Putting an End to Account-Hijacking Identity Theft Study Supplement
Part 1: Public Comments and the FDIC's Response to Them
The FDIC received a total of 70 comments on the Study: 10 from financial institutions, 8 from financial institution trade associations, 32 from technology providers, 9 from independent consultants, 2 from electronic payment system providers, 2 from other types of associations, 6 from individuals, and 1 from a consumer organization. The comments made many useful suggestions that the FDIC has taken into account in this Supplement.
The FDIC received comments from ten insured depository institutions, mostly in the small to medium asset size range. Although the comments varied considerably, there were some common themes. Five comments noted that additional consumer education is an effective way to combat identity theft in general and account hijacking by means of phishing in particular. Three comments expressed the opinion that mutual e-mail authentication has the potential to eliminate phishing, and two noted that more secure software, particularly computer operating systems, is necessary to help mitigate the risk of phishing.
Two comments agreed with the FDIC's position that concerns about phishing may slow the growth of online banking. One of those comments went further to add that the Corporation's findings are not strong enough and that section 501(b) of the Gramm-Leach-Bliley Act should be amended to require the use of better authentication technologies. That same comment expressed the opinion that software solutions are, by their very nature, insecure and should not be relied upon.
Three comments disagreed generally with many of the ratings the FDIC assigned to certain technologies. In addition, three other comments disagreed among themselves about the effectiveness of the scanning software discussed, with two of the comments asserting that such software is available and effective, and one stating that it is not effective as a technique for mitigating account hijacking due to phishing.
Lastly, two comments noted that any action taken by regulators should allow the industry flexibility in implementing a solution, and one of those comments expressed the opinion that the adoption of two-factor authentication will decrease consumers' use of online banking. Three comments took the position that any form of two-factor authentication involving the use or installation of hardware by the consumer will be too costly and will meet with considerable consumer resistance. One comment asked the FDIC to permit additional comment on any proposed guidance before it is issued.
Financial Institution Trade Associations
Of the eight financial institution trade associations that submitted comments, the majority opposed any sort of regulation or guidance in this area, holding that regulation or guidance would be premature. Six of the comments expressed concern that the FDIC may mandate the use of a specific technology by insured depository institutions, and argued that a more flexible, risk-based approach will be preferable. Two comments pointed out that the use of a technology such as two-factor authentication to mitigate account hijacking should be part of a layered approach to information security. However, one association stated that the industry may benefit from the issuance of some form of nonmandatory guidance or best practices.
One-half of the associations objected to the FDIC's use of the term "account hijacking" as too highly charged or inaccurate or both. These comments suggested that the FDIC use the term "account takeover," "account fraud," or "unauthorized electronic access."
With regard to the FDIC's first finding--supporting the use of two-factor authentication--six of the associations took the position that two-factor authentication is not a "panacea" for preventing account hijacking and that many of the technologies discussed in the Study are not mature enough to be extensively deployed. In addition, seven of the associations expressed concern that consumers will resist the introduction of two-factor authentication techniques that involve installing hardware, software, or both on the consumers' PCs. Similarly, four of the associations were of the opinion that a cost-benefit analysis will not support the implementation of two-factor authentication in an effort to mitigate the problem of account hijacking. Two associations criticized the FDIC for not discussing the cost of these technologies in the Study. Three of the associations said the rating charts included in the final section of the Study are not helpful and may even be misleading.
With regard to the FDIC's second finding--supporting the use of scanning software to identify and defend against phishing attacks--two comments noted that such software has been found to be effective and that some financial institutions are already using it. However, one comment noted that such software is not effective.
Five comments urged the FDIC to examine other security techniques that are not discussed in the Study. For example, four comments stressed the importance of mutual authentication as a method of mitigating account hijacking in particular and identity theft in general, and one suggested several specific authentication techniques that the FDIC should investigate, such as out-of-band authentication and device authentication.
The largest group of comments (32) was submitted by technology providers (TPs), companies that develop and sell computer security products. Eleven TP comments were supportive of the FDIC's Study and findings. However, 3 other comments disagreed with some of the ratings assigned to certain technologies in the final section of the Study. Three other comments stated that the FDIC should avoid prescriptive, one-size-fits-all solutions to the problem.
The comments disagreed among themselves about the effectiveness of consumer education and scanning software. Although three comments expressed the opinion that further consumer education will help to mitigate account hijacking, one comment took the position that consumer education is not effective. Two comments rated scanning software effective in combating account hijacking, whereas one comment stated that such technology is not effective. One comment suggested that the implementation of mutual authentication would be very effective in mitigating the risk of account hijacking. One comment pointed out that, contrary to a statement in the Study, hardware tokens do not always have to be physically connected to a PC.
Most of the TP comments (as well as comments from some of the other groups) discussed seven classes or types of authentication technologies that are not included in the Study. These technologies are listed here and discussed in some detail in Part 3 of this Supplement:
- Internet Protocol Address (IPA) location/geo-location
- Mutual authentication
- Device authentication
- Non-hardware-based one-time passwords/scratch cards
- Trusted Platform Module (TPM) chip
- User-based software to detect phishing and fraudulent Web sites
- Out-of-band authentication.
The nine comments received from independent consultants are quite varied. For example, two suggested that the industry and government should focus much more than they do on shutting down phishing Web sites as a way to reduce the incidence of identity theft. Two others stressed the need for mutual authentication so that consumers will know that the financial institution Web sites they are visiting are legitimate.
One comment expressed the opinion that biometric technologies and hardware tokens are impractical for consumer use. That same comment suggested that software tokens are arguably just as effective as hardware tokens and may be more practical to implement as a method for two-factor authentication. This comment also stressed the importance of layered authentication techniques.
One comment took the position that identity theft can be mitigated if "credit freezes" are instituted, that is, if access to credit reports requires the consumer's explicit approval. Since lenders usually refer to credit reports before issuing new credit cards or extending loans, consumers will be alerted to the potential for certain forms of identity theft before the identity theft happens. However, this strategy does not appear to mitigate the risk of account hijacking.
Lastly, one comment noted that a newly released survey indicated that identity theft is no longer the fastest-growing crime and that the proliferation of electronic commerce is not the primary cause of identity theft.
Electronic Payment System Providers
The FDIC received comments from two electronic payment system providers. Both of them urged the FDIC to implement a flexible, nonprescriptive approach to mitigating account hijacking. One comment took the position that the use of two-factor authentication will meet with considerable consumer resistance, that consumer education is important, and that both types of scanning software discussed in the FDIC Study are effective and useful. The other comment disagreed with some of the FDIC's ratings and stated that the Study should have discussed the cost of the various technologies.
The FDIC received comments from two nonprofit associations. Although both were supportive of the Study and the finding supporting the use of two-factor authentication, one took the position that two-factor authentication technologies are ready for deployment, whereas the other said such deployment may be premature. Both comments supported the findings concerning the use of scanning software, consumer education, and information sharing. One comment took the position that mutual authentication is a valuable technique in mitigating phishing attacks.
The six comments from consumers were quite varied. Two of them strongly urged government authorities in general to increase the prosecution of identity thieves and impose more substantial sentences. One supported the importance of mutual authentication and the use of USB tokens as the more practical way to implement two-factor authentication. One stated that regulators need to curb access to sensitive personal information via the Internet and supported the value of consumer education. One disagreed with the FDIC's ratings of several technologies.
The FDIC received one comment from a national consumer organization. The comment was supportive of the Study but expressed the opinion that it does not adequately address privacy concerns raised by the use of authentication technologies, particularly the privacy implications of biometrics and e-mail authentication. This comment recommended that the FDIC focus on "smart authentication," that is, authentication technologies that are the least privacy-intrusive inasmuch as they are used for the limited purpose of authenticating the parties in a particular transaction. The comment supported the use of scanning software and consumer education as ways to effectively combat account hijacking.
The proper and accurate use of terminology is important for understanding and communicating about identity theft. Many financial institution trade associations took issue with the FDIC's use of the term "account hijacking" as being inaccurate and too highly charged. The FDIC has determined that a variety of terms are used interchangeably to describe this particular form of identity theft. It is the FDIC's view that the term account hijacking is neither inaccurate nor highly charged. Accordingly, the Supplement will continue to use the term account hijacking.
Many comments stated that the Study does not discuss a variety of technologies that can be used to make remote customer access to online banking systems more secure. The FDIC agrees, and one purpose of this Supplement is to examine technologies that the FDIC did not consider in the Study (see Part 3 below).
A significant number of comments disagreed with the FDIC's ratings of particular technologies. In certain cases, however, comments contradicted one another in their ratings of one or another technology. The FDIC understands from the comments that the technology ratings included in the Study are not helpful to readers and may have fostered more confusion. Ratings have therefore been omitted from this Supplement.
A substantial percentage of comments agreed with the FDIC's finding that consumer education is an effective way to mitigate the risks of account hijacking. Therefore, commencing in the second quarter of 2005, the FDIC is hosting three public symposia on identity theft; the locations are Atlanta (May 13), Los Angeles (June 17), and Chicago (September 22). During the same period the FDIC will consider conducting consumer focus groups on identity theft.
Earlier in 2005, two other symposia were held. One, on identity theft, was sponsored by the FDIC; it was conducted on February 11 in Washington, D.C. The other, on consumer authentication in an Internet environment, was sponsored by the Federal Financial Institutions Examination Council (FFIEC) and was conducted on March 14-25, also in Washington.
The half-day FDIC symposium consisted of a regulatory/government panel, a financial services industry panel, and a consumer panel, in addition to a keynote address and a wrap-up analysis. The consumer panel, in particular, underscored the rapid rise in identity theft over the past several years, consumers' increasing concerns about this fraud, and the ways in which identity theft affects consumers' conduct in the marketplace. Industry representatives described their efforts to stop identity theft and, more specifically, the ways in which two-factor authentication is being used to mitigate this risk. A pilot program involving the use of one-time password-generating hardware tokens was said to have been extremely successful in terms of customer acceptance.
The FFIEC symposium, too, examined the problem of identity theft and account hijacking. Industry representatives made presentations to representatives from the federal banking agencies, describing how phishing and other schemes are being used in increasingly complex ways to commit identity theft. Industry representatives also described their successful efforts to use stronger authentication techniques to mitigate this risk.
Two-Factor Authentication as a Panacea
Many comments stated that two-factor authentication (a term that can encompass a wide variety of specific technologies) should not be considered a panacea for the problem of account hijacking and that a one-size-fits-all solution will not work. The FDIC agrees. The Study suggested that two-factor authentication will reduce the risk of account hijacking, not that it will solve the account-hijacking problem; nor did the Study suggest that two-factor authentication cannot be circumvented in certain circumstances. The FDIC Study stated only that two-factor authentication can have a substantial positive effect in reducing the incidence of account hijacking.
Several comments the FDIC received call attention to the fact that certain authentication technologies, including some reviewed in the Study, may be vulnerable to Man-in-the-Middle (MiM) attacks. But most of the ID theft and fraud addressed in the Study and in this Supplement is not perpetrated by fraudsters using MiM schemes. Due to the dynamic threat environment, it is unlikely that any single authentication technology will remain completely immune to all forms of compromise.
Creating a successful MiM attack in a 128-bit Secure Socket Layer (SSL) encrypted session, the kind of session that is typical in Internet banking, is, at best, very difficult. In typical Internet-based fraud schemes, the victim's credentials are first collected using automated systems, and then used at a later time to access the victim's accounts. In the collection stage of the attack, fraudsters steal users' credentials by using malicious software such as keystroke loggers or other Trojans; sending users to an illegitimate collection Web site using phishing e-mails or pharming techniques; or attacking the communication link using proxy servers or other MiM methods. The account access stage usually requires manual examination of the account. While MiM attacks can easily collect a victim's credentials, using the credentials in an automated fashion to access the victim's account is difficult. Accessing the victim's account in real time is even more difficult to engineer. The divide between the data collection and account access stages means that authentication that uses non-collectable methods (token, one-time passwords, client certificate, etc.) is an effective means for reducing fraudulent account access.
In the FDIC's view, it may be unreasonable to reject an authentication technology because it is vulnerable to a particular attack that accounts for a small percentage of the fraud being perpetrated. The basis for an effective risk-assessment program and information security policy is to implement a comprehensive, layered solution whose pieces deal collectively with the variety of potential threats.
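The collection/access divide described above, as an added example that is not part of the FDIC Supplement: a toy Python bank login in which a phished static password still works when replayed an hour later, while a phished time-based one-time password (RFC 6238 TOTP) does not. The bank model, the seed and the timestamps are constructed assumptions, not anything from the Study.

```python
"""Added illustration: why the collection/access divide favours one-time passwords.

Collection stage: a phishing page captures exactly what the victim typed.
Access stage: the captured material is replayed against the bank later.
The bank model, secret and timestamps below are constructed for this example.
"""
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 30   # TOTP time step (RFC 6238 default)
DIGITS = 8          # code length; 8 digits makes an accidental match ~1e-8


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 time-based one-time password over HMAC-SHA1 (RFC 4226 truncation)."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** DIGITS):0{DIGITS}d}"


class BankLogin:
    """Toy verifier: static password, optionally plus a TOTP second factor.

    As RFC 6238 requires, a code is accepted at most once per time step,
    so a code the legitimate user already consumed cannot be replayed.
    """

    def __init__(self, password: str, otp_secret: Optional[bytes]):
        self.password = password
        self.otp_secret = otp_secret
        self.last_step_used = -1

    def login(self, password: str, otp: str, unix_time: int) -> bool:
        if not hmac.compare_digest(password, self.password):
            return False
        if self.otp_secret is None:        # single-factor site: password is enough
            return True
        step = unix_time // STEP_SECONDS
        if step <= self.last_step_used:    # code for this step already consumed
            return False
        if not hmac.compare_digest(otp, totp(self.otp_secret, unix_time)):
            return False
        self.last_step_used = step
        return True


def replay_outcome(two_factor: bool, delay_seconds: int, user_logged_in_first: bool) -> bool:
    """Simulate collect-then-replay. Returns True if the fraudster gets in."""
    secret = b"constructed-demo-seed" if two_factor else None   # constructed seed
    bank = BankLogin("correct horse battery", secret)
    t_collect = 1_700_000_000                                    # constructed timestamp
    # Collection stage: the phishing page records the victim's input verbatim.
    captured = ("correct horse battery", totp(secret, t_collect) if secret else "")
    if user_logged_in_first:            # e.g. the phishing page relayed the real login
        bank.login(*captured, t_collect)
    # Access stage: the fraudster replays the captured material after a delay.
    return bank.login(*captured, t_collect + delay_seconds)
```

In this model a relay performed in real time, before the victim's own code is consumed, still succeeds, which is the kind of circumvention the Supplement acknowledges two-factor authentication does not rule out.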
Guidance That Is Flexible and Risk Based
In the press release and financial institution letter (FIL) that accompanied publication of the Study, the FDIC stated that it is considering issuing guidance on this topic later in the year. The FDIC is still considering this option and is in the process of consulting with the other federal banking regulators. However, the Corporation's intention is that any guidance issued will be flexible and risk based, consistent with the Interagency Guidelines Establishing Standards for Information Security (12 CFR part 364, Appendix B).
Public Comment on Future Guidance
A number of comments made the point that any proposed guidance should be published for public comment before being issued in final form. It is premature for the Corporation to commit to publishing for public comment any guidance that may be issued in the future.
Consumer Resistance to Two-Factor Authentication and Possible Adverse Consequences
Many comments, primarily from financial institutions and their trade associations, asserted that consumers will resist the implementation of two-factor authentication and that such a requirement can slow the growth of online banking. While financial institutions must be concerned about losing customers, none of the comments that advanced this argument cited any survey or study supporting that position. Although consumers are certainly interested in convenience, they are also very concerned about the security of their accounts and sensitive personal information. As discussed in the next part of this Supplement, there is evidence that consumers are expecting financial institutions to address the problem of account hijacking and that they will feel more comfortable banking online if they are provided with additional security measures such as two-factor authentication. Several of the seven technologies discussed in Part 3 of this Supplement are more transparent to the customer than the solutions discussed in the Study.