Purpose
- The need for additional security measures to reliably authenticate consumers remotely accessing their financial institution's Internet banking system.
- Updates and supplements the 2001 guidance entitled "Authentication in an Electronic Banking Environment".
Slide 5
Authentication in an Electronic Banking Environment
Slide 6
Background
- Security Acts
  o Gramm-Leach-Bliley Act (GLBA), Title V requirement
  o The Fair and Accurate Credit Reporting Act of 2003 (FACTA)
- Identity Theft
  o One of the fastest growing types of consumer fraud
  o Account takeover was identified as the fastest growing type of identity theft.
  o Account takeover represents a fundamental compromise of the security protecting consumers' primary asset: accounts maintained at insured depository institutions.
Slide 7
What is identity theft?
Identity theft is defined as the appropriation of credentials or private information belonging to another individual, to be used in the creation of new accounts or new identities.
Slide 8
Hackers' Tools
- Phishing
- Spyware
- Malware
- Site spoofing
- Trojan horse
- Social engineering
Slide 9
Identity Theft Statistics
- According to the FTC, during 2003, 10 million Americans were the victims of identity theft, with a total cost to businesses and consumers approaching $50 billion.
- According to Gartner (2004), 2 million U.S. adult Internet users experienced account takeover during the 12 months ending April 2004.
Slide 10
Continued -
- The Anti-Phishing Working Group noted a significant increase in phishing activity over the past six months.
- There were 12,845 new unique phishing email messages reported to the APWG in January 2005 alone.
Slide 11
FICUs' e-Banking Services Increase (Growth since 2000)
- More than half (58%) of FICUs have a website. This has increased by 39.5%.
- Home banking via websites has grown significantly, by 78.2%.
- The number of interactive and transactional websites has grown by 93.4%.
- Electronic loan payment has increased by 121%.
- Share draft ordering has grown by 83.2%.
- The number of members using transactional websites has increased by 230% (to 18.3 million).
----------------------------------------------------------------
In 2004, among credit unions, the number of transactional websites grew by 10%, to 3,673, while the number of members using transactional sites grew 21% (to 18.3 million).
Slide 12
Continued -
- According to NAFCU, 48% of FICUs responded that their credit unions incurred an increased level of identity theft last year relative to 2003.
- With the fast growth of e-banking services among FICUs, and as scam artists become more sophisticated, identity theft has become a major risk for those FICUs offering e-banking services.
Slide 13
Continued -
- In a 2005 study, 14 percent of online consumers reported that they would stop using online banking due to concerns about phishing.
Slide 14
Risk-based Security Program
- Program should be enterprise-wide
- Perform a risk assessment
  o Consideration of controls to authenticate those seeking access to customer information
  o Take a risk-based and layered approach
- As the risk to sensitive customer information increases, the compensating controls contained within the institution's security program must also increase.
Slide 15
Enterprise-wide Authentication
- Adherence to corporate standards and architecture
- Integration within the overall information security framework
- Within lines of business
- Central authority for oversight and risk monitoring
Slide 16
Risk Assessment
- Type of customer
- Institution's transactional capabilities
- Sensitivity and value of the stored information
- Ease of using the method
- Size and volume of transactions
Slide 17
Security Measures
- Risks can be measured by the likelihood of harm and the impact of an occurrence.
- With respect to Internet transaction processing, three primary risks exist:
  o risk of monetary losses,
  o potential loss of future business, and
  o risk of compromising confidential customer information.
Slide 18
Continued - Implementation of security measures
- Risk matrix
  o Illustrates the type and likelihood of risk on one hand and the corresponding risk mitigation techniques on the other.
Slide 19
Risk Matrix (illustration only)
Slide 20
Three Factors of Authentication Methodologies
- Something the user knows (password)
- Something the user possesses (smart card)
- Something the user is (biometric characteristic, such as fingerprint or retinal pattern)
Slide 21
Authentication Tools
- Password
- PINs
- Digital certification using a PKI
- Physical devices
  o Smart card
  o Tokens
- Database comparison
- Biometric identifiers
Slide 22
Conclusion
- To comply with GLBA and FACTA, conduct a risk assessment to identify the types and levels of risk associated with e-banking applications.
- ID and password as the only control mechanism is no longer adequate for controlling remote access to sensitive information.
- Multi-factor authentication or other layered security is recommended to mitigate those risks.
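The risk-based, layered approach in Slides 14, 16, 20 and 22 can be expressed as a small policy engine: score an access request on the risk-assessment inputs (Slide 16), place it in a likelihood x impact matrix (Slides 17-18), and require more distinct authentication factor categories (Slide 20) as the score rises. The following is an added example written for this page, not code from the NCUA deck or any credit union system; the scoring scales, dollar thresholds and the three policy tiers are constructed assumptions, as is the `AccessRequest` input shape. It also shows the check a practitioner wants: two credentials from the same category (password plus PIN) do not count as two factors.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three authentication factor categories named in the guidance."""
    KNOWLEDGE = "something the user knows"        # password, PIN
    POSSESSION = "something the user possesses"   # smart card, token
    INHERENCE = "something the user is"           # fingerprint, retinal pattern


@dataclass(frozen=True)
class Credential:
    factor: Factor
    name: str   # e.g. "password", "hardware token"; label only


@dataclass(frozen=True)
class AccessRequest:
    """Risk-assessment inputs. Scales are constructed for this example."""
    customer_type: str      # "retail" or "commercial"
    transactional: bool     # can the channel move money, or only view balances?
    amount_usd: float       # value of the transaction being attempted
    data_sensitivity: int   # 1 = public, 2 = internal, 3 = confidential member info


def likelihood(req: AccessRequest) -> int:
    """1..3: how likely an attempted compromise is (assumed weighting)."""
    score = 1
    if req.transactional:
        score += 1   # money-moving capability attracts account takeover
    if req.customer_type == "commercial":
        score += 1   # larger balances, more targeted
    return score


def impact(req: AccessRequest) -> int:
    """1..3: worst of monetary loss and sensitivity of exposed member data."""
    if req.amount_usd >= 10_000:
        monetary = 3
    elif req.amount_usd >= 1_000:
        monetary = 2
    else:
        monetary = 1
    return max(monetary, req.data_sensitivity)


def risk_score(req: AccessRequest) -> int:
    """Risk matrix cell: likelihood x impact, in the range 1..9."""
    return likelihood(req) * impact(req)


def required_distinct_factors(req: AccessRequest) -> int:
    """Hypothetical policy tiers: as risk rises, so do the compensating controls."""
    score = risk_score(req)
    if score <= 2:
        return 1          # low risk: a single knowledge factor is tolerated
    if score <= 4:
        return 2          # medium risk: two different factor categories
    return 3              # high risk: all three categories


def distinct_factor_count(credentials) -> int:
    """Count categories, not credentials: password + PIN is still one factor."""
    return len({c.factor for c in credentials})


def authorize(req: AccessRequest, credentials):
    """Return (allowed, categories_required, categories_presented)."""
    needed = required_distinct_factors(req)
    have = distinct_factor_count(credentials)
    return have >= needed, needed, have


if __name__ == "__main__":
    # Constructed sample: a commercial member moving a large sum with only
    # knowledge factors presented. Expected outcome: denied, 3 needed, 1 presented.
    req = AccessRequest("commercial", True, 50_000.0, 3)
    creds = [Credential(Factor.KNOWLEDGE, "password"), Credential(Factor.KNOWLEDGE, "PIN")]
    print(authorize(req, creds))
```

The design choice worth noting is that the policy counts factor *categories*; a deployment that layers a PIN on top of a password has added a second credential but not a second factor, which is exactly the gap the conclusion slide is pointing at.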
Slide 23
Part 748 Appendix B Response Program
Slide 24
Part 748 Appendix B Response Program
Slide 25
Background
- Section 501(b) GLBA
- Part 748 Appendix A
- Increasing number of security breaches
- Revise Part 748 and add Appendix B, Response Program
Slide 26
Response Program
- Take preventative measures to safeguard member information
  o Place access controls
  o Conduct employee background checks
- Implement a risk-based response program
  o Appropriate to the size and complexity of the CU
  o Appropriate to the nature and scope of the activities
- Service provider
  o Address incidents
  o Notification of the CU
Slide 27
Components of Response Program
- Assessment
- Notification of primary regulator
- Notification of law enforcement authorities
- Proactive measures to contain/control the incident
- Monitoring, freezing, or closing affected accounts
- Member notification
Slide 28
Content of Member Notice
- Description of the incident in general terms
- Type of member information that was the subject of unauthorized access or use
- What the CU has done to protect the member's information
- Telephone number for further assistance
- Member should remain vigilant over the next 12-24 months
- Promptly report incidents of suspected ID theft to the CU
Slide 29
Continued -
- Review account statements and report suspicious activity to the CU
- Notify credit bureaus (consumer report)
- Obtain credit reports from the credit reporting agency
- Get Federal Trade Commission assistance
Slide 30
Changes from Proposal
- Standard for notice to member: more risk-based, less prescriptive
- Notice to regulator only if breach involves sensitive member information
Slide 31
Continued -
- Notice to regulators: delay to coordinate with law enforcement authorities
- Flagging, monitoring, securing accounts: left to the credit union's assessment of risk
- Content of notice: likewise risk-based
- Fraud alerts: less prescriptive; discuss with member, but not mandatory
Slide 32
NCUA Expectations for Compliance
Potential Questionnaire:
- Incorporated into overall security program
- Escalation process / incident response
- Review of notices (attorney review?)
- Enterprise-wide approach
- Reporting to senior management
- Member outreach / awareness programs
- Employee training programs