Information Security: Authentication In An Online Environment

Perhaps your financial institution is not currently allowing accounts to be opened over the Web, or loans to be applied for online, but it's only a matter of time before you do. When someone starts a transaction online, he wants to be able to finish it online. Customers get annoyed when they have to resort to off-line procedures to be able to engage in online transactions.

Your job is to determine how you can safely gain new customers electronically and minimize your risks in dealing with established customers in electronic transactions.

There are five different authentication tools and methodologies we can use to authenticate customers identity:

1. Passwords and personal identification numbers (PINS)
2. Digital certificates - These are used to verify that users sending a message are who they claim to be.
3. Public key infrastructure - A system of digital certificates, certificate authorities, and other registration processes used to verify and authenticate the validity of each party involved in an electronic transaction.
4. Tokens - Small physical devices that are usually used in conjunction with a password to gain entry to a computer system.
5. Biometrics - Authentication techniques that rely on measurable physical characteristics that can be automatically checked.

Examples include computer analysis of fingerprints or speech.

Risk Assessment
Assess the level of risk posed by a particular application.

• Do you offer data aggregation?
• Online banking?
• Electronic bill payment?
• Internet-originated wire transfers?
• Other forms of electronic banking?

The level of authentication used should be appropriate to the level of risk. In determining the level of risk, look at:

• whether the application is used by retail or commercial customers;
• the size and volume of transactions;
• the transactional capabilities; and
• the sensitivity and value of the stored information.

Take your cues from what is "commercially reasonable" in light of the reasonably foreseeable risks in the application, but keep in mind that what is considered commercially reasonable will change over time as technologies and threats evolve. You can't do your research initially, make a choice, then rest on your laurels. This is an area where someone in your shop must stay abreast of new risks and new technological offerings.

While so-called "single factor authentication tools" (like passwords and PINS) have been accepted in the past as commercially reasonable for certain retail ebanking activities, such as account inquiry, bill payment and aggregation - the increasing threat of hackers compromising more vulnerable single factor techniques may mean that it alone is not sufficient for high risk applications and transactions.

You may need either multi-factor techniques, or a tiered single factor authentication system that would include the use of multiple levels of a single factor. For instance, it could use two or more passwords or PINs used at different points in the authentication process.

Existing Customers
The goals of the authentication process with existing customers is to limit unauthorized access and to establish a foundation for enforcing electronic transactions and agreements - that is:
to validate the parties to the transaction and their agreement to the transaction's terms;
establish the authenticity of the records of the transaction;
establish the integrity of the records (i.e., that they have not been altered)

New Customers
Unlike a face-to-face situation where the person is sitting across the desk from you, an online account opening requires you to verify identity in a whole new way, whether it's a business customer or an individual. You cannot rely on observing and documenting traditional paper-based authentication. Reliable, alternative methods must be used.

There are three ways to verify personal information in the online environment:

1. Positive verification
2. