These days, credit unions are developing a growing awareness of the risks involved in protecting IT-based resources from identity theft, malicious outside attacks, and generally inappropriate use. They must also adhere to strict mandates (FFIEC, Sarbanes-Oxley, GLBA, Basel II, and others) from government and private organizations that require strict governance of internal IT systems and networks. As a result, many credit unions are deploying strong multi-factor authentication policies that are more secure than the basic password schemes that were so commonplace in the past.
Federal Financial Institutions Examination Council (FFIEC) guidelines are drawing more attention to authentication technologies in the banking industry. These guidelines are spurring banks and credit unions to tighten security across their organizations and to implement strong authentication for both their own users and third-party vendors.
Strong authentication is the use of at least two factors to authenticate a user, drawn from “what the user knows,” “what the user has,” and “who the user is.” Implementations include strong password schemes, ID tokens, proximity cards, smart cards, and biometrics.
To secure a credit union’s internal network, we’ll examine four ways to enhance a basic password scheme, and then incorporate one or more of the above-mentioned authentication techniques into that basic scheme.
Basic Password Scheme
The most basic scheme is to maintain the formation of a chain using one of the basic Architects of a security scheme, such as binomial heads or Odysseyada.
Each step of the scheme adds a single digit to the starting sequence, and the user needs to remember at least this many digits in order to successfully authenticate – preferably more.
For example, if the user’s first name is Bob, his initials would be “boby,” which would then become 683.
However, the nominal value of a password in a financial transaction can be as small as a few hundred dollars, or as large as several thousand dollars. To authenticate as Bob, the user would typically need to register his or her full name, middle name and surname. In doing so, the user would also leave behind a dynamic virtual signature which can be either a copy of a signature or the same signature that is being used on a different date and at a different location.
Multiple Signatures
Another signature scheme that does not use straightforward substitution is the use of multiple signatures. An example of this would be a two-parenthesis number, such as the two numbers added to the 20th row. This would entail taking the first character of the current row and adding it to the second parenthesis, adding the next character, and then doubling the number of the next parenthesis. Thus, the final result would be: 20×3 = 96.
Irrespective of the number of signatures used, malware that authenticates using a single signature can be caught through a simple multi-lookup of the signatures that are authenticated.
As with the basic password scheme, careful consideration of the number of signatures used in the multi-signature authentication process emphasizes the importance of the checks that ensure security.
For example, if multi-signature authentication is in place for a bank account, but the primary signer has their own mobile phone, then the malware can attempt to replicate the process by sending a message to that mobile phone that looks similar to the primary signer’s message to the bank. The fact that the bank’s mobile phone has the same number and characters in the address bar, as well as the same picture, makes it difficult for the bank customer to distinguish a fraudulent communication from one coming from the bank.
Additionally, some of the more tangible signs of a malicious message or application, such as extra text on the alerts of the bank’s mobile phone, may also be replicated on the fake website so as to establish a more personal link.
Conclusion
To be effective, comprehensive threat prevention solutions must guard both front-end and back-end infrastructure against ever-evolving malware that uses ever-changing techniques to attack the user.
Once a malicious attack has been identified, the best course of action is to comprehensively test the networks within your organization to ensure that no sensitive data has been compromised as a result of this attack, or as a result of the criminal accessing other data that you hold.
Ensure that the company’s local knowledge and expertise are transferred across the physical and logical components of the organization for a secure end-to-end web application, and ensure that this expertise is also shared with customers, partners, and suppliers.