RE: Bankers on FFIEC

["John Katricak" <jkatricak () linuxmail org>]

Without re-reading the message, I would think that the persistent cookie or email passcode would meet the condition of 
being "multifactor."  At the very least, a thief would now have to do one of the following:

1. Learn the online banking user ID and password, AND learn the email account user ID and password.  Due to some 
obfuscated rules requiring so many letters and numbers in the online banking credentials, I doubt these will ever be 
the same.

2. Learn the online banking user ID and password, AND break into the person's house to use their computer.

Of course, #2 is thrown out the window if someone logs in at work and doesn't lock their screen while they're away.  
Both are moot if the customer uses a public terminal (library, computer lab, airport) and isn't careful about the 
cookies from online banking or their webmail.

In another strike against the security questions, wouldn't people be more likely to write down their questions and 
answers on the same sheet of paper where they wrote down their user ID and password?  That completely throws the 
two-step security out the window.  The passcodes are valid for only 60 minutes, so even if one was written down with 
the user ID and password, the odds are against it still being valid by the time someone steals and reads it.

John Katricak


> ----- Original Message -----
> From: "Ken Kousky" <kkousky () ip3inc com>
> To: "'John Katricak'" <jkatricak () linuxmail org>, security-basics () securityfocus com
> Subject: RE: Bankers on FFIEC
> Date: Thu, 15 Mar 2007 14:09:02 -0400
>
>
> Great hijack - do persistent cookies and additional questions meet the
> standard? What about risk consideration and stronger controls on wire
> transfers from business accounts?
>
> The guidance is a great document but it seems it isn't being taken as
> seriously as it should be - I've also been asked what's the risk of not
> meeting the requirements or doing a poor job of it? Maybe big dollar
> litigation rather than the rage from regulators.
>
> Anyway, here's the FFIEC doc for those who are interested:
> http://www.ffiec.gov/pdf/authentication_guidance.pdf
>
> KWK
>
> -----Original Message-----
> From: John Katricak [mailto:jkatricak () linuxmail org]
> Sent: Thursday, March 15, 2007 10:11 AM
> To: Ken Kousky; security-basics () securityfocus com
> Subject: Re: Bankers on FFIEC
>
> I suppose this is as good a time as any to make my first post to this list.
>
> I work closely with online banking at a small, local savings & loan.  We get
> our online banking product through an outside vendor, Digital Insight (now
> owned by Intuit).  As Digital Insight (DI) explained to us, there are three
> main factors of authentication:
> "Something you know"
> "Something you have"
> "Something you are"
>
> DI gave us two options to comply with the FFIEC guidlines.  For option one,
> the user could be asked an additional security question after logging in
> with their user ID in password.  Option two was to email the users a
> one-time-use passcode that they would have to enter after logging in with
> their user ID and password.  For both options, users also had the choice to
> add a browser cookie and Flash player cookie/shared object to computers they
> used frequently.  If our online banking site found the cookie on that user's
> computer, it would skip the security question or passcode step.  (The
> cookies are user-dependent, so if more than one user uses online banking on
> the same machine, they would each have to set up their own cookie.)
>
> User IDs and passwords are "something you know."  Passcodes (when sent by
> email) and cookies are "something you have."  But as Ken alludes to,
> security questions are also "something you know."  So it's not really
> another factor, it's "something you know, and something else you know."
>
> We chose the email passcode option, but it has not worked perfectly.  Some
> users do not have access to their email from everywhere (for example, they
> are not allowed to access their home email from work, and cannot access
> their work email from home), and some ISPs are rejecting the passcode emails
> as spam without any warning to us or the customers.  (Part of the reason for
> this, I suspect, is because the emails are coming from Digital Insight with
> a high priority setting and our email address as the return/reply-to
> address.)
>
> We were thinking of switching to the security questions option, but in light
> of Ken's email, I would love to see where this discussion goes.
>
> If Ken doesn't mind a minor thread hijack, I would also like to know if
> there are any banks who aren't requiring ANY additional security besides the
> user ID and password.  The FFIEC guidance is just that - guidance, and not a
> requirement.  Many users have used the "my other banks don't make me do
> this," and I'm curious to see how many of those claims are true.
>
> Thank you,
> John Katricak
>
> > ----- Original Message -----
> > From: "Ken Kousky" <kkousky () ip3inc com>
> > To: security-basics () securityfocus com
> > Subject: Bankers on FFIEC
> > Date: Wed, 14 Mar 2007 20:42:52 -0400
> >
> >
> > The FFIEC guidance on online banking calls for strong authentication,
> > applied based on appropriate risk analysis and they even spell out the
> three
> > factors of authentication and state that single factor password
> > authentication isn't adequate. Yet, I've found many banks adding addition
> > questions to the login sequence and thinking they've added another factor.
> >
> > Does anybody have experience with this situation and understand how banks
> > are getting around the Guidance for Online Banking requirements?
> >
> > KWK
>
> >
>
>
> =
> Search for products and services at:
> http://search.mail.com
>
> --
> Powered by Outblaze

>


=
Search for products and services at: 
http://search.mail.com

-- 
Powered by Outblaze