Banks face Web security deadline

Majority of banks are unprepared to meet Dec. 31 deadline for complying with guidelines

For some bank IT managers, last fall's release of federal guidelines on validating the identities of online users helped catalyze ongoing efforts to adopt so-called strong authentication measures.

But a majority of U.S. banks appear unprepared to meet the Dec. 31 deadline for complying with the guidelines, several analysts said last week. They placed much of the blame for the current lack of preparedness on the fact that the guide-lines aren't mandatory and don't specify what form of strong authentication banks should implement.

"Most banks haven't done much with [the guidelines] because there is still some confusion as to what needs to be done," said George Tubin, an analyst at TowerGroup in Needham, Mass.

That isn't the case at Zions Bancorporation in Salt Lake City. Preston Woods, the company's chief information security officer, said the release of the guidelines last October by the Federal Financial Institutions Examination Council gave a push to a strong authentication initiative that Zions had already started. "It validated what we were doing, and it gave us a deadline," he said.

Earlier this month, the company's Zions Bank unit added a multifactor authentication feature called SecurEntry for users of its online banking services. Woods said SecurEntry is based on technology from RSA Security and allows Zions Bank to better authenticate users to its Web site and ensure that they know they're connected to a legitimate site.

The technology works by profiling the devices that customers typically use to log into the bank's online systems. Whenever there are changes, such as when a customer logs in from a new location or using a different system, SecurEntry challenges the user with specific questions that only he should be able to answer, Woods said. He added that the bank views the process as being minimally disruptive to users.

Desert Schools Federal Credit Union in Phoenix is using a similar authentication approach based on technology from Santa Clara, Calif.-based Bharosa Inc. to meet the FFIEC's guidelines. And like Zions, the credit union was already working toward multifactor authentication when the guidelines were released.

"It kind of moved things up for us," CIO Ron Amstutz said, adding that he thought the FFIEC was quite clear on what it wants banks to do.

The FFIEC's decision to not specify the use of any authentication methods may have caused some confusion early on, said Eric Bangerter, director of Internet services at the University of Wisconsin Credit Union in Madison. But, he added, it has allowed banks to choose the technologies that are best suited to their needs.

"I think it's a good thing, because it gives you flexibility," Bangerter said. He also began investigating strong authentication approaches before the guidelines were issued. Now the credit union has deployed technology from Reston, Va.-based Corillian Corp. that lets it profile users' systems and their online behavior and then challenge them to provide extra credentials if there is a change from the norm.

Addressing audit angst

The FFIEC is an interagency body set up to develop standards for the auditing of financial institutions. Although the council isn't mandating compliance with the authentication guidelines, it has said that banks will be audited against them starting next year.

Gartner analyst Avivah Litan estimated that no more than 20 percent of U.S. banks are in compliance now. "Many banks didn't take this very seriously early on," she said. "The usual questions I was getting were, 'How serious is this?' and 'What do the regulators want?' "

Litan added, though, that much of the confusion appears to be dissipating as the deadline gets closer and more banks begin to complete their risk assessments and figure out what kinds of strengthened authentication approaches they should take.

Many banks have contacted federal regulators to make sure the strong authentication measures they plan to implement will meet the FFIEC's guidelines, said Chris Young, senior vice president of RSA's consumer solutions division. "I don't, at this point, see a lot of head-scratching around what the best approach needs to be," he added.

But Jonathan Eber, a senior product manager at P&H Solutions in Boston, said he's still seeing a spectrum of attitudes toward the FFIEC guidelines. P&H sells software and services for linking banks with corporate customers.

About 35 percent of the banks that the company works with have "a sense of urgency about this," Eber said. "There is a middle part of the bell curve where people say, 'I know I have to do it, but I'll be in compliance by Q1 or Q2 of next year.' And there are some who say, 'This doesn't apply to me at all.' "

This story, "Banks face Web security deadline" was originally published by Computerworld.