April 2, 2010 - Francois Lasnier
A change is happening in the security of online banking. In October 2005, the FFIEC provided guidance requiring the banking industry to provide stronger security controls to ensure the safety of online transactions. This set in motion a flurry of changes, but the effort has not been able to keep up with the ever-increasing sophistication of online threats. The time has come for stronger security, but the focus needs to be protecting end users -- not simply meeting compliance requirements.
One of the greatest threats to the implementation of strong security controls is "compliance think" -- the phenomenon of working to meet compliance requirements, rather focusing on action that meets the need identified by the guidance.
Online threats are evolving, and it is imperative that security solutions achieve the transaction safety that customers are demanding - not simply meet regulatory
The health of any economy can be roughly charted as an inverse relation to the number of bank robberies in a given area: bad economy, more robberies. With a global recession, we've seen a rise in the availability of software made to attack financial web sites, as well as highly organized crime groups, and so the number of "virtual" bank robberies continues to rise relatively unabated. It seems the applied security solutions in the United States today have done little to stop online theft and fraud.This demonstrates that "compliance think" has provided a pass mark on the compliance regulation, but not complied with the intention of regulation, which is the protection of online transactions.
Financial institutions of all sizes must now evaluate their current security solutions and gauge their effectiveness against the rapidly changing threat landscape. Phishing and other social engineering attacks will always be a threat and should be addressed with ongoing consumer/employee education. The solutions that will provide real protection and survive a security review are those that can defend against sophisticated, technology-based attacks that occur without the end user involvement.
To defend against Man-In-The-Middle (MITM) and Man-In-The-Browser (MITB) attacks, financial web sites must implement transaction-specific authentication in addition to user authentication. This is a move beyond the passive authentication used for most retail banking applications and many cash management applications, beyond one-time passwords (OTP), even beyond Challenge/Response (C/R) solutions. These solutions have provided security layers, but stop short of protecting online transactions from attack.
Transaction-specific authentication, also called transaction signing, is a method for verifying the integrity of the financial transaction. This ensures that online transactions received by the bank are exactly the transactions the customer intended to perform. In this model, the online customer would be provided with a token (i.e., smart card, USB stick, etc.) that provides the ability to verify the transaction with a PIN or passphrase. With this technology in place, additional capabilities such as secure document signing also can be implemented.
The typical end user does not fully comprehend the sophistication of new attacks. They trust their financial institutions to provide a safe online experience. Online threats are evolving, and it is imperative that security solutions achieve the transaction safety that customers are demanding - not simply meet regulatory requirements.
Source: Antiphishing Working Group (www.antiphishing.org).
Francois Lasnier is the Vice President and General Manager of the Security business in North America for Gemalto, the world leader in digital security. For Gemalto, Lasnier maintains a focus on identity security and data protection for both the government and enterprise sectors. He is equally committed to security education and advocacy through Gemalto's online resource www.JustAskGemalto.com, which provides answers to consumer questions about how to better enjoy the safety and conveniences of the digital world. Lasnier's history with Gemalto spans several years, beginning in the banking sector within the product development team; he managed the first smart card implementation to use Visa's Java-based Open Platform, now an industry standard. Previously, Lasnier worked in program management with smart card-based electronic toll collection systems and RFID-based vehicle identification systems in Tokyo. Lasnier received his master's degree in electrical engineering and computer science.