Polling Question
Briefly describe the #1 problem you have encountered with implementing Multi-Factor Authentication.
- Please type in your response.
- This poll will close promptly at 1:00 pm CDT

Getting the Facts on Multi-Factor Webinar
Donna Dodson
National Institute of Standards and Technology (NIST)
Kimberly Cahill, NBE, CISA
Bank Information Technology Analyst
Comptroller of the Currency
Gary Greenwald
Managing Director, Cash Management Capabilities and Information Products
Citigroup Corporate and Investment Bank

Getting the Facts on Multi-Factor Webinar
Donna Dodson
National Institute of Standards and Technology (NIST)

E-Authentication Guidance
- OMB 04-04, E-Authentication Guidance for Federal Agencies
  - Defines four levels of assurance in terms of the consequences of authentication errors and misuse of credentials
  - Risk assessment reviewing privacy, inconvenience, damage to reputation, harm to agencies and programs, financial liability, crime, safety
- NIST Special Publication 800-63, Electronic Authentication Guideline
  - Establishes technical requirements to meet four levels of assurance
  - Identity proofing, tokens, credentials, protocols, assertions

Authentication Model
- Local or Remote
- Players
  - Claimants
  - Subscribers
  - Registration Authorities
  - Credential Service Provider
  - Verifiers
  - Relying Parties

Authentication Elements
- Token – something that the claimant possesses and controls (typically a key or password) used to authenticate the claimant’s identity
- Credential – an object that authoritatively binds an identity to a token possessed and controlled by a person
- Assertion – a statement from a verifier to a relying party that contains identity information about a subscriber

Authentication Factors
- Something you know
  - Typically some kind of password
- Something you have
  - For local authentication typically an ID card
  - For remote authentication typically a cryptographic key
    - “hard” & “soft” tokens
- Something you are
  - A biometric
    - Problematic without supervision
    - Capture can deter fraud even if not checked in authentication process
- The more factors, the stronger the authentication

Tokens
- Single-factor token – a token that utilizes one of the three factors to achieve authentication. For example, a password is something you know, and can be used to authenticate the holder to a remote system.
- Multi-factor token – a token that utilizes two or more factors to achieve authentication. For example, a private key on a smart card that is activated via PIN is a multi-factor token. The PIN is something you know and the smart card is something you have.

Common Types of Tokens
- Memorized secret token
- Pre-registered knowledge token
- Look-Up secret token
- Out of band token
- One time password device
- Software cryptographic token
- Hardware cryptographic token

Token Selection Considerations
- Security considerations
  - Single factor vs multifactor vs multitoken
  - Hardware vs software
  - Protocol associations
- Costs
- Usability
- …

Polling Question
Have you fully implemented a Multi-Factor Authentication program per the FFIEC guideline?
- Yes
- No

Getting the Facts on Multi-Factor Webinar
Kimberly Cahill, NBE, CISA
Bank Information Technology Analyst
Comptroller of the Currency
[email protected]

Disclaimer
The views and opinions expressed are not official positions of the FFIEC or the Comptroller of the Currency.

Agenda
- What Prompted Guidance
- Guidance
- Other Considerations

What Prompted the Guidance?
- “Cybercrime yielding more cash than drugs”
- TJX data breach info used to make fraudulent purchases.
- In 2006, there were in excess of 315 publicized breaches affecting nearly 20 million individuals.
- Lost or stolen customer information cost surveyed companies as much as $22 million

Common Threats
- Losing Data
- Hacking
- Phishing
- Pharming
- Spying
- Disgruntled Insiders
- Criminals
- Terrorists

Consumer Concern
- 67% are very concerned about identity theft.
- 73% worried about fraudulent use
- 25% say stopped buying online
- 57% say switch banks for better security

Authentication Guidance
OCC Bulletin 2005-35
Guidance
“The level of authentication used by the FI should be appropriate to the risks associated with those products and services. FIs should conduct a risk assessment to identify the types and levels of risk associated with their Internet banking applications. Where risk assessments indicate that the use of single-factor authentication is inadequate, FIs should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks. The agencies consider single-factor authentication, as the only control mechanism, to be inadequate in case of high-risk transactions…”

Key Principles of the Guidance
- 4 Principles
  - Risk based
  - Process based
  - Not prescriptive
  - Technology neutral

Key Steps for Conformance
- Risk Assessment
- Implement Risk Mitigation Strategy
- Customer Awareness
- Adjust the program

Risk Assessment
- Identify and rank “high risk” Internet transactions
- Describe specific customer information viewable during Internet sessions
- Evaluate current authentication procedures
- Identify any gaps

Acceptable Risk Mitigation Techniques
- Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement:
  - multifactor authentication,
  - layered security, or
  - other controls reasonably calculated to mitigate those risks.

Authentication Selection
- Multifactor
  - Token
  - Biometrics
  - Smart cards
  - One-time passwords
- Layered Security
  - Transaction analysis (unusual behavior)
  - IP address
  - Challenge/response questions
  - Out-of-band confirmations
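As an added example (not from the webinar or any presenter), the following Python block shows how the layered-security items on this slide combine into one step-up decision that a monitoring component could make per transaction: each event is scored for an unfamiliar IP address, an amount far above the customer's own history and a burst of transactions in a short window (the "unusual behavior" analysis), plus the high-risk function involved, and the total decides between allowing the transaction, posing a challenge/response question, or requiring out-of-band confirmation. The session log lines, the rule weights, the thresholds and the `Profile`/`evaluate` names are all constructed for this illustration, and the profile only learns from events that were allowed, so unconfirmed activity cannot teach the system a new "normal".

```python
import statistics
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample session log: timestamp, customer, source IP, action, amount (USD).
SAMPLE_LOG = """\
2007-05-01T09:00:00,cust42,203.0.113.7,view_balance,0
2007-05-01T09:01:00,cust42,203.0.113.7,bill_pay,120
2007-05-02T09:05:00,cust42,203.0.113.7,bill_pay,95
2007-05-03T09:02:00,cust42,203.0.113.7,bill_pay,110
2007-05-04T02:13:00,cust42,198.51.100.9,funds_transfer,4800
2007-05-04T02:14:00,cust42,198.51.100.9,funds_transfer,4900
2007-05-04T02:15:00,cust42,198.51.100.9,funds_transfer,5000
2007-05-05T09:00:00,cust42,192.0.2.44,bill_pay,100
"""

# Illustrative thresholds and weights (assumed values, not from the guidance).
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 2            # more than this many events in the window is unusual
AMOUNT_MULTIPLIER = 3.0       # more than 3x the customer's average amount is unusual
MIN_HISTORY = 3               # prior amounts needed before judging an amount unusual
HIGH_RISK_ACTIONS = {"funds_transfer"}


class Profile:
    """What the institution has learned about one customer from allowed activity."""

    def __init__(self):
        self.known_ips = set()
        self.amounts = []         # amounts of allowed monetary transactions
        self.recent = deque()     # timestamps inside the velocity window (all events)


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, cust, ip, action, amount = line.split(",")
        events.append((datetime.fromisoformat(ts), cust, ip, action, float(amount)))
    return events


def score_event(profile, ts, ip, action, amount):
    """Apply each layered-security rule; return the total score and the reasons."""
    score, reasons = 0, []
    if profile.known_ips and ip not in profile.known_ips:
        score += 2
        reasons.append("unfamiliar IP address")
    if len(profile.amounts) >= MIN_HISTORY and amount > AMOUNT_MULTIPLIER * statistics.mean(profile.amounts):
        score += 3
        reasons.append("amount far above customer average")
    profile.recent.append(ts)                       # velocity counts every event, allowed or not
    while profile.recent and ts - profile.recent[0] > VELOCITY_WINDOW:
        profile.recent.popleft()
    if len(profile.recent) > VELOCITY_LIMIT:
        score += 2
        reasons.append("transaction velocity")
    if action in HIGH_RISK_ACTIONS:
        score += 1
        reasons.append("high-risk function")
    return score, reasons


def decide(score):
    """Map the score to the step-up control the slide lists."""
    if score >= 4:
        return "out-of-band"     # out-of-band confirmation before the transaction proceeds
    if score >= 2:
        return "challenge"       # challenge/response question in the session
    return "allow"


def evaluate(log_text):
    profiles = defaultdict(Profile)
    results = []
    for ts, cust, ip, action, amount in parse_log(log_text):
        profile = profiles[cust]
        score, reasons = score_event(profile, ts, ip, action, amount)
        decision = decide(score)
        if decision == "allow":                     # learn only from allowed activity
            profile.known_ips.add(ip)
            if amount > 0:
                profile.amounts.append(amount)
        results.append({"time": ts.isoformat(), "customer": cust, "action": action,
                        "score": score, "decision": decision, "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in evaluate(SAMPLE_LOG):
        print(r["time"], r["action"], r["score"], r["decision"], "; ".join(r["reasons"]))
```

Run on the sample log, the three routine bill payments build the profile, the 2 a.m. transfers from a never-seen address for forty times the usual amount are pushed to out-of-band confirmation, and a normal-sized payment from a new address gets only a challenge question. The reasons list is what belongs in the audit trail the "Monitoring and Reporting" slide asks for; in a real deployment the thresholds would come from the institution's own risk assessment rather than the constants above.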

Other Risk Controls
- Content
  - Minimize (mask) confidential information
- Segregate access
  - Separate basic info, bill payment, funds transfer
- Accessibility
  - Encrypt confidential information

Monitoring and Reporting
- Audit features – behavior patterns
- Service provider’s reports
- Independent audit review
- Report to Board

Customer Awareness
- Key defense, but not a control
- Continue efforts
- Track your efforts (call center, clicks on alert and disclosure links, type of marketing, trends in losses)
- New FTC education website: http://www.onguardonline.gov

Account Origination & Verification
Reliable identity verification at origination is critical for:
- Compliance w/ USA Patriot Act
- Relevance of subsequent authentication practices
Verification approaches:
- Negative confirmation
- Positive confirmation
- Out-of-wallet questions

Bottom-Line
- An acceptable solution today might not be acceptable tomorrow… the bad guys are just as smart as the good guys developing the solution
- Banks need an on-going risk assessment process!

Bank Supervision Policy
- FFIEC Information Security Booklet
- 12 CFR 30, Appendix B
- OCC 2005-35: Online Authentication
- OCC 2005-24: Website Spoofing
- OCC 2005-13: Customer Notification
- OCC 2005-1: Disposal of Consumer Info
- FAQs on Guidance

Polling Question
Implementing Multi-Factor Authentication has met my expectations.
- Strongly Agree
- Agree
- Agree Somewhat
- Disagree
- Strongly Disagree

Getting the Facts on Multi-Factor Webinar
Gary Greenwald
Managing Director, Cash Management Capabilities and Information Products
Citigroup Corporate and Investment Bank

The Opportunity
- Look beyond website access control
- Paperless workflows
- Legally binding electronic signatures
- Document integrity and rights management

Case Study: Pharmaceutical
- Electronic submissions to the FDA
  - Costs are rising
  - Time to market is long
  - Paper intensive
- What are we providing?
  - Identity issuance
  - Compliance with strict FDA regulations
  - Operational infrastructure

Case Study: Managing Corporate Bank Accounts
- Need for better process
  - Visibility
  - Control
  - Efficiency
- What are we providing?
  - Standard for account opening and managing corporate bank accounts, working with industry groups
  - A single digital identity across banks
  - End-user interface

Case Study: Corporate Payment Files
- Improved process for straight-through processing (STP) of payment files
- Driven by industry move to STP and even corporate SWIFT connectivity
- Issue: which individual has released the payment file? Is he/she entitled?
- Use of digital signatures to confirm identity of the senders, provide audit trail, etc.

Role of Banks
- Sit above technology layer
- Focus on high assurance
  - Using multi-factor tools for strong authentication
  - Positions banks as leaders
- Focus on what banks do well
  - KYC
  - Trusted parties
  - Subject to regulatory oversight
  - Know and understand the importance of strong policies and legal structures
  - Integral part of the global payment and trade infrastructure
  - Extensions into public sector, consumers and other verticals

Q&A
Using the CHAT window on the right side of your screen, send a text directly to ALL PANELISTS.