2012 could see mass adoption for commercial customers
Jorge Solis would like you to imagine three houses next to one another. One has a small dog bowl outside with the name “Fife,” the next has a regular sized bowl with “Max” on it and the last has a large dog bowl with the name “Killer” inscribed. Which house will a burglar try to rob?
This is the approach that First Midwest Bank is taking to protect its business customers from hackers. They want the “Killer” dog bowl in front, says Solis, senior vice president of security at the Itasca, Ill.-based financial institution.
First Midwest deployed technology from PhoneFactor to help secure its business customers. Other financial institutions are also adding extra identity security as federal regulators take a closer look at how these organizations are protecting customers.
In June the Federal Financial Institutions Examination Council released an update to 2005 guidance recommending a risk-based approach and telling institutions to provide periodic assessments in response to new threats. The supplement stresses the need for performing risk assessments, implementing effective strategies for mitigating identified risks and raising customer awareness of potential risks. But it does not endorse any specific technology.
The guidance, however, recognizes the emergence of malware and more sophisticated man-in-the-middle and man-in-the-browser attacks. The attacks can circumvent one-time pass code tokens and the report recommends anti-malware software, transaction monitoring, out-of-band authentication and secure USB devices.
Starting in January examiners will assess banks under the new guidance. Still there’s some question as to what penalties will be dealt to institutions lacking appropriate security.
“I compare the FFIEC guidance to mall cops or the old school British cops that had only clubs yelling ‘stop! Or I’ll yell stop again!’” explains Adam Dolby, eBanking manager for the Americas at Gemalto. “So what if you don’t? What it could do is add to penalties for other infractions, but nothing is specified. The absence of penalty also underscores what it is: guidance, not regulation–which has penalties spelled out.”
Since it’s other government agencies that do the reviews there are possible penalties, says Kevin Bocek, vice president of marketing at IronKey Inc. “The FFIEC doesn’t do the audits, so the ultimate penalty is for an examining body such as the FDIC to issue a cease and desist order for online banking,” he says. “The more likely penalties are more frequent examinations, probing questions and longer exams.”
Already seeing results
It was 2009 when First Midwest decided to move forward with stronger authentication for its commercial clients, Solis explains. After more than a year of reviewing different technologies the bank decided to go with one-time pass code tokens. But only a couple of weeks after issuance, one provider’s tokens were compromised and the bank opted to go another route.
Commercial, high-net worth and municipal clients are using the authentication technology from PhoneFactor to initiate wire transfers or automated clearinghouse transactions.
When a transfer or ACH is initiated, the system calls the user at the pre-registered phone number and requests their PIN. The unique ID number is entered into the phone, and if confirmed,the customer is allowed to proceed with the transaction.
To register customers, First Midwest worked with PhoneFactor on some communications material, Solis says. But overall the process was fairly simple. “We had more than 500 customers signed up in a couple of weeks,” he adds.
And it didn’t take long to see results. A couple of weeks after the deployment a customer was contacted asking for their PIN as a hacker was trying to transfer money out of their account, Solis says. The customer notified the bank and the theft was thwarted.
Other banks are also being proactive. Guaranty Bank and Trust Company deployed technology from IronKey to protect its corporate customers, says Mike Justice, senior vice president and manger of operations at the Denver-based financial institution.
In 2010 Justice was reading more and more about the various attacks against banks and their customers. In his research it seemed the most common problem was customers with infected computers. “Clients are very good at what they do but they don’t necessarily take care of their technology,” Justice says.
Previously the FBI recommended that businesses dedicate a computer solely for online banking, Justice says. This is an ideal situation, but the cost makes it less than realistic for many of Guaranty’s clients.
Guaranty started investigating different solutions in 2011 that would protect the browser and prevent man-in-the-middle attacks, Justice says. The bank’s online Web provider was integrating with one-time pass code tokens but Guaranty felt they could provide a more secure option.
A cold call from IronKey brought the two together, Justice says. That led to conference calls, demos and finally a rollout. The company provides a USB drive that stores an isolated Web browser used just for online banking. The USB device is essentially a computer used only for online banking as the FBI recommended.
Customers plug the keyfob into the computer and a secure Web browser is launched and the bank’s Web site automatically launches. User name and password are entered and the individual conducts desired transactions. When they’re done the drive is removed from the PC and the session closes. With IronKey’s technology everything is contained on the drive and it’s locked down so viruses and malware can’t attack it and access data.
Guaranty has rolled out 400 of the drives since November, Justice says. Depending on the customer the issuance was a different experience. “We have both small mom and pop shops that work out of their home and larger companies with several hundred employees so we had to approach them differently,” Justice explains.
