Purpose The need for additional security measures to reliably authenticate consumer remotely accessing their financial institution’s Internet banking system. Updates and supplements the 2001 Guidance entitled Authentication in an Electronic Banking Environment.
Authentication in an Electronic Banking Environment
Background Security Acts –Gramm-Leach-Bliley Act (GLBA) Title V requirement. –The Fair and Accurate Credit Reporting Act of 2003 (FACTA) Identity Theft –One of the fastest growing types of consumer fraud –Account takeover was identified as the fastest growing type of identify theft. –Account takeover represents a fundamental compromise of the security protecting consumers’ primary asset account maintained at insured depository institutions.
What is identity theft? Identify theft is defined as the appropriation of credentials or private information belongs to another individual to be used in the creation of new accounts or new identities. Identify theft is defined as the appropriation of credentials or private information belongs to another individual to be used in the creation of new accounts or new identities.
Hacker’s Tools Phishing Spyware Malware Site Spoofing Trojan Horse Social Engineering
Identity Theft Statistics According to FTC, During 2003, 10 million Americans were the victims of identity theft, with a total cost to businesses and consumers approaching $50 billion According to Gartner 2004, 2 million U.S. adult Internet users experienced account takeover during the 12 months ending April 2004.
Continued - The Anti-Phishing Working Group noted a significant increase in phishing activity over the past six months. There were 12,845 new unique phishing email messages reported to the APWG in January 2005 alone.
FICUs e-Banking Services Increase (Growth since 2000) More than half (58%) of FICUs have a website. This has Increase d by 39.5%. Home banking via websites have grown significantly by 78.2%. Number of interactive and transactional websites have grown by 93.4%. Electronic loan payment has increased by 121%. Share draft ordering has grown by 83.2%. Number of members using the transactional worldwide website has increased by 230% (to 18.3 Million) ---------------------------------------------------------------- In 2004, among credit unions, the number of transactional websites grew by 10%, to 3,673, while the number of members using transactional sites grew 21% (to 18.3 million).
Continued - According to NAFCU, 48% FICUs responded that their Credit unions incurred an increased level of identity theft last year relative to 2003. With the fast growth of e-banking service among FICUs and as scam artists become more sophisticated, identity theft has become major risk for those FICUs offering e-banking services.
Continued - In a 2005 study, 14 percent of online consumers reported that they would stop using online banking due to concerns about Phishing.
Risk-based Security Program Program should be Enterprise-wide Perform a risk assessment oConsideration of “controls to authenticate” those seeking access to customer information oTake risk-based and “layered” approach As the risk to sensitive customer information increases, the compensating controls contained within the institution’s security program must also increase
Enterprise-wide Authentication Adherence to corporate standards and architecture Integration within overall information security framework Within lines of business Central authority for oversight and risk monitoring
Risk Assessment Type of the customer Institution’s transactional capabilities Sensitivity and value of the stored information Ease of using the method Size and volume of transactions
Security Measures Risks can be measured by the likelihood of harm and the impact of an occurrence. With respect to Internet transaction processing, three primary risks exist: –risk of monetary losses –potential loss of future business, and, –risk of compromising confidential customer information.
Continued - Implementation of security measures –Risk matrix o illustrate the type and likelihood of risk on one hand and corresponding risk mitigation techniques on the other.
Three factors of Authentication methodologies Something the user knows (password) (password) Something the user possesses (Smart card) Something the user is (biometric characteristic, such as fingerprint or retinal pattern)
Authentication Tools Password PINs Digital certification using a PKI Physical devices –Smart card –Tokens Database comparison Biometric identifiers
Conclusion To comply with GLBA, FACTA. conduct a risk assessment to identify the types and level of risks associated with e-banking application ID and password as the only control mechanism is no longer adequate for controlling remote access to sensitive info. Multi-factor authentication or other layered security is recommended to mitigate those risks.
Part 748 – Appendix B Response program Part 748 – Appendix B Response program
Background Section 501(b) GLBA Part 748 – Appendix A Increasing Number of Security Breaches Revise Part 748 and Add Appendix B – Response Program
Response Program Take preventative measures to safeguard member information –Place access control –Conduct employee background check Implement a risk-based response program –Appropriate to the size and complexity of CU –Appropriate to the nature and scope of the activities –Service provider o Address incidents o Notification of the CU
Components of Response Program Assessment Notification of Primary Regulator Notification of Law enforcement Authorities Proactive Measures to Contain /Control Incident –Monitoring, freezing, or close affected accounts Member Notification
Content of Member Notice Description –The incident in general terms –Type of member info was the subject of unauthorized access or use –What CU has done to protect the member’s info –Telephone number for further assistance –Member should remain vigilant over the next 12 -24 months –Promptly report incidents of suspected ID theft to the CU
Continued - Review Account Statements and Report Suspicious Activity To The CU Notify Credit Bureaus - Consumer Report Obtain Credit Reports – Credit Report Agency Get Federal Trade Commission Assistance
Changes from Proposal Standard for notice to member More risk based; less prescriptive Notice to regulator – only if breach involves sensitive member information
Continued - Notice to regulators – delay to coordinate with law enforcement authorities Flagging, monitoring, securing accounts – left to credit union’s assessment of risk Content of notice – likewise risk based Fraud alerts – less prescriptive – discuss with member but not mandatory
NCUA Expectations for Compliance Potential Questionnaire: –Incorporated into Overall Security Program –Escalation Process / Incident Response –Review of Notices – Attorney Review? –Enterprise Wide Approach –Reporting to Senior Management –Member Outreach / Awareness Programs –Employee Training Programs