Putting an End to Account-Hijacking Identity Theft

The Use of Technology to Mitigate Account-Hijacking Identity Theft
As discussed previously, account hijacking can be perpetrated in a number of ways. It can also be mitigated in a number of ways, that is, through the use of several different technologies.55 Computer security experts recommend a layered approach to computer security because no single security technique is foolproof or sufficient to prevent identity theft. This section examines three types of technologies that, implemented at various levels, could be used to mitigate the risk of identity theft generally and account hijacking specifically:
  • Scanning tools
  • E-mail authentication
  • User authentication.
Each technology is evaluated based upon ease of implementation, portability, effectiveness, and ease of customer use. A chart at the end of each section contains the ratings. All ratings are relative, comparing each technology only to others included in the study. The study does not attempt a cost comparison because hardware and software costs vary greatly depending on the quantity purchased and other business relationships that may exist between the buyer and seller.

Scanning Tools
The scanning tools discussed here are scanning software and server-log analysis.56 These techniques are referred to as "presumptive forensics," that is, using investigative techniques to find potential problems.57
    Scanning Software
    Scanning software continuously scans millions of Internet Web sites looking for indications that the financial institution may be the target of a phishing attack.

    What is it and how does it work?
    Scanning software continuously scans the Internet for occurrences of the institution's name, brands, trademarks, and slogans. The software also surveys, on a daily basis, Internet domain name servers (DNS) for like names that match specific alert patterns. The scanning software then examines the home page of any identified Web site for text matching the specified alert patterns. It also searches the Internet for secure sockets layer (SSL) certificate common names. The scanning software reports back the names of the servers and the domain names that contain content similar to the financial institution's legitimate Web site.
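
The name-matching step described above can be sketched as follows. This is an added example, not code from the study or from any scanning product; the brand string, the allow-list, the substitution table, and the observed names are all constructed, and the same function can be fed DNS names or SSL certificate common names.

```python
import re

# Constructed alert pattern and allow-list for a hypothetical "Example Bank".
BRAND = "examplebank"
LEGITIMATE = {"examplebank.com"}

# Character substitutions often used in look-alike names (assumed, not exhaustive).
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample of newly observed domain names / certificate common names.
OBSERVED = [
    "www.examplebank.com",               # the institution's own site
    "examp1ebank-secure.com",            # digit substitution plus a suffix
    "exarnplebank.com",                  # "rn" standing in for "m"
    "examplebank.com.login-verify.net",  # brand used as a subdomain
    "exampelbank.net",                   # transposed letters
    "gardening-tips.org",                # unrelated
]


def normalize(label):
    """Fold a DNS label to a comparable skeleton of lowercase letters."""
    label = label.lower().translate(DIGIT_SWAPS)
    label = label.replace("rn", "m").replace("vv", "w")
    return re.sub(r"[^a-z]", "", label)


def edit_distance(a, b):
    """Levenshtein distance computed with two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name, max_distance=2):
    """Return an alert reason for a name, or None if it does not match."""
    labels = name.lower().rstrip(".").split(".")
    # Simplification: the last two labels are treated as the registered domain
    # (no public-suffix handling, so names under e.g. co.uk need extra care).
    if ".".join(labels[-2:]) in LEGITIMATE:
        return None
    for label in labels[:-1]:
        skeleton = normalize(label)
        if BRAND in skeleton:
            return "brand-in-name"
        if edit_distance(skeleton, BRAND) <= max_distance:
            return "near-match"
    return None


def scan(names):
    """Return (name, reason) pairs for every name that matches an alert pattern."""
    hits = []
    for name in names:
        reason = classify(name)
        if reason:
            hits.append((name, reason))
    return hits


if __name__ == "__main__":
    for name, reason in scan(OBSERVED):
        print(f"{reason:14} {name}")
```

Names flagged this way are candidates for review; the home-page content comparison the study describes would be the next step.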

    Effectiveness/Protection
    Scanning software helps financial institutions identify Web sites that may be pretending to be the financial institution or may be implying that the site has a legitimate relationship with the financial institution when in fact it does not.58 Although scanning software is not foolproof, it can alert users to potentially fraudulent Web sites that have been set up to perpetrate account-hijacking fraud.

    Ease of use and requirements
    A financial institution can purchase and run scanning software itself, or can outsource this service to an independent service provider. In many cases, smaller financial institutions may choose to outsource this service.

    Ratings for Scanning Software

    Implementation | Portability | Effectiveness | Ease of Use (Customer)
    Easy | N/A | Moderate | N/A

    Server Log Analysis Software
    Server log analysis software is similar to the scanning software discussed above, except that it scans and analyzes the financial institution's own servers.

    What is it and how does it work?
    Server logs provide substantial information about the day-by-day activities of a computer network, and timely analysis of the logs can help an institution detect suspicious activity that may indicate that the institution is the victim of a phishing attack. However, server logs are voluminous, and reviewing them is time-consuming. Software can analyze web server logs in a matter of minutes and organize the information so a network administrator could detect a phishing scam before it went into effect.

    Effectiveness/Protection
    Server log analysis software may allow institutions not only to detect fraudsters as they plan their phishing attacks but also to alert the institutions' customers and even prevent an attack before it starts. The software can allow administrators to observe the development of the suspected phishing site, test hijacked accounts, and identify suspected phishers.
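
One pattern such software can look for, shown here as an added example that is not from the study or any product: requests for the institution's own images and style sheets whose Referer header names a foreign host, which is what the logs show when another site embeds the institution's branding. The choice of heuristic, the host names, and the log lines (combined log format, documentation IP ranges) are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

OWN_HOSTS = {"www.examplebank.com", "examplebank.com"}  # assumed site names
ASSET_RE = re.compile(r"\.(?:gif|jpe?g|png|css|ico)(?:\?|$)", re.I)
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample log lines.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Oct/2004:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Oct/2004:09:14:03 +0000] "GET /img/logo.gif HTTP/1.1" 200 2048 "http://www.examplebank.com/index.html" "Mozilla/4.0"
203.0.113.9 - - [12/Oct/2004:11:02:40 +0000] "GET /img/logo.gif HTTP/1.1" 200 2048 "http://examplebank-login.example.net/verify.html" "Mozilla/4.0"
203.0.113.9 - - [12/Oct/2004:11:02:41 +0000] "GET /css/site.css HTTP/1.1" 200 900 "http://examplebank-login.example.net/verify.html" "Mozilla/4.0"
192.0.2.44 - - [12/Oct/2004:11:30:12 +0000] "GET /img/logo.gif HTTP/1.1" 200 2048 "http://examplebank-login.example.net/verify.html" "Mozilla/4.0"
192.0.2.80 - - [12/Oct/2004:12:00:00 +0000] "GET /img/logo.gif HTTP/1.1" 200 2048 "http://search.example.org/images?q=bank" "Mozilla/4.0"
""".splitlines()


def referer_host(referer):
    """Host part of a Referer value; empty for '-', blank, or malformed input."""
    try:
        return (urlsplit(referer).hostname or "").lower()
    except ValueError:
        return ""


def foreign_asset_referers(lines, min_hits=2):
    """Group asset requests by foreign referring host, most active first."""
    stats = defaultdict(
        lambda: {"hits": 0, "clients": set(), "assets": set(), "first_seen": None}
    )
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not ASSET_RE.search(m["path"]):
            continue  # unparseable line, or not a branding asset
        host = referer_host(m["referer"])
        if not host or host in OWN_HOSTS:
            continue  # direct request or our own pages
        entry = stats[host]
        entry["hits"] += 1
        entry["clients"].add(m["ip"])
        entry["assets"].add(m["path"])
        entry["first_seen"] = entry["first_seen"] or m["ts"]
    # min_hits suppresses one-off referers such as image searches or webmail.
    report = [dict(host=h, **e) for h, e in stats.items() if e["hits"] >= min_hits]
    return sorted(report, key=lambda r: -r["hits"])


if __name__ == "__main__":
    for row in foreign_asset_referers(SAMPLE_LOG):
        print(row["host"], row["hits"], sorted(row["clients"]), row["first_seen"])
```

The earliest client seen for a flagged host is often the page being assembled or tested, and later distinct clients are likely recipients of the lure, which is the timeline an administrator needs for customer notification.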

    Ease of use and requirements
    Those who review the reports produced by the log analysis software must be trained. Alternatively, the review may be outsourced. The software does not require complex implementation and can be installed as a stand-alone application. The software can easily be adjusted for any new pattern of attacks and for any type of server.

    Ratings for Log Analysis
    Implementation | Portability | Effectiveness | Ease of Use (Customer)
    Easy | N/A | High | N/A

E-Mail Authentication (Sender ID)
As discussed above, deceptive e-mails that appear to be from the consumer's financial institution are often the first step in a phishing attack that can ultimately lead to account hijacking. These e-mails can be made to look as if they are from the customer's financial institution, or the institution's address can actually be forged by a technique called "domain spoofing." In either case, consumers are tricked into divulging confidential information to a fraudster, and the information is used to hijack the consumers' accounts. This deception is made possible by the fact that Internet e-mail was not originally designed to authenticate the identity of the sender. E-mail can be authenticated, but implementing this solution is beyond the capability of any one party. Rather, e-mail authentication (Sender ID) requires the cooperation of software vendors, ISPs, and the Internet Engineering Task Force (IETF).

Sender ID is a combination of Microsoft's proposal for caller ID for e-mail, the sender policy framework (SPF), and a third specification called the submitter optimization.59 The Sender ID technical specifications were recently submitted for review and approval, but the IETF rejected them on September 15, 2004. While it is unclear what effect this action will have, at least one large ISP has indicated that it is going to implement SPF and some software vendors have indicated they support Sender ID despite the IETF's decision.
    What is it and how does it work?
    Sender ID verifies that each e-mail message originates from the Internet domain from which it claims to come by comparing the claimed address to the sender's actual server Internet Protocol (IP) address. Sender ID has the potential to change the entire Internet e-mail distribution system. All e-mail distributors would have to adjust the way they process their e-mail. The following is a brief step-by-step description of how Sender ID works:
    • The sender sends an e-mail message to the recipient.
    • The recipient's inbound mail server receives the e-mail.
    • The recipient's server checks in the DNS record for the published SPF record of the sending domain.
    • The inbound e-mail server determines if the sending e-mail server's IP address matches the IP address that is published in the DNS record.
    • If the addresses match, the e-mail is forwarded to the recipient. If not, the e-mail is rejected and the intended recipient never receives it.
    This proposed standard would also be able to detect an attempt by a fraudster to register a domain name that closely resembled the name of a financial institution or other transactional Web site.
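
The DNS lookup and address comparison in the steps above can be sketched as a simplified SPF evaluation. This is an added example, not part of the study and not a complete SPF or Sender ID implementation: it handles only the ip4, ip6, include and all mechanisms, the TXT_RECORDS table is a constructed stand-in for DNS so the code runs offline, and the "quarantine" outcome for inconclusive results is an assumed local policy.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (domains and addresses are samples).
TXT_RECORDS = {
    "examplebank.com": "v=spf1 ip4:192.0.2.0/28 include:mailer.example.net -all",
    "mailer.example.net": "v=spf1 ip4:198.51.100.25 ~all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps mechanisms that trigger further DNS queries


def check_host(client_ip, domain, _budget=None):
    """Evaluate the sending server's IP against the domain's published record."""
    budget = _budget if _budget is not None else [MAX_LOOKUPS]
    record = TXT_RECORDS.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # the domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the record
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many nested lookups
            inner = check_host(client_ip, arg, budget)
            if inner == "pass":
                return RESULTS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            # a, mx, exists, redirect and macros are valid SPF but not handled here.
            return "permerror"
    return "neutral"  # no mechanism matched and the record has no "all"


def receiver_action(client_ip, claimed_domain):
    """Map the check result to what the inbound mail server does."""
    result = check_host(client_ip, claimed_domain)
    # pass -> forward to the recipient, fail -> reject, as in the steps above;
    # anything inconclusive is quarantined (assumed policy, not from the study).
    action = {"pass": "deliver", "fail": "reject"}.get(result, "quarantine")
    return action, result


if __name__ == "__main__":
    for ip in ("192.0.2.5", "198.51.100.25", "203.0.113.77"):
        print(ip, receiver_action(ip, "examplebank.com"))
```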

    Effectiveness/Protection
    Eliminating domain spoofing will help legitimate senders protect their domain names and reputations and will help recipients more effectively identify and filter out phishing e-mails (as well as other types of spam). In addition, once phishers and spammers are forced to buy their own domain names, it will be easier to track them down.

    Ease of use and requirements
    Sender ID will not require a change in the way users use e-mail. The filtering will be done by the ISP.

    Ratings for Sender ID
    Implementation | Portability | Effectiveness | Ease of Use (Customer)
    Easy | Yes | High | Easy

User Authentication
Authentication is the means of verifying the identity of a person or entity. It can also be used to verify that information received has not been altered. Closely associated and often confused with authentication is authorization, which determines the level of rights and privileges available to the authenticated user. Tying authentication and authorization together is referred to as identity management.

Generally the way to authenticate the user is to have the user present some sort of credential to prove his or her identity. A credential is generally one or more of the following:
  • Something a person knows, most commonly a password. If the user types in the correct password, access is granted.
  • Something a person has, most commonly a physical device referred to as a token. The user must physically connect the token to the computer in order to be granted access. Thus, tokens often require the user's computer to be outfitted with specific hardware to accept the token.
  • Something a person is, most commonly a physical characteristic, such as a fingerprint, voice pattern, hand geometry, or the pattern of veins in the user's eye. This type of authentication is referred to as biometrics and often requires the installation of specific hardware on the system to be accessed.
Single-factor authentication involves the use of one of the three authentication credentials listed above, most commonly a password. Single-factor authentication is very common and is the method used by the vast majority of financial institutions for granting customers access to Internet-banking applications and by the vast majority of businesses for granting employees access to computer networks. The main problem with single-factor authentication is that passwords, the most commonly used factor, are often easy to guess, steal, or crack, and once a password is compromised the thief has the same access rights as the legitimate user. In addition, the legitimate user may not even know that his or her password has been compromised, since usually no physical evidence of the compromise exists.

The initial section of this study has documented the monetary damage that can be inflicted when passwords are compromised. The rise in account hijacking suggests that traditional single-factor authentication may not be adequate in today's online world.

Two-factor authentication has the potential to eliminate, or significantly reduce, account hijacking. Two-factor authentication uses two of the three types of credentials mentioned above (something a person knows or has or is) for establishing the user's identity. Two-factor authentication is most widely used today in connection with ATMs. To withdraw money from an ATM, the user must present both an ATM card (something the person has) and a password or PIN (something the person knows). A fraudster who succeeds in stealing just one or the other will not be able to pose as the legitimate account owner and access the ATM. Two-factor authentication can also involve the combination of a password (something a person knows) and a biometric (something a person is). Biometric authenticators (as well as tokens, which are something you have) are unique and not easily duplicated and can be disabled, so their ability to serve as an authentication device can be quickly revoked.60 Two-factor authentication is significantly more secure than single-factor authentication because the compromise of one factor would not be enough to permit a fraudster to access the system and the additional factor (usually a token or biometric identifier) is extremely difficult to compromise. Almost all the phishing scams in use today could be thwarted by the use of two-factor authentication.

Most two-factor authentication systems use shared secrets, tokens (USB token devices, smart cards, or password-generating tokens), or biometrics.
    Shared Secrets
    Shared secrets are questions that are asked during the authentication process, the answers to which a fraudster would be unlikely to know (e.g., the exact amount of the user's monthly mortgage payment).61 The questions may also be obscure, such as "which of these addresses is familiar to you?" However, as more and more information is collected in diffuse databases, the reliability of this technique comes into question. One person's obscure knowledge may be another person's public information, in which case more or different questions are needed. Or the information may be so obscure that the legitimate user would not be able to enter the correct answer in the requisite amount of time.

    A newer shared-secret technique that may alleviate the problems of obscurity is being introduced into the market: a secret that is shared only between the institution and the user. This method would authenticate the site to the user by displaying the shared secret so that the user would know it was safe to enter his or her password.

    What is it and how does it work?
    A shared secret is a type of authentication that validates the Web site to the user by means of a shared secret that is unique to the user. At enrollment, the user selects an image from an image pool provided by the institution's Web site. Users can then change their shared secrets, just as they can change their passwords, by selecting a different one from the image pool or by uploading their own image. The image is displayed at the site before the user logs in. A fraudulent Web site would not display the pre-selected image, which is different for each user.

    Effectiveness/Protection
    Shared secrets can be an effective way to authenticate Web sites to users and can also be used to authenticate e-mails by embedding the shared-secret graphics in the e-mails themselves. The disadvantage of this method is that it is susceptible to man-in-the-middle attacks62, where the fraudster successfully impersonates the user and gains access to the shared secret.

    Ease of use and requirements
    Graphic shared secrets are simple to use, yet effective. Users need to be educated to understand that if their selected image does not appear, the Web site is a fake. This solution to the problem of user authentication requires no additional user hardware.

    Ratings for Shared Secrets
    Implementation | Portability | Effectiveness | Ease of Use (Customer)
    Easy | Yes | Moderate | Easy

    Tokens
    Three types of tokens are discussed here: the USB token device, the smart card, and the password-generating token.

    USB Token Device: What is it and how does it work?
    The USB token device is the size of a house key. It plugs directly into a computer's USB port and therefore does not require the installation of any special hardware on the user's computer. A USB token usually contains a microprocessor and uses strong encryption to communicate with the various security applications on the user's computer. Once the USB token is recognized, the user is prompted to enter his or her password (the second authenticating factor) in order to gain access to the computer system.

    Effectiveness/Protection
    USB tokens are one-piece, injection molded devices. If a token is forced open in an attempt to compromise it, the microprocessor becomes useless. The device has the ability to store digital certificates in the secure flash memory area that can be used in a public key infrastructure (PKI) environment.

    Ease of Use and Requirements
    The USB token is extremely user-friendly. Its small size makes it easy for the user to carry and, as noted above, it plugs into an existing USB port; thus the need for additional hardware is eliminated.

    Ratings for USB Token Devices
    Implementation | Portability | Effectiveness | Ease of Use (Customer)
    Easy | Yes | High | Easy

    Smart Card: What is it and how does it work?
    A smart card is the size of a credit card, easy to carry, and hard to duplicate. Like a USB token, a smart card contains a microprocessor that enables it to store and process data. Inclusion of the microprocessor enables software developers to use more robust authentication schemes. To be used, a smart card must be inserted into a compatible reader attached to the user's computer. If the smart card is recognized as valid (first factor), the user is prompted to enter his or her password (second factor) to complete the authentication process.63

    Effectiveness/Protection
    Smart cards are hard to duplicate and tamper resistant; thus, they are a relatively secure vehicle for storing sensitive data and credentials.

    Ease of use and requirements
    Smart cards are easy to carry and easy to use. Their primary disadvantage as a consumer authentication device is that they require the installation of a hardware reader and associated software drivers on the consumer's home computer.

    Ratings for Smart Cards
    Implementation | Portability | Effectiveness | Ease of Use (Customer)
    Moderate | No | High | Easy

    Password-Generating Token: What is it and how does it work?
    A password-generating token produces a unique pass-code (also known as a one-time password [OTP]) each time it is used. The token eliminates the need to memorize passwords and ensures that the same password is never used twice, so stealing a password is useless. The OTP is displayed on a small screen on the token. The user first enters his or her user name and regular password (first factor), followed by the OTP generated by the token (second factor). The user is authenticated if (1) the regular passwords match and (2) the OTP generated by the token matches the password on the authentication server. A new OTP is typically generated every 60 seconds (in some systems, every 30 seconds). This very brief period is the life span of that password.64 OTP tokens generally last 4 to 5 years before they need to be replaced.65

    Effectiveness/Protection
    Password-generating tokens are secure because of the time-sensitive, synchronized nature of the authentication. The randomness, unpredictability, and uniqueness of the OTPs prevent cyber thieves from using information gained from keyboard logging.
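
The time-synchronized check described above, with both factors, can be sketched as follows. This is an added example, not from the study; it uses the openly specified HOTP/TOTP construction (RFC 4226 and RFC 6238) as a stand-in, since the study does not say which algorithm commercial tokens use, and the secret, salt, password, and clock-drift allowance are constructed assumptions.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the 60-second code lifetime described above

# Constructed sample secret shared by the token and the server (RFC 4226 test key).
TOKEN_SECRET = b"12345678901234567890"


def one_time_password(secret, counter, digits=6):
    """HOTP truncation from RFC 4226, applied here to a time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def token_display(secret, now):
    """What the token's screen shows at Unix time `now`."""
    return one_time_password(secret, int(now) // STEP_SECONDS)


class AuthServer:
    """Checks the regular password first, then the OTP for the current step."""

    def __init__(self, password, token_secret, drift_steps=1):
        self._salt = b"constructed-salt"  # a per-user random salt in practice
        self._pw_hash = self._hash(password)
        self._secret = token_secret
        self._drift = drift_steps  # tolerated clock drift, in steps (assumed)
        self._last_counter = -1    # highest time step already accepted

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _otp_ok(self, otp, now):
        current = int(now) // STEP_SECONDS
        first = max(0, current - self._drift)
        for counter in range(first, current + self._drift + 1):
            if counter <= self._last_counter:
                continue  # never accept the same or an older code twice
            expected = one_time_password(self._secret, counter)
            if hmac.compare_digest(expected.encode(), otp.encode()):
                self._last_counter = counter
                return True
        return False

    def login(self, password, otp, now):
        if not hmac.compare_digest(self._hash(password), self._pw_hash):
            return False  # first factor failed; the OTP is not consumed
        return self._otp_ok(otp, now)


if __name__ == "__main__":
    server = AuthServer("correct horse", TOKEN_SECRET)
    code = token_display(TOKEN_SECRET, 75)
    print("first use :", server.login("correct horse", code, 75))
    print("replay    :", server.login("correct horse", code, 80))
    print("expired   :", server.login("correct horse", code, 420))
```

A keystroke logger that captures both the password and one code gains nothing reusable: the replayed code is refused within its own minute and no longer matches afterwards.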

    Ease of use and requirements
    OTPs are user-friendly for the end user, but administering them may be cumbersome for the financial institution.

    Ratings for Password Generating Tokens
    Implementation | Portability | Effectiveness | Ease of Use (Customer)
    Difficult | Yes | High | Easy

    Biometrics
    Biometric technologies identify or authenticate the identity of a living person on the basis of a physiological or physical characteristic. Physiological characteristics are things like fingerprints, iris configuration, and facial structure. Physical characteristics include, for example, the rate and flow of movements, such as the pattern of data entry on a computer keyboard. The process of introducing people into a biometrics-based system is called "enrollment." In enrollment, samples of data are taken from one (or more) of our physiological or physical characteristics; the samples are converted into a mathematical model, or template; and the template is registered into a database on which a software application can perform analysis.

    Once enrolled, users interact with the live-scan process of the biometrics technology. The live scan is used to identify and authenticate the user. The results of a live scan, such as a fingerprint, are compared with the registered templates stored in the system. If there is a match, the user is authenticated and granted access.

    The National Institute of Standards and Technology (NIST) has developed standards to support biometric technologies. NIST has created a Common Biometric Exchange File Format (CBEFF) standard used to describe a set of data elements necessary to support biometric technologies. The CBEFF provides industry standards to:
    • Facilitate the interchange of biometric data between different system components or between systems
    • Promote the interoperability of biometric-based application programs and systems
    • Provide forward compatibility for technology improvements
    • Simplify the process of integrating software and hardware.

    The comparison of the authentication sample to the stored template does not yield results that are 100 percent accurate. Most biometric applications can be adjusted to achieve different levels of accuracy and error rates. There are two classes of errors that must be considered:
    • False Acceptance Rate (FAR): the probability that the system will accept a false biometric credential as legitimate.
    • False Reject Rate (FRR): the probability that the system will reject a valid biometric credential.

    The sensitivity of the data and the security environment in which biometric technologies will be implemented will dictate appropriate deviation standards, FRRs, and FARs. For instance, admittance to a Department of Defense classified database would require different security and authentication standards as compared to accessing a retail Web site. Biometric identifiers are generally not used as a single factor to authenticate individuals due to the difficulty of accurately tuning the system to avoid unreasonably high FARs or FRRs. They are more commonly used as part of a two-factor authentication system, being combined with a password (something a person knows) or a token (something a person has).

    Some of the most common biometric technologies include:
    • Fingerprint recognition
    • Face recognition
    • Voice recognition
    • Keystroke recognition
    • Handwriting recognition
    • Finger and hand geometry
    • Retinal scan
    • Iris scan.

    Biometric technologies should be considered and evaluated giving full consideration to the following characteristics:
    • Universality: Every person should have the characteristic. People who are mute or without a fingerprint will need to be accommodated in some way.
    • Uniqueness: Generally, no two people have identical characteristics. However, identical twins are hard to distinguish.
    • Permanence: The characteristics should not vary with time. A person's face, for example, may change with age.
    • Collectibility: The characteristics must be easily collectible and measurable.
    • Performance: The method must deliver accurate results under varied environmental circumstances.
    • Acceptability: The general public must accept the sample collection routines. Nonintrusive methods are more acceptable.
    • Circumvention: The technology should be difficult to deceive.

    Each of the biometric technologies has inherent strengths and weaknesses. This study does not discuss finger and hand geometry, retinal scan, iris scan, or handwriting recognition because, in their current state of development, they are not practical for use by financial institution customers seeking to remotely log in to their institution's Internet-banking system. The four biometrics chosen for discussion are:
    • Fingerprint recognition
    • Face recognition
    • Voice recognition
    • Keystroke recognition.

    Fingerprint Recognition: What is it and how does it work?
    Fingerprint technologies analyze global pattern schemas on the fingerprint, along with small unique marks known as minutiae, which are the ridge endings and bifurcations or branches in the fingerprint ridges. The data that are extracted from fingerprints are extremely dense; the density explains why fingerprints are a very reliable means of identification. Fingerprint recognition systems store only data describing the exact fingerprint minutiae; images of actual fingerprints are not retained. Fingerprint scanners may be built into computer keyboards or pointing devices (mice), or may be stand-alone scanning devices attached to a computer. Below is an image of a fingerprint with characteristic labels.

    [Figure: a fingerprint with characteristic labels]

    Effectiveness/Protection
    Fingerprints are unique, and they are complex enough to provide a robust template for authentication. Using multiple fingerprints from the same individual affords a greater degree of accuracy. Fingerprint identification technologies are considered to be among the most mature and accurate of the various biometric methods of identification.

    Ease of use and requirements
    Although end users should have little trouble using a fingerprint scanning device, this special piece of hardware, in addition to certain application software, must be installed on the user's computer. Financial institution fingerprint implementation will vary according to vendor and degree of sophistication required. This technology is not portable since a scanning device needs to be installed on each participating user's computer. However, fingerprint biometrics is generally considered easier to install and use than other, more complex technologies, such as iris scanning.66 Enrollment can be performed either at the financial institution's customer service center or by the customer remotely after he or she has received setup instructions and passwords. According to fingerprint technology vendors, there are several scenarios for remote enrollment that provide adequate security, but for large-dollar transaction accounts, the institution may request that customers appear in person.

    Ratings for Fingerprint Recognition
    Implementation | Portability | Effectiveness | Ease of Use (Customer)
    Moderate | No | High | Easy

    Face Recognition: What is it and how does it work?
    Most face recognition systems focus on specific features on the face and make a two-dimensional map of the face. Newer systems make three-dimensional maps. The systems capture facial images from video cameras and generate templates that are stored and used for comparisons. Face recognition is a fairly young technology compared with other biometrics like fingerprints.

    [Figure: an image of a face with numbered labels]

    One face recognition technology, referred to as local feature analysis, looks at specific parts of the face that do not change significantly over time, such as:
    • Upper sections of eye sockets
    • Area surrounding cheek bones
    • Sides of mouth
    • Distance between eyes.
    Data such as the distance between the eyes, the length of the nose, or the angle of the chin contribute collectively to the template.

    A second method of face recognition is called the eigenface method. It looks at the face as a whole. A collection of face images is used to generate a two-dimensional gray-scale image to produce the biometric template.

    Effectiveness/Protection
    Facial scans are only as good as the environment in which they are collected. The so-called mug-shot environment is ideal. The best scans are produced under controlled conditions with proper lighting and proper placement of the video device. As part of a highly sensitive security environment, there may be several cameras collecting image data from different angles, producing a more exact scan sample. Certain facial scanning applications also include tests for liveness, such as blinking eyes. Testing for liveness reduces the chance that the person requesting access is using a photograph of an authorized individual.

    Facial recognition, like all biometrics, produces results based on probabilities. Once the live scan is performed and compared with the template database, positive identifications are produced according to the level of accuracy set in the system. If the system is set to accept only a match that is determined to be 100 percent accurate, with no margin of error, the rejection rate increases dramatically. As accuracy variables decrease below 100 percent, rejection rates decrease likewise. Facial recognition is generally subject to larger margins of error than more established biometrics, such as fingerprint recognition. Financial institutions considering the use of face recognition for customer authentication should carefully evaluate the adverse consequences of an unacceptably high FAR or FRR.

    Ease of use and requirements
    Facial scanning is considered one of the easiest biometrics to use. A portable web cam sitting on a desktop computer will suffice. The connecting system must be able to support the web cam and must be loaded with software to create the template and communicate with the authenticating system. The technique is nonintrusive, and user acceptance is typically high.

    Ratings for Face Recognition
    Implementation | Portability | Effectiveness | Ease of Use (Customer)
    Moderate | No | Moderate | Easy


    Voice Recognition: What is it and how does it work?
    Voice biometrics works by digitizing a profile of a person's speech to produce a stored model voice print, or template. Biometric technology reduces each spoken word to segments composed of several dominant frequencies called formants. Each segment has several tones that can be captured in a digital format. The tones collectively identify the speaker's unique voice print. Voice prints are stored in databases in a manner similar to the storing of fingerprints or other biometric data.

    To ensure a good-quality voice sample, a person usually recites some sort of text or pass phrase, which can be either a verbal phrase or a series of numbers. The phrase may be repeated several times before the sample is analyzed and accepted as a template in the database. When a person speaks the assigned pass phrase, certain words are extracted and compared with the stored template for that individual. When a user attempts to gain access to the system, his or her pass phrase is compared with the previously stored voice model.
    Some voice recognition systems do not rely on a fixed set of enrolled pass phrases to verify a person's identity. Instead, these systems are trained to recognize similarities between the voice patterns of individuals when the persons speak unfamiliar phrases and the stored templates.

    Effectiveness/Protection
    A person's speech is subject to change depending on health and emotional state. Matching a voice print requires that the person speak in the normal voice that was used when the template was created at enrollment. If the person suffers from a physical ailment, such as a cold, or is unusually excited or depressed, the voice sample submitted may be different from the template and will not match. Other factors also affect voice recognition results. Background noise and the quality of the input device (the microphone) can create additional challenges for voice recognition systems. If authentication is being attempted remotely over the telephone, the use of a cell phone instead of a landline can affect the accuracy of the results. Voice recognition systems may be vulnerable to replay attacks: if someone records the authorized user's phrase and replays it, that person may acquire the user's privileges. More sophisticated systems may use liveness testing to determine that a recording is not being used.

    Ease of use and requirements
    Consumer voice recognition systems are typically inexpensive and user-friendly. Most computer systems are equipped to support a microphone used to develop a voice template and later to collect the authentication request. Voice recognition is more often used in an environment in which voice is the only available biometric identifier, such as in telephony and call-center applications. Voice recognition systems have a high user acceptance rate because they are perceived as less intrusive and are one of the easiest biometric systems to use.

    Ratings for Voice Recognition

    Implementation | Portability | Effectiveness | Ease of Use-Customer
    Easy | No | Moderate | Easy

    Keystroke Recognition: What is it and how does it work?
    Keystroke recognition is the only biometric authentication technique discussed in this study that requires no additional hardware with which to read, scan, view, record, or otherwise interrogate the requesting user because every computer is equipped with a keyboard.67 To authenticate an individual, keystroke recognition relies solely on software, which can reside on the client or host system. To create an enrollment template, the individual must type his or her user name and password a number of times. Best results are obtained if enrollment occurs over a period of time rather than at one sitting: over a period of time, individual characteristics are identified more accurately. With keystroke recognition, a user must type without making any corrections. If keystroke errors are made, the system will prompt the user to start over.

    Some of the distinctive characteristics measured by keystroke recognition systems are:

    • The length of time each key is held down
    • The length of time between keystrokes
    • Typing speed
    • Tendencies to switch between a numeric keypad and keyboard numbers
    • The keystroke sequences involved in capitalization.

    Each individual characteristic is measured and stored as a unique template. Some systems authenticate only at sign-on, whereas others continue to monitor the user throughout the session. As in other biometrics, the user's keystroke sample is compared with the stored template, and access is granted if the submitted sample matches the template according to preestablished probabilities.
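
    The enrollment and matching steps described above can be sketched as follows. This is an added example, not code from the FDIC study or from any keystroke recognition product; it measures only the first two characteristics listed (hold time and time between keystrokes), and the scoring method, the 2.0 threshold, the 5 ms floor, and all timings are assumptions constructed for illustration.

```python
from statistics import mean, stdev

def make_events(text, dwells, flights):
    """Build constructed (key, press_ms, release_ms) events for sample data."""
    events, t = [], 0
    for i, key in enumerate(text):
        events.append((key, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events

def extract_features(events, expected_text):
    """Return hold and between-key times, or None if the entry was not typed cleanly."""
    if [k for k, _, _ in events] != list(expected_text):
        return None  # a correction (e.g. Backspace) or wrong key: user must start over
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples, expected_text, min_samples=3):
    """Template = per-feature mean and standard deviation over clean samples."""
    vectors = [v for v in (extract_features(s, expected_text) for s in samples) if v]
    if len(vectors) < min_samples:
        raise ValueError("not enough clean enrollment samples")
    columns = list(zip(*vectors))
    return {"text": expected_text,
            "mean": [mean(c) for c in columns],
            "std": [max(stdev(c), 5.0) for c in columns]}  # assumed 5 ms floor

def verify(template, events, threshold=2.0):
    """Return 'retry', 'accept' or 'reject' for one sign-on attempt."""
    vec = extract_features(events, template["text"])
    if vec is None:
        return "retry"
    # Average deviation from the template, in units of the user's own variability.
    score = mean(abs(x - m) / s
                 for x, m, s in zip(vec, template["mean"], template["std"]))
    return "accept" if score <= threshold else "reject"

# Constructed timings (milliseconds) for the four-character entry "pass".
ENROLLMENT = [make_events("pass", d, f) for d, f in [
    ([95, 110, 100, 105], [140, 60, 150]),
    ([100, 105, 95, 110], [150, 55, 145]),
    ([90, 115, 105, 100], [145, 65, 155]),
    ([105, 108, 98, 102], [135, 58, 148])]]
TEMPLATE = enroll(ENROLLMENT, "pass")
GENUINE = make_events("pass", [98, 107, 102, 103], [144, 61, 147])
IMPOSTOR = make_events("pass", [60, 70, 65, 62], [250, 200, 90])
CORRECTED = [("p", 0, 90), ("s", 200, 290), ("Backspace", 400, 480),
             ("a", 600, 700), ("s", 850, 950), ("s", 1100, 1200)]
```

    The impostor sample types the correct text but with a different rhythm, so it is rejected on timing alone; the sample containing a correction is never scored and is sent back for a retry.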

    Effectiveness/Protection
    If the keystroke recognition software is used as one factor in a two-factor authentication system, it can be an effective layer of security. Keystroke recognition is not considered an effective single-factor authentication technique because hand injuries, fatigue, variations in temperature that affect physical actions, arthritis, and other conditions can affect authentication effectiveness. Also, since keystroke recognition is a relatively new biometric technology, reliable information concerning its effectiveness is not as available as with fingerprint recognition.

    Ease of use and requirements
    Keystroke recognition biometrics is generally considered to be the easiest biometric technology to implement and use. No hardware is involved. Software may be installed on the client or host. Because authentication is based on normal keyboard entry, individuals need only type the prescribed text to be authenticated.

    Ratings for Keystroke Recognition
    Implementation | Portability | Effectiveness | Ease of Use-Customer
    Easy | Yes68 | Moderate | Easy

Summary
Over the past few years, it has become increasingly apparent that single-factor, password-based authentication methods may no longer be sufficiently secure for customer remote access to online banking systems. In the pre-Internet era, when access to financial institution computer systems was very limited and the institution exerted virtually complete control over the user population, single-factor authentication using passwords was sufficient. However, as customers and employees connect to sensitive banking systems remotely, control has been diluted and security is more easily compromised. Fraudsters are taking advantage of these circumstances to commit account hijacking. Two-factor authentication should be considered as a new security baseline for remote access to computer systems.

Choosing a technology to deliver an effective two-factor authentication system for financial institutions presents some unique challenges. Customers expect to have immediate and unobstructed access to their accounts regardless of where they happen to be or what time it is. Currently, as long as the customer remembers his password, this access is delivered reliably. Two-factor authentication must be capable of providing the same level of dependable access. Qualities such as portability, reliability, reasonable cost, and ease of implementation and use will determine what technologies meet this high level of service demanded by customers.

The improper denial of access to accounts has significant implications for both customers and the financial institutions. The challenge for financial institutions is to identify authentication technologies that are acceptable to customers and offer the reliability, security, and value required by the institution.



55 Consumer education continues to be an important strategy in preventing account hijacking (and identity theft in general), but it is not the focus of this section of the study.

56 In the course of preparing this study, FDIC staff researched the existence of fraud detection software specifically designed to detect account hijacking, similar to existing software used to detect credit card fraud. Staff found no such product in widespread use and concluded that development is in the early stages.

57 Swofford (2004).

58 Netcraft, Ltd. (2004).

59 Microsoft Corporation (2004).

60 Rainbow Technologies (2002).

61 ING DIRECT uses this technique. See http://home.ingdirect.com/faqs/faqs_content.html.

62 In a man-in-the-middle attack, a fraudster intercepts messages between the institution and the customer, learns the shared secret, and then impersonates the institution going forward. The customer is unaware of the fact that he or she is now communicating with the fraudster instead of the institution.

63 Many federal agencies use smart cards for access to certain sensitive applications residing on their internal computer networks. The cards also function as identification badges for entry into agency buildings.

64 FDIC staff are aware of at least one large U.S. bank that is in the process of beginning a pilot program to test the use of password-generating tokens by retail customers for remote access to the bank's Internet-banking system. At least one federal government agency uses this system for remote employee access to the agency's internal computer network.

65 A "low tech" version of the password-generating token, commonly referred to as a scratch card, has been used in Europe for some time. The card contains a series of passwords that customers use in sequence, scratching off each one as it is used. The scratch card is given or mailed to customers when they sign up for online banking.

66 The FDIC staff are aware of financial institutions, domestic and foreign, that use fingerprint recognition and other biometric technologies to authenticate ATM users, eliminating the need for an ATM card and the expense of replacing lost or stolen cards.

67 While some tablet PCs and personal digital assistants do not have keyboards, relying on handwriting recognition for information input, the overwhelming majority of computers in use today are equipped with keyboards.

68 Assuming that the software resides on the server as opposed to the client or user PC.


Last Updated 12/10/2004 webmaster@fdic.gov