approach, but it would not constitute multifactor authentication." (Source: FFIEC "FAQ Supplement", August 15, 2006)

ALTERNATIVES
There are authentication solutions that meet the regulatory definition of true multi-factor authentication without resorting to soliciting personal information from consumers. Traditional hardware tokens, software certificates, and Sestus Data Company's "virtual tokens" (aka PhishCops®) are among those solutions that meet the regulatory definition of multi-factor authentication without resorting to solicited user information.

Of these, PhishCops® is the newest addition to the authentication market and the solution identified by the Credit Union Journal in a recent survey of U.S. credit unions as having the lowest support requirements and the greatest user acceptance.

When considering any authentication solution, financial institutions would do well to follow the FDIC's advice and simply limit the use of personal information. Avoiding challenge / response systems not only improves customer satisfaction, it also eases the organization's compliance burden with state and federal privacy laws.
