WEST PALM BEACH, Fla. – Convenience vs. security. That's the online grudge match CUs are fighting as they try to make their online services as convenient as possible for members, while maintaining a sufficient level of security. One area this battle is most evident is in authenticating members for online transactional services such as online banking with funds transfer and bill pay capabilities; brokerage services enabled for online trading; and instant online lending applications. Authenticating users for online transactions is something the regulatory agencies have their eye on. The Federal Financial Institutions Examination Council, the umbrella group that includes all five of the financial regulators, recently issued guidance on authenticating users, and at press time NCUA said it will soon be issuing a Letter to Credit Unions on this issue. "Authentication of a person boils down to three things, something they have, something they know, and something they are. Obviously if you can use all three you're ahead of the game, but in today's world you typically will only be able to do one or two of them," said Rick Fleming, vice president of security operations for security firm Digital Defense, San Antonio, Texas. Something a member "has" could be a smart card or other device they plug into their PC or hold up to a reader; something they "know" could be a PIN, password, member number, etc.; and something they "are" includes biometric features such as retina or fingerprint scans. Fleming said biometrics and physical devices are great tools for authenticating members, but they can be expensive, especially when the device has to be placed in the member's home, not at a CU branch or kiosk. The cost a CU is willing to spend for better security is best determined by how much the online service puts the CU at risk, said Fleming. "I would say inquiry type transactions of home banking, like balance inquires, can be sufficiently protected with a long password," said Fleming. The typical password or PIN sign-in process is what the FFIEC refers to as a single-factor authentication process. Fleming said because of costs and technology limitations, the reality is that most CUs are using single-factor authentication methods for their online services. A two-factor authentication process would include a smart card or other physical device (something they have), in addition to a PIN/password (something they know). There are things CUs can do to make single-factor authentication more secure. Fleming recommends a password of eight or more characters that isn't a person's name or a word that can be found in a dictionary. He said hackers can run dictionary programs to identify just about any name or word password. Fleming advises throwing some numbers or unique keyboard characters into the mix, to make cracking passwords a bit tougher. Getting physical When you move beyond basic home banking, and into bill pay; the ability to transfer among different accounts at the CU; and brokerage services, Fleming believes CUs need more than just passwords to authenticate their members. Digital certificates that can be placed on members' PCs is one way to ensure better protection, but ideally, he said CUs will some day be using some type of physical device, such as a smart card or "token" device that basically unlocks a member's computer to engage in transactions. "A device they can hold up to a reader is another level of security. They can get expensive, but if you have users doing a lot of online brokerage type transactions, it's something to look at," said Fleming. He said these devices could be given just to the members who engage in these types of transactions, while basic online banking can remain a PIN/password system. Despite cost issues, physical devices are not far off. Some credit unions are looking into them on their own and Net banking vendors are trying to identify which devices would be the most secure, yet cost effective. Internet solutions firm FundsXpress said it has been testing a two-factor authentication process for about three months now. Dave Rook, vice president of technical operations for FundsXpress said the No. 1 factor hurting the use of physical devices is cost. Another issue is vendors such as FundsXpress not wanting to hurt their reputations by putting undue burdens on their clients. "When you have an existing customer base, and a good reputation for customer service you don't want to put a dent in that. It has to be a seamless integration with minimal impact to the clients. You can't say `by the way this is going to create down time, or you need more upgrades,' " said Rook. FundsXpress is testing a rotating security token device, where the server will be looking for a different token code each time a member signs on. The code could be displayed on an LCD screen for a member to type in, along with their normal password and PIN. Rook said it's important for these devices to be small and convenient so that they can be hooked onto a key chain or wallet. Rook said authentication of end-users is getting so much more attention these days because the types of transactions CUs are involved in are getting more sophisticated. " When you're going into a space where lending and account aggregation are being fused, and add in a digital wallet, you have a whole new venue of possibilities and exposures," said Rook. Fleming and Rook both noted that some CUs, for reasons unknown to them, do not shut down an online account after numerous failed sign-in attempts. Rook said FundsXpress only allows three failed attempts before shutting off access to an online account, while the industry standard is closer to five attempts. Fleming said no more than three attempts should be allowed. Breaches on the rise CUNA Mutual Insurance Society is seeing online losses related to authentication of members. "Authenticating members hits right at the heart of where our (online) claims are coming in," said Roger Nettie, risk specialist in the CU protection division of CUNA Mutual Group. Nettie said CUNA Mutual has had a handful of claims this year, mostly in the $10,000 to $25,000 range, that have resulted in perpetrators being able to obtain access to a member's online account and transfer funds to another account or wire money to another financial. Interestingly, though the Web is a high-tech channel, the techniques these perpetrators use to get access are often low-tech, such as calling the CU and posing as a member, or requesting a change of address that directs a member's information to their address. Nettie said the number of claims is up this year so far over last. He said CUMIS is also seeing more defacement issues, where CU sites are being hit with graffiti, but those types of attacks aren't as dangerous as far as monetary losses. Nettie is concerned about a recent claim where a perpetrator requested a change of address to commit the authentication scam online. "I'm concerned because they started with the address change in writing that appeared to be organized crime letterhead by the way it was laid out. They got into the account and did some transfers out of a line of credit," said Nettie. He said the letterhead is similar to what CUMIS has seen in other well organized scams in years past. "Ultimately passwords are just something you know. We want to get to something you know and something you are. I think down the road there will be more biometric functions, and more digital certificates where the member goes through a registration process. Then there are physical elements like USB devices you can carry around and plug in," said Nettie. As a risk specialist, Nettie said the FFIEC's guidance on authenticating online users is a welcome tool for him, and he is also anxiously awaiting NCUA's own guidance on the issue. Nettie said thieves are always looking for new ways to make money online. Yet another type of online fraud he warned of is called "spoofing" where someone sets up a mock Web site that claims to be some organization or company that it isn't. According to an Internet World Magazine story there was a case this year involving a large credit union where someone set up a mock sign-in screen for a CU's Web site, and then sent out an e-mail to the SEG's employees advertising a big CU promo that required the members to log-in to see what it was, thus giving the perpetrator members' PINs to crack into their home banking accounts. Fleming said there is a lot CUs can do to make their services more secure, but members may feel inconvenienced by the extra measures. "Security is inversely proportional to convenience. If you stop and look at it, it's so true. It doesn't mean that I can't make a convenient, secure solution, but it won't be the most convenient if I make it secure," said Fleming. [email protected]