AUSTIN -- With the Federal Financial Institutions Examination Committee's deadline for implementing multi-factor authentication (MFA) looming, a series of hacking efforts that have managed to use the MFA movement against itself has some in the industry asking: is MFA really the answer to security issues?
The answer, according to a variety of industry experts: probably not.
Authentication tools take a lot of time and money, yet do very little to solve the problem of online fraud, according to several industry experts.
"These multi-factor authentication solutions only handle portions of the problem," said Kelly Dowell, executive director at the Credit Union Information Security Professionals Association here.
Security compliance software provider TraceSecurity agreed: "Most multi-factor solutions can be subverted," said Jim Stickley, chief technology officer at the Baton Rouge, La.-based company.
"Most credit unions wouldn't have implemented multi-factor authentication if they weren't required to, because it's very costly and not extremely effective," added Erik Petersen, vice president, professional services, SecureWorks, an Atlanta-based managed security services firm.
"You can even have an iris-scanning device, but what difference will it make if phishers send out an e-mail saying that the credit union's authentication system is down and members should provide ATM and PIN numbers?" Petersen said.
Multi-factor authentication is not mandated by NCUA guidance, yet credit unions were installing more MFA tools than any other new Internet application this year, according to Callahan and Associates' 2006 Technology Survey.
The Plot Thickens
The plot thickened recently when phishers started using credit unions' new dual-authentication tools against them. Phishers are sending e-mails that lure members to websites that require them to enter their credentials into phony authentication platforms.
"We found it ironic that phishers are using the NCUA guidance as a means to conduct more effective phishing," said Petersen.
"This scheme will probably have a greater yield rate in harvesting credentials because it's unusual and it's plausible," he added. No SecureWorks clients were victims yet of the recent attacks, the company said.
"The phishers' timing is ripe," said Ed Wood, director, network services, at $550-million Clearview FCU in Moon Township, Penn.
Clearview this month opens its MFA platform to members in an effort to meet the NCUA's imminent deadline for stronger authentication.
"We're live with the MFA enrollment process, so (the new phishing scheme) is a concern," Wood said.
Clearview is currently sending e-mails to members inviting them to go to the CU website and enroll in the authentication platform, Wood said. However, if members receive a similar e-mail from fraudsters, they may inadvertently click through and enroll at a phishing site instead, he said.
When this report went to press, Wood said that he was not aware that Clearview had been subjected to phishing attacks related to dual authentication.
With MFA tools undermined by the recent phishing ploys, application service providers were sure to be working on improvements, said Dowell.
"Due to the rush prompted by the regulations, and credit unions racing to put in the MFA tools, we will have to expect that vendors will provide upgrades to their products," he said.
What the upgrades will be is anyone's guess, said Dowell.
Vendors suggest that additional layers of security offered alongside some products, such as site verification tools built into browser toolbars, phishing detection and take-down services, and even biometrics, would help allay new threats.
Clearview plans to nip this latest phishing scheme in the bud with ongoing member education, said Wood.
"We will continue to communicate with our members to help them determine which e-mails are really coming from the credit union," he said. "Any security product is only as good as our member education."
The NCUA encourages credit unions to implement monitoring systems, fraud reporting, and member education programs, and, along with SecureWorks, said that risk assessment is critical.
"The information security program should include a re-evaluation of risk on a regular basis and take into account at least changes in technology, internal and external threats to information systems, changing business arrangements and changes to member information systems," said the NCUA.
Credit unions can identify threats using third-party testing, SAS70 Level II assessments, audit reports and communication from members, among other approaches, the NCUA added.
The NCUA said it will "come to agreement to implement stronger authentication methodology" with credit unions that fail to demonstrate sound practices during examinations.
A Stronger Program
A stronger anti-phishing program would include not only MFA, but intrusion prevention systems, firewalls, antivirus solutions and monitoring e-mails bounced to mail servers, said Petersen.
SecureWorks also recommends an early detection system and written plans on how to respond to incidents, he said.
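One of the controls Petersen lists, monitoring e-mails bounced to the credit union's mail servers, can be turned into a simple early-detection check: when phishers spoof the credit union's sending domain, undeliverable copies bounce back to the real domain's servers, so a burst of bounces for messages the credit union never sent points to a campaign in progress. The following is an added illustration, not code from the article, SecureWorks or any vendor; the log format, the domain `example-cu.test`, the `cu-` Message-ID prefix and the threshold are all assumptions.

```python
"""Flag a phishing campaign that spoofs the credit union's sending domain by
watching bounce (non-delivery) messages arriving at the CU's own mail servers.
Assumption: each bounce is logged as one line with a timestamp, the spoofed
sender address and the Message-ID of the undeliverable message; legitimate
mail from the CU carries Message-IDs in the CU's own format (prefix 'cu-')."""
from collections import Counter
from datetime import datetime

CU_DOMAIN = "example-cu.test"          # assumed CU mail domain (placeholder)
LEGIT_MSGID_PREFIX = "cu-"             # assumed Message-ID format for outbound CU mail
BOUNCE_THRESHOLD = 3                   # bounces/hour of unknown mail before alerting

# Constructed sample bounce log lines, not real data.
SAMPLE_LOG = """\
2007-01-15T09:02:11 bounce from=alerts@example-cu.test msgid=<cu-5512@example-cu.test>
2007-01-15T10:15:43 bounce from=security@example-cu.test msgid=<q9z1@198.51.100.23>
2007-01-15T10:16:02 bounce from=security@example-cu.test msgid=<q9z2@198.51.100.23>
2007-01-15T10:17:50 bounce from=security@example-cu.test msgid=<q9z3@198.51.100.23>
2007-01-15T10:18:09 bounce from=security@example-cu.test msgid=<q9z4@198.51.100.23>
2007-01-15T11:40:00 bounce from=info@example-cu.test msgid=<cu-5513@example-cu.test>
"""

def parse_bounce(line):
    """Return (hour_bucket, sender, msgid) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 4 or parts[1] != "bounce":
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    if "from" not in fields or "msgid" not in fields:
        return None
    return ts.replace(minute=0, second=0), fields["from"], fields["msgid"].strip("<>")

def is_unknown_cu_mail(sender, msgid):
    """True when the bounced message claims a CU sender but was not generated by the CU."""
    return sender.endswith("@" + CU_DOMAIN) and not msgid.startswith(LEGIT_MSGID_PREFIX)

def suspicious_hours(log_text, threshold=BOUNCE_THRESHOLD):
    """Return hour buckets with at least `threshold` bounces of spoofed CU mail."""
    per_hour = Counter()
    for line in log_text.splitlines():
        rec = parse_bounce(line)
        if rec and is_unknown_cu_mail(rec[1], rec[2]):
            per_hour[rec[0]] += 1
    return sorted(h for h, n in per_hour.items() if n >= threshold)

if __name__ == "__main__":
    for hour in suspicious_hours(SAMPLE_LOG):
        print(f"possible spoofing campaign: {hour:%Y-%m-%d %H:00}")
```

Run against the constructed log, the check reports the 10:00 hour, where four bounces carry the credit union's domain as sender but Message-IDs the credit union never issued, and ignores the two bounces of genuine outbound mail.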
RSA Security, the Bedford, Mass.-based company that is the largest provider of MFA security to credit unions, encourages credit unions to fight phishing with transaction monitoring systems inside home-banking applications, with authentication for telephone banking, which it calls the "next target for fraudsters," and with "constant monitoring," said Marc Gaffan, head of product marketing, RSA Consumer Solutions.
Reaching for stronger authentication beyond MFA should prove challenging for credit unions, said Dowell. "Historically, credit unions don't put enough resources into risk and security management because they are so low on resources. But MFA is, at least, a step forward."
(c) 2007 The Credit Union Journal and SourceMedia, Inc. All Rights Reserved. http://www.cujournal.com http://www.sourcemedia.com