Three Corporates Upgrade Security with New MFA System
Three corporate credit unions that use the Member$MART online application are midway through upgrading to a second-generation system that meets the latest Federal Financial Institutions Examination Council requirements.
All three corporates are members of the Corporate Synergies CUSO. Southeast Corporate has converted the bulk of its 2,600 users to the new system. In July, users at VACORP were transitioning to the new platform. Georgia Central members are making the switch in August. Once the upgrade is complete, more than 4,000 members from 800 credit unions will be using the enhanced product.
Steve Jones, director of product support and implementation at Southeast Corporate, said NCUA and others have expressed concern about high-risk systems involving monetary transactions.
The latest system involves multi-factor authentication, an FFIEC requirement.
"[MFA] requires something that you know, and something that you have," Jones explained. "The multi-factor we were using was something that you know (a user ID) and something that you have, which was actually a certificate or a cookie downloaded to the computer."
The problem with a certificate or cookie on the computer, he continued, is that it could expire or become lost during an upgrade to that specific computer. The new-generation system is not only more secure, but also more practical.
"During the registration process the user registers and answers questions, and labels an image with a phrase, which is typical of a security system making sure the user is going to the correct site by seeing the image and the phrase they created to go with that image," Jones said.
"Additionally they answer the challenge question, and finally they download a grid card. Once they have the grid card, that satisfies the 'something you have' requirement. So when they log in they use their user ID and their password, then they're presented with a challenge to respond from the grid card."
Jones acknowledged that the new security system can take some getting used to for a member. "Any time you introduce a change, and in this particular case the addition of two more pieces of information (a password and the grid card), there is a behavior modification that has to take place," he said. "It was important to communicate the reasons behind the change and emphasize the increased security and practicality."
As the first to roll out the new system, Southeast Corporate was able to share some lessons with the other two corporates and also provide materials such as reference guides to screen navigation. Having phased some 500 users a week into the system, Southeast Corporate was able to identify common member questions.
Jones said collaboration among the three corporates involved finding commonalities in the system and applications they would be using as well as the unique functions each could serve. There was a certain degree of synergy, which meant each corporate did not have to learn for itself what another had already discovered.
Mary Anne Spiegel, chief operating officer of Corporate Synergies, added that the three corporates share ideas and split the costs on the applications the CUSO hosts. The costs are divided according to the number of users each corporate serves.
"With MFA we worked together to find the right solution," she said. "We have different groups of members (going on the system) each week. This spreads out the support provided by the CUSO. When they're registering it's a bit of a process, but after that it's pretty easy.
"We provided training to corporate users so they will be able to support their members once the implementation phase is complete. We've developed together the documentation and other information they've sent out to their members. It's pretty intuitive.
"There have been a lot of improvements in MFA since we first introduced it two or three years ago. The application we are putting in place now is much more secure."