Security Basics mailing list archives

RE: Bankers on FFIEC
From: "John Katricak" <jkatricak () linuxmail org>
Date: Mon, 19 Mar 2007 15:02:09 -0500

Without re-reading the message, I would think that the persistent cookie or email passcode would meet the condition of 
being "multifactor."  At the very least, a thief would now have to do one of the following:

1. Learn the online banking user ID and password, AND learn the email account user ID and password.  Due to some 
obfuscated rules requiring so many letters and numbers in the online banking credentials, I doubt these will ever be 
the same.

2. Learn the online banking user ID and password, AND break into the person's house to use their computer.

Of course, #2 is thrown out the window if someone logs in at work and doesn't lock their screen while they're away.  
Both are moot if the customer uses a public terminal (library, computer lab, airport) and isn't careful about the 
cookies from online banking or their webmail.

In another strike against the security questions, wouldn't people be more likely to write down their questions and 
answers on the same sheet of paper where they wrote down their user ID and password?  That completely throws the 
two-step security out the window.  The passcodes are valid for only 60 minutes, so even if one was written down with 
the user ID and password, the odds are against it still being valid by the time someone steals and reads it.

John Katricak

----- Original Message -----
From: "Ken Kousky" <kkousky () ip3inc com>
To: "'John Katricak'" <jkatricak () linuxmail org>, security-basics () securityfocus com
Subject: RE: Bankers on FFIEC
Date: Thu, 15 Mar 2007 14:09:02 -0400

Great hijack - do persistent cookies and additional questions meet the
standard? What about risk consideration and stronger controls on wire
transfers from business accounts?

The guidance is a great document but it seems it isn't being taken as
seriously as it should be - I've also been asked what's the risk of not
meeting the requirements or doing a poor job of it? Maybe big dollar
litigation rather than the rage from regulators.

Anyway, here's the FFIEC doc for those who are interested:


-----Original Message-----
From: John Katricak [mailto:jkatricak () linuxmail org]
Sent: Thursday, March 15, 2007 10:11 AM
To: Ken Kousky; security-basics () securityfocus com
Subject: Re: Bankers on FFIEC

I suppose this is as good a time as any to make my first post to this list.

I work closely with online banking at a small, local savings & loan.  We get
our online banking product through an outside vendor, Digital Insight (now
owned by Intuit).  As Digital Insight (DI) explained to us, there are three
main factors of authentication:
"Something you know"
"Something you have"
"Something you are"

DI gave us two options to comply with the FFIEC guidelines.  For option one,
the user could be asked an additional security question after logging in
with their user ID and password.  Option two was to email the users a
one-time-use passcode that they would have to enter after logging in with
their user ID and password.  For both options, users also had the choice to
add a browser cookie and Flash player cookie/shared object to computers they
used frequently.  If our online banking site found the cookie on that user's
computer, it would skip the security question or passcode step.  (The
cookies are user-dependent, so if more than one user uses online banking on
the same machine, they would each have to set up their own cookie.)

User IDs and passwords are "something you know."  Passcodes (when sent by
email) and cookies are "something you have."  But as Ken alludes to,
security questions are also "something you know."  So it's not really
another factor, it's "something you know, and something else you know."

We chose the email passcode option, but it has not worked perfectly.  Some
users do not have access to their email from everywhere (for example, they
are not allowed to access their home email from work, and cannot access
their work email from home), and some ISPs are rejecting the passcode emails
as spam without any warning to us or the customers.  (Part of the reason for
this, I suspect, is because the emails are coming from Digital Insight with
a high priority setting and our email address as the return/reply-to

We were thinking of switching to the security questions option, but in light
of Ken's email, I would love to see where this discussion goes.

If Ken doesn't mind a minor thread hijack, I would also like to know if
there are any banks who aren't requiring ANY additional security besides the
user ID and password.  The FFIEC guidance is just that - guidance, and not a
requirement.  Many users have used the "my other banks don't make me do
this," and I'm curious to see how many of those claims are true.

Thank you,
John Katricak

----- Original Message -----
From: "Ken Kousky" <kkousky () ip3inc com>
To: security-basics () securityfocus com
Subject: Bankers on FFIEC
Date: Wed, 14 Mar 2007 20:42:52 -0400

The FFIEC guidance on online banking calls for strong authentication,
applied based on appropriate risk analysis and they even spell out the
factors of authentication and state that single factor password
authentication isn't adequate. Yet, I've found many banks adding additional
questions to the login sequence and thinking they've added another factor.

Does anybody have experience with this situation and understand how banks
are getting around the Guidance for Online Banking requirements?
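As an added illustration, not code from anyone in this thread or from Digital Insight, the following Python sketch models the two mechanisms John describes: a one-time emailed passcode that is valid for 60 minutes and consumed on first use, and a user-dependent "remembered computer" cookie that lets the site skip the passcode step. The class name SecondFactorStore, the injected clock and the eight-digit code format are assumptions of this example; the server keeps only salted hashes of the secrets, so a copied database row is not by itself enough to pass the step.

```python
import hashlib
import hmac
import secrets
import time

PASSCODE_TTL_SECONDS = 60 * 60  # thread: passcodes are valid for only 60 minutes


class SecondFactorStore:
    """Server-side state for the emailed passcode and the remembered-computer cookie.
    (Assumed design for this example; the vendor's real implementation is not on the page.)"""

    def __init__(self, now=time.time):
        self._now = now               # injectable clock so expiry can be tested offline
        self._passcodes = {}          # user_id -> (salt, digest, issued_at)
        self._device_tokens = {}      # user_id -> set of token digests

    @staticmethod
    def _digest(salt, secret):
        return hashlib.sha256(salt + secret.encode()).hexdigest()

    def issue_passcode(self, user_id):
        """Mint a fresh single-use code. The return value is what would be emailed;
        only a salted hash and the issue time stay on the server. Re-issuing replaces
        any earlier unused code for the same user."""
        code = f"{secrets.randbelow(10**8):08d}"
        salt = secrets.token_bytes(16)
        self._passcodes[user_id] = (salt, self._digest(salt, code), self._now())
        return code

    def verify_passcode(self, user_id, candidate):
        """True once, within the TTL, for the code that was issued to this user."""
        entry = self._passcodes.get(user_id)
        if entry is None:
            return False
        salt, digest, issued_at = entry
        if self._now() - issued_at > PASSCODE_TTL_SECONDS:
            del self._passcodes[user_id]      # expired: a written-down code is useless now
            return False
        ok = hmac.compare_digest(digest, self._digest(salt, candidate))
        if ok:
            del self._passcodes[user_id]      # single use: consumed on first success
        return ok

    def register_device(self, user_id):
        """Mint a random cookie value bound to this user and store only its hash.
        The token is high-entropy, so no per-token salt is needed."""
        token = secrets.token_urlsafe(32)
        self._device_tokens.setdefault(user_id, set()).add(self._digest(b"", token))
        return token

    def device_recognised(self, user_id, cookie_value):
        """True only if the cookie was minted for this user (cookies are user-dependent,
        so another account on the same machine gets no benefit from it)."""
        if not cookie_value:
            return False
        return self._digest(b"", cookie_value) in self._device_tokens.get(user_id, set())


def second_step(store, user_id, cookie_value):
    """Decide what happens after a correct user ID and password: skip the extra step
    when the computer is remembered, otherwise email a passcode and require it."""
    if store.device_recognised(user_id, cookie_value):
        return "skip"
    store.issue_passcode(user_id)   # in production this is where the email is sent
    return "passcode"


if __name__ == "__main__":
    store = SecondFactorStore()
    print(second_step(store, "alice", None))              # passcode
    cookie = store.register_device("alice")
    print(second_step(store, "alice", cookie))            # skip
    print(second_step(store, "bob", cookie))              # passcode (cookie is alice's)
```

The injected clock is what makes the 60-minute rule checkable: advance it past the TTL and the stored code stops verifying, which is the property John relies on when he argues that a passcode written next to the user ID and password is unlikely to still be valid when stolen.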
