The Importance of a Two-Factor Authentication

by Mr. Julian Curmi B.Sc. ACIB CISA CISSP - Information Security Officer
email: curmimontaldo@netscape.net

Electronic Banking (Part 1)

In the first of his three-part series of articles, Julian Curmi assesses the information security issues that face the financial services industry.

In today's corporate environment, the need exists to ensure that only authorised individuals or customers gain access to critical devices or the services offered. With the availability of ready-to-use "sniffers" and access code (password/PIN) cracking tools, the standard username/password or PIN combination may no longer be adequate to withstand the test of secure authentication.

Other means of discovering passwords or PINs are aided by bad habits. Many customers, and users in general, use easy-to-guess combinations, make infrequent changes, and often write their password or PIN down and leave it in conspicuous places, for example stuck to the computer monitor. Some customers not only never change their password or PIN, but also assign the same value to all their online access codes and even to their ATM cards.

Many organisations depend on sophisticated and complex networks, which have become one of the most important channels through which to do business. It is becoming an accepted fact that, from a security point of view, a single-factor authentication method may not be adequate to serve the growing high-risk e-business marketplace.

Authentication, however, cannot exist in a vacuum; it must be part of a security framework. The four security control objectives that an adequate security framework addresses are:

• Identification and authentication - to prove identity and allow access to assets;

• Integrity - ensuring that data was changed only by an authorised person and that no unauthorised changes have been made;

• Confidentiality - restricting data access to the people authorised to see it;

• Nonrepudiation - one may not deny his/her actions.

The scope of this article is to give an insight into strong user authentication in relation to electronic B2B (business to business) and B2C (business to customer).


What is strong user authentication?

Reliable customer authentication is imperative for financial institutions engaging in any form of electronic banking or commerce. An effective authentication system can help financial institutions reduce fraud and strengthen the security framework that underlies the application. Strong customer authentication practices are also necessary to enforce anti-money laundering measures and help financial institutions detect and reduce identity thefts.

Customer interaction with financial institutions is migrating from physical recognition and paper-based documentation to remote electronic access and transaction initiation. The risks of doing business with unauthorised or incorrectly identified individuals in an electronic banking environment could result in financial loss and reputation damage through fraud, disclosure of confidential information, corruption of data and agreements that the organisation may not be able to enforce.


Two-factor authentication and nonrepudiation

Accountability (nonrepudiation) is a key concern for organisations. It is important - and in many cases critical - to ensure that employees and customers are accountable for the electronic transactions they perform.

Tokens and smart cards, for example, help ensure this accountability because each employee or customer is expected to be in physical possession of his/her own token/smart card, and each should be the only person to know the PIN for accessing the services on that device. This is to a great extent a policy issue, but such devices help enforce that policy. Because the device is unique to the employee or customer, any transactions - such as system logon or transactions made on the system - performed with that device are reasonably certain to have been performed by the person to whom that device was issued. Such devices make it very hard, if not impossible, for employees or customers to successfully repudiate the transactions they have executed.

For a user to be able to access a resource, it must be determined whether this individual is who he claims to be, whether he has the necessary credentials, and whether he has been given the necessary rights/privileges to perform the actions he is requesting. Identification and authentication describe the method of ensuring that the user is in fact who he claims to be. Once these steps are completed successfully, the user can access and use the system resources. However, it is still necessary to track the user's activities and enforce accountability for his/her actions - detective controls through an audit trail.

Choosing the appropriate identification and authentication tools depends on the channels through which an organisation wishes to provide its services, the flexibility that it wishes to provide its users and customers alike, and the perceived risks.

Specifically, there are three categories of user authentication factor:

• Something you have - this can include a key to a door or a token card;

• Something you know - passwords or PINs may be classed in this category;

• Something you are - this area includes biometric authentication such as fingerprints, voice recognition, retina or iris scans.

Individually, each of the three has problems. "Something you have" may be stolen. "Something you know" may be guessed, shared or lost. "Something you are" is the strongest, but generally the most costly, and may not always be appropriate for integration with some user applications.

Since these single-factor authentication problems exist, the next step is two-factor authentication. For example, ATMs use a combination of a plastic card (something you have) and a four-digit PIN (something you know).

Requiring two factors significantly enhances security because single-factor authentication by itself may not be sufficient to perform authentication that can be relied on. Furthermore, two-factor authentication ensures that any transactions carried out by the user cannot be denied and that the user can be held accountable for his actions on the system, be it an employee of the organisation or a customer of that organisation.

Authentication methods that depend on more than one factor are typically more difficult to compromise than single-factor authentication systems. Accordingly, properly designed and implemented multi-factor authentication methods are more reliable indicators of authentication and stronger fraud deterrents. For example, the use of a logon ID/password is single-factor authentication (something the user knows), whereas a transaction using an ATM typically requires two-factor authentication: something the user possesses (the card) combined with something the user knows (the PIN).
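To make the "something you have" plus "something you know" combination concrete, the following is an added example (not code from the article or from any institution it describes). It assumes the token is an HMAC-based one-time password generator (RFC 4226 HOTP), that the PIN is stored as a salted PBKDF2 hash, and that every attempt is written to an audit trail as the detective control the article calls for; user names and secrets are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): the 'something you have' factor."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class TwoFactorVerifier:
    """Grants access only when the PIN (know) AND the token code (have) both check out."""

    def __init__(self) -> None:
        self.users = {}
        self.audit = []                                       # detective control: audit trail

    def enrol(self, user: str, pin: str, token_secret: bytes) -> None:
        salt = secrets.token_bytes(16)                        # per-user salt for the PIN hash
        self.users[user] = {
            "salt": salt,
            "pin_hash": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000),
            "secret": token_secret,                           # shared only with the user's token
            "counter": 0,                                     # next HOTP counter not yet used
        }

    def verify(self, user: str, pin: str, otp: str, window: int = 3) -> bool:
        rec = self.users.get(user)
        if rec is None:
            self.audit.append((user, "fail", "unknown user"))
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), rec["salt"], 100_000)
        pin_ok = hmac.compare_digest(candidate, rec["pin_hash"])
        # Look ahead a small window so a token pressed without logging in does not desync.
        otp_at = next((c for c in range(rec["counter"], rec["counter"] + window)
                       if hmac.compare_digest(hotp(rec["secret"], c), otp)), None)
        if pin_ok and otp_at is not None:
            rec["counter"] = otp_at + 1                       # consume the code: no replay
            self.audit.append((user, "ok", f"counter={otp_at}"))
            return True
        failed = [name for name, ok in (("pin", pin_ok), ("token", otp_at is not None)) if not ok]
        self.audit.append((user, "fail", "bad " + "+".join(failed)))  # detail stays in the log
        return False
```

The caller only ever sees a single pass/fail result; which factor failed is recorded in the audit trail for the institution's review, not returned to the client.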

In general, multi-factor authentication methods should be used on higher-risk systems, for example remote access to networks or offering a service through the internet, e.g. e-banking. A number of financial institutions have been offering their e-banking services dependent only on a PIN; however, many financial institutions are upgrading their systems to include two-factor authentication when offering their services through electronic means.

An effective authentication method should have customer acceptance, ease of use, reliable performance, scalability to accommodate growth, and interoperability with existing systems and strategic plans of the organisation.

No matter what type of two-factor authentication model is used, the organisation should be sensitive to the fact that proper implementation is key to the reliability and security of the system. For example, a poorly implemented two-factor system may be less secure than a properly implemented single-factor system because of weak organisational policy, procedures or standards. This is because the human element is the weakest link in any security application or system.

The success of a particular authentication method depends on more than the technology. It also depends on appropriate policies, procedures and controls. On this, organisations may now adopt MSA ISO/IEC 17799:2001 - Information Technology - Code of Practice for information security management. Executive management should give their full support to ensure proper implementation and adherence to policy.
