White Paper
Entrust Inc. All Rights Reserved.
Contents
Introduction
A Dynamic Threat Landscape
Understanding the FFIEC Recommendations
  Drive Better Risk Assessment
  Adopt Strong Authentication Standards
  Push Toward Layered Security
  Explore Advanced Authentication Techniques
  Enhance Customer Awareness & Education
Introduction
With every new data breach revealed or costly identity-theft case reported,
consumer confidence in the security of online banking erodes. This loss of
confidence in online services can have a direct impact on the ability of financial
institutions to reduce costs and increase efficiency through the online-banking
channel.
Today, financial institutions offering Internet-based and mobile-banking services
face increasing pressure to provide enhanced consumer protection against
phishing, sophisticated malware (e.g., man-in-the-browser attacks, ZeuS,
SpyEye, Ice IX) and other fraudulent activities.
First issued in 2005, the Federal Financial Institutions Examination Council's
(FFIEC) guidance for financial institutions took a strong stance in support of the
deployment of stronger authentication methods, as well as fraud detection
techniques, to protect customer identities and information during online-banking
transactions.
Updated in June 2011, the FFIEC's "Authentication in an Internet Banking
Environment" guidance recognizes the significant advances in criminal threats,
both in sophistication and in sheer frequency. The supplement provides
comprehensive guidelines to help stop advanced attacks that target the identities
and transactions of consumers and business-banking customers. This guidance
suggests that affected organizations:
financial institutions
Figure 1: Organized crime groups are innovative and fast-moving, developing advanced malware and fraud techniques that easily
defeat outdated or single-layer security schemes.
Enhanced SpyEye Trojan Poses New Threat, Mathew Schwartz, Information Week, February 8, 2011.
While there are many safeguards deployed within financial institutions, criminals
are evolving their techniques rapidly. Phishing, smishing and spear-phishing
attacks are now designed to deploy malware, which takes over users' browsers
and mobile devices to execute malicious transactions. The malware is also
crafted to avoid detection by antivirus tools.
A spear-phishing attack is a highly targeted form of phishing, using specific messages and information tailored to a particular user or
small user group.
Customer Type
Information Sensitivity
Ease of Use
Transaction Volume
Mobile Landscape
Transaction Capability
The risk assessment should also review the possible impacts of a problem for
specific services by considering the potential damage to an institution's brand
and reputation, as well as the financial loss or liability from fraud attacks. The
unauthorized release of sensitive information and data, and the ramifications of
compliance failure, should be evaluated during the risk-assessment process.
Once completed, a risk assessment will outline the specific services and
products that have an increased likelihood of being compromised and will result
in a more severe impact if there are fraudulent activities. Potential impacts and
particular services can be mapped to specific security levels.
For example, a bank may determine that all services conducted with corporate
accounts have a higher potential impact and require strong/step-up
authentication, a fraud detection solution or a combination of several solutions as
part of a comprehensive layered security approach.
The report may identify circumstances where less security is acceptable (e.g.,
corporate customers can review transaction histories and account information
with single-factor authentication, but will need to use a higher level of security
when they want to initiate transactions).
Adopt Strong Authentication Standards
While the 2005 guidance stated that usernames and passwords weren't enough,
today's threats require even stronger means of authentication, particularly for
high-risk transactions (e.g., ACH and wire transfers for commercial transactions).
That's where strong authentication, deployed in layers, is effective against the
most advanced malware threats.
Financial institutions have known for some time that usernames and passwords
alone are insufficiently effective protection for user accounts. Numerous other
strong authentication techniques are available and address a wide range of
threats that are still relevant.
Traditional two-factor authentication solutions such as one-time-passcode
tokens, while continuing to be effective in layered scenarios, are no longer
effective against sophisticated man-in-the-browser attacks when used as a lone
security device.
Fortunately, a number of newer techniques provide effective protection against
man-in-the-browser attacks, either through the use of a separate communication
channel with the user, or by relying on advanced behavior-based fraud detection
engines that can automatically detect transaction or website navigation
anomalies in real-time.
George Tubin
But fighting online fraud isn't a checkmark fix. It's a continuously evolving
investment in technology, process, human resources and innovation. The
moment an organization becomes complacent with their security infrastructure,
they open themselves up for attack.
By exploring and investing in new and advanced authentication techniques,
financial institutions are able to better keep pace with the sophisticated fraud
schemes leveraged by well-funded criminal groups.
The more advanced authentication techniques include mobile out-of-band
transaction verification, advanced mobile authentication solutions and behavioral
fraud detection. The latter monitors transaction and session navigation attributes
in real-time to detect anomalies and stop transactions before they execute.
US Business Banking Cybercrime Wave: Is Commercially Reasonable Reasonable? George Tubin & Susan Feinberg, TowerGroup, August 9, 2010.
Cost-effectiveness
Adaptability
Integration
Security Expertise
Speed of Deployment
Comprehensiveness
Mobile Innovation
Selecting the appropriate technology vendor to provide any security method can
be daunting, especially if each is evaluated individually as a stand-alone system.
One key to assessing and selecting appropriate solutions is to examine security
holistically, looking at all layers of security requirements as a single system
with different capabilities for various services.
Choose a platform that delivers a range of multifactor authentication
and fraud detection capabilities as the cornerstones of a comprehensive layered
security environment that can respond and adapt to future changes.
the issue of user acceptance must remain in the forefront of all authentication
decisions. An effective strong authentication deployment must be easy to use
and have customer acceptance no matter how many or which factors are
used.
Authenticator
Description
Physical Tokens
Grid Cards
Security grid cards can provide strong second-factor protection using a grid
card issued to each user. Users enter characters from the grid at login.
Inexpensive to produce and deploy, and easy to use and support, these
highly intuitive cards have a very high success rate in banking environments.
Grid cards can be produced and distributed in a number of ways, including a
credit card-like format in thin plastic, paper or deployed digitally to
smartphones and mobile devices.
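The challenge-and-response flow described for grid cards, as an added worked example written for this page (it is not Entrust's IdentityGuard code). The card layout (rows A to E, ten columns), the three-cell challenge length, the response format and the fixed demo card are all assumptions made for the illustration; the server's copy of the card would be protected at rest in a real deployment.

```python
"""Grid-card second factor: issue a coordinate challenge, verify the reply.

Added illustration, not Entrust's implementation. Grid layout (rows A-E,
columns 1-10), challenge length and response format are assumptions.
"""
import hmac
import secrets
import string
from dataclasses import dataclass

ALPHABET = string.ascii_uppercase + string.digits   # characters printed on the card
ROW_LABELS = "ABCDE"                                 # assumed layout: 5 rows
COLS = 10                                            # assumed layout: 10 columns


@dataclass(frozen=True)
class GridCard:
    """Server-side copy of the card issued to one user: one string per row."""
    rows: tuple

    def cell(self, row: str, col: int) -> str:
        """Character printed at a coordinate such as ("B", 3)."""
        return self.rows[ROW_LABELS.index(row)][col - 1]


def generate_card() -> GridCard:
    """Create a fresh card from a cryptographically secure source."""
    rows = tuple(
        "".join(secrets.choice(ALPHABET) for _ in range(COLS))
        for _ in ROW_LABELS
    )
    return GridCard(rows)


def issue_challenge(n_cells: int = 3) -> list:
    """Pick n distinct coordinates, e.g. [("B", 3), ("E", 10), ("A", 7)].

    Drawn from a secure source so that an answer captured for one login
    does not reveal the answer to the next challenge.
    """
    all_cells = [(r, c) for r in ROW_LABELS for c in range(1, COLS + 1)]
    chosen = []
    for _ in range(n_cells):
        idx = secrets.randbelow(len(all_cells))
        chosen.append(all_cells.pop(idx))
    return chosen


def expected_response(card: GridCard, challenge: list) -> str:
    """Characters the legitimate cardholder should type, in challenge order."""
    return "".join(card.cell(r, c) for r, c in challenge)


def verify_response(card: GridCard, challenge: list, response: str) -> bool:
    """Constant-time comparison; spaces and case are normalised because users
    often type the characters in groups or in lower case."""
    supplied = response.replace(" ", "").upper()
    expected = expected_response(card, challenge)
    return hmac.compare_digest(supplied.encode(), expected.encode())


# Constructed demo card with fixed values so the walk-through is reproducible.
DEMO_CARD = GridCard((
    "K7QZ2MPL9A",
    "B4XN8RW1CV",
    "T6JH0SD3YE",
    "F5GU9KA2LO",
    "R3ZP7MQ8NI",
))

if __name__ == "__main__":
    challenge = issue_challenge()
    print("Enter the characters at:", challenge)
    answer = expected_response(DEMO_CARD, challenge)  # what the real user would type
    print("verified:", verify_response(DEMO_CARD, challenge, answer.lower()))
```

Because each login asks for a different set of cells, a phished response is only useful for the challenge it was captured against, which is why the card remains a reasonable second factor in a layered scheme even though it offers no protection by itself against a man-in-the-browser that alters a transaction after authentication.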
Soft Tokens
Digital Certificates
Authenticator
Description
Machine
Authentication/
Device Profiling
Knowledge-Based
Authentication
Out-of-Band
Authentication
IP-Geolocation
Authenticated users can register locations where they frequently access the
online-banking sites or services. During subsequent authentications, the
server compares their current location data, including country, region, city,
ISP, latitude and longitude, to those previously registered. Financial
institutions only need to step up authentication when the values don't
match.
Organizations can create blacklists of regions, countries or IPs based on
fraud histories. They can even leverage an open fraud intelligence network to
receive updated lists of known fraudulent IPs based on independent
professional analysis.
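The decision logic the two paragraphs above describe, registered-location comparison with step-up on mismatch plus a fraud-history blocklist, as an added example written for this page rather than Entrust's code. The location fields follow the text (country, region, city, ISP, latitude, longitude); the 50 km tolerance radius, the three decision labels, the fictional ISP names and the documentation address ranges used as sample data are assumptions constructed for the illustration.

```python
"""IP-geolocation step-up decision for an online-banking login.

Added illustration, not Entrust's code. Location fields mirror the text;
the radius, decision labels and all sample data are assumptions.
"""
import ipaddress
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Location:
    country: str
    region: str
    city: str
    isp: str
    lat: float
    lon: float


def haversine_km(a: Location, b: Location) -> float:
    """Great-circle distance between two lat/lon points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi = p2 - p1
    dlam = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))


def matches_registered(current: Location, registered, radius_km: float = 50.0) -> bool:
    """True when the login resembles a location the user registered earlier.

    Either every descriptive attribute matches, or the coordinates fall within
    radius_km of a registered point (geolocation databases may place the same
    subscriber in a neighbouring city from one session to the next).
    """
    for known in registered:
        same_attrs = (
            current.country == known.country
            and current.region == known.region
            and current.city == known.city
            and current.isp == known.isp
        )
        if same_attrs or haversine_km(current, known) <= radius_km:
            return True
    return False


def evaluate_login(ip: str, current: Location, registered,
                   blocked_countries: set, blocked_networks) -> str:
    """Return "deny", "step_up" or "allow".

    Blocklist hits (regions, countries or IP ranges with a fraud history, or a
    feed from a fraud-intelligence network) are refused outright; an
    unfamiliar location is not refused but requires a second factor.
    """
    addr = ipaddress.ip_address(ip)
    if current.country in blocked_countries:
        return "deny"
    if any(addr in net for net in blocked_networks):
        return "deny"
    if matches_registered(current, registered):
        return "allow"
    return "step_up"


# Constructed sample data: fictional ISPs, placeholder country code, and
# documentation/test address ranges (RFC 5737) so nothing real is named.
REGISTERED = [
    Location("US", "TX", "Dallas", "ExampleNet", 32.78, -96.80),
]
BLOCKED_COUNTRIES = {"ZZ"}                                    # placeholder code
BLOCKED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # TEST-NET-2

if __name__ == "__main__":
    usual = Location("US", "TX", "Dallas", "ExampleNet", 32.79, -96.81)
    elsewhere = Location("US", "TX", "Austin", "OtherNet", 30.27, -97.74)
    for ip, loc in [("203.0.113.5", usual), ("203.0.113.6", elsewhere),
                    ("198.51.100.7", usual)]:
        print(ip, loc.city, "->", evaluate_login(ip, loc, REGISTERED,
                                                 BLOCKED_COUNTRIES, BLOCKED_NETWORKS))
```

Keeping the blocklist check ahead of the registered-location check matters: a login from a blocked range is refused even when its reported city happens to match, whereas a merely unfamiliar location only raises the bar to a stronger factor, so legitimate travelling customers are inconvenienced rather than locked out.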
Description
Transaction Monitoring
Multi-user/Cross-Site Monitoring
Description
Figure 2: The award-winning Entrust IdentityGuard software authentication platform offers more authenticators than
any solution on the market and is a key component in a comprehensive framework proven to stop malware and
online fraud.
Company Facts
Website: www.entrust.com
Employees: 359
Customers: 5,000
Offices: 10 Globally
Headquarters
Three Lincoln Centre
5430 LBJ Freeway, Suite 1250
Dallas, Texas 75240
Sales
North America: 1-888-690-2424
EMEA: +44 (0) 118 953 3000
Email: entrust@entrust.com
24385/8-11