The overall message, however, was one of help. “We came to them and said, ‘it’s a nasty world out there and we want to help you protect yourself,’” Justice says.
Thus far the feedback has been good, Justice says. There have been come companies that don’t have USB drives on their machines so Ironkey’s software-based solution has been deployed.
Guaranty is also looking at possible revenue generating opportunities with the IronKey devices, Justice says. Since the bank controls the IronKey environment other sites could be added for secure access and the bank could charge for it.
While First Midwest and Guaranty have deployed solutions to help protect their commercials customers, they’re in the minority. “In our estimate 10% or less were truly compliant with the latest FFIEC recommendations at the start of 2012,” says Ironkey’s Bocek.
It’ll most likely be the second half of 2012 before a large number of banks roll out additional fraud protection systems, Bocek says. “Banks need multiple layers of security,” he explains. “They need secure browsing, out-of-band authentication and enhanced capabilities to analyze and protect from fraud.”
While it may seem like many banks have little Fife-size dog bowls in front now that will change as 2012 progresses and more institutions get bigger and badder dogs to watch the front door.
Gemalto rolls out FFIEC product
Gemalto has taken the traditional USB key used for secure browsing and tweaked it for secure online banking. The Ezio Plug and Sign is aimed at the corporate bank customer to tackle automated clearinghouse and wire transfer fraud.
The entire browsing experience is contained on the USB drive so it can’t be infected with malware, says Adam Dolby, Gemalto’s eBanking manager for the Americas. It integrates a smart card secure microprocessor and operating system that is built on Gemalto’s Ezio technology already used by more than 40 million bank customers worldwide.
The customer plugs the USB device into any computer, and Ezio launches a secure online portal enabling the customer to review, approve and sign a variety of banking transactions. The user enters a PIN when first logging on to the site and uses that same PIN to transfer funds. The drive itself will blink when a transfer is requested and the customer is required to push a button on the drive as a further authentication mechanism.
Other services can also be offered to extend the device’s versatility, including secure email, secure electronic bank account management and secure statement viewing.
Mastercard, visa reveal details on emv and nfc for u.s.
January was a busy month for Visa USA and MasterCard as both organizations revealed their individual visions for the future of payments.
Visa revealed details on the U.S. EMV rollout, which won’t be chip and PIN but instead a new technology that takes advantage of the online infrastructure available in the U.S., according to Stephanie Ericksen, head of Authentication Product Integration at Visa USA.
In the U.S. payment transactions are authorized in real time. In other countries this connectivity doesn’t exist which brings up the need for a PIN for further authorization.
“At the time EMV was created, the cost and complexity of connecting a merchant POS device to some telecommunication networks was prohibitive. The way around that was to introduce ‘floor limits’ and create a magnetic stripe alternative–EMV chip-and-PIN–as a counter to potential fraud,” writes Ericksen.
Going with a yet-to-be-defined ‘online-only EMV’ system should make deployment easier and less expensive.
MasterCard introduced a road map focused on advancing the U.S. electronic payments system. The map, which includes the path for migration from magnetic stripe to EMV technology available on chip cards, will serve as the foundation for the next generation of products and services.
As payments evolve to include new devices and new channels, such as mobile and eCommerce, the road map takes steps to address how consumers shop, providing them greater security and control in their payment choices and the potential to integrate loyalty programs and offers into the purchasing experience.
“We’re moving toward a world beyond plastic, where consumers will shop and pay in a way that best fits their needs and lifestyles with a simple tap, click or touch in-store, online or on a mobile device,” said Chris McWilton, president of U.S. Markets at MasterCard. “Our road map represents a transformational shift in the approach to payments and is not simply about EMV chip-and-PIN. We’re focused on readying the ecosystem to drive future innovation and provide new consumer experiences to enhance the value of electronic payments. ”
Elements of the MasterCard road map include:
- Solidify EMV as the foundation for the next generation of payments
- Work with acquirers to ensure infrastructure readiness by April 2013
- Encourage greater security and cardholder verification to reduce fraudulent transactions
- Provide financial benefits for merchant implementing EMV-compatible terminals
- Address all touch points where consumers interact with MasterCard, including ATMs, the physical point-of-sale, online and mobile commerce
As issuers evolve their offering and merchants upgrade their terminals, the payments system will become more secure as dynamic data is introduced into the payment transaction.
In its road map, MasterCard supports the need for the payments ecosystem to be aligned regarding the implementation of EMV standards in the U.S. The company has indicated it will support current industry timelines to minimize disruption and to maximize investments.