solutions from two or more of the three categories of factors
Avondale, AZ (PRWEB) July 4, 2007
A study released last month by Sestus Data Company and BearingPoint Financial Services Information Security Group reports 96% of U.S. banks are failing to implement FFIEC-recommended multi-factor authentication, opting instead for authentication methods that solicit confidential information from consumers.
On August 15, 2006, the Federal Financial Institutions Examination Council (FFIEC) issued a Supplement in which it clarified what it considered to be true multi-factor authentication: "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category at different points in the process may be part of a layered security or other compensating control approach, but it would not constitute multifactor authentication."
The study evaluated a statistical sampling of 100 U.S. banks with published website statements asserting their belief in their compliance with FFIEC multi-factor authentication guidelines. The study analyzed the authentication methods employed by each bank to determine whether the sampled banks were, in fact, consistently employing "solutions from two or more of the three categories of factors", i.e. something the user knows, something the user has, or something the user is.
FINDINGS: WIDESPREAD NON-COMPLIANCE WITH REGULATORY GUIDELINES
According to the study, the U.S. banking industry appears to be ignoring or misinterpreting the FFIEC's multi-factor guidelines in favor of single-factor authentication methods that require consumers to divulge (previously undisclosed) confidential personal information in order to access their online accounts.
The study authors found, "1) overwhelming use of single-factor challenge/response, image-based, and other knowledge based authentication methods purporting to be multi-factor authentication, 2) numerous and varied mis-interpretations regarding the definition of "something the user has", and 3) a high probability for increasing online fraud and loss of consumer privacy as a result of widespread adoption of challenge/response and other knowledge-based systems."
According to the study:
64% of U.S. banks offer only single-factor authentication methods. Where they had previously solicited only logins and passwords, they now solicit additional information in the form of challenge questions. Apparently, these banks believe that by simply asking for MORE information, they are somehow meeting the regulatory definition of multi-factor authentication, a mistaken assumption which the FFIEC has already refuted.
26% of U.S. banks are adopting authentication methods which are "inconsistently multi-factor". These banks attempt to retrieve cookie file or other information in order to satisfy the "something the user has" authentication factor, however, when this information cannot be retrieved, these banks fall back on soliciting more of "something the user knows" in the form of challenge questions.
6% of U.S. banks do offer consistently multi-factor authentication methods as an option, but then permit their members to opt-out of using such methods. If the member chooses to opt-out, the bank employs only single-factor methods.
Only 4% of the sampled banks employed consistently multi-factor authentication methods.
STUDY PREDICTS LOSS OF CONSUMER PRIVACY WILL INCREASE
This study represents the first attempt to measure industry compliance with the FFIEC's multi-factor guidelines since their publication in 2005 and it presents a grim picture.
U.S. banks appear to be ignoring or misinterpreting the FFIEC's call for "true multi-factor authentication" in favor of authentication methods which will actually contribute to the loss of consumer privacy. The study warns, "The stage is being set for an online privacy crisis fueled by millions of pieces of previously-undisclosed personal information solicited by thousands of legitimate financial websites as well as by tens of thousands of fraudulent websites."
The study (PDF) may be downloaded here.
Sestus Data Company's PhishCops™ product is based on government-approved authentication methods and the U.S. government has recognized PhishCops™ for its breakthrough in multi-factor authentication, naming it a semi-finalist for both the 2005 and 2007 Homeland Security Award. PhishCops™ is also a recipient of the InfoWorld 100 Award, InfoWorld Magazine's highest honor for technical innovation. PhishCops™ enjoys an enviable reputation in the financial market with organizations and consumers. The company credits its positive reception to its patent-pending approach to authentication which never solicits personal information.
The BearingPoint Financial Services Information Security group provides information security services to large and midsized financial services companies. The group works with clients to protect their data, comply with federal and international laws and regulations, reduce operational and reputation risks, and imbed security into their next generation financial services products and services. BearingPoint is a leading management and technology consulting company serving the Forbes Global 2000 and many of the world's largest public services organizations. The company's 6,000 risk, compliance and security professionals are skilled in both strategy and execution. Operating in more than 40 countries, they are dedicated to providing tailored, effective strategy, process and technology solutions.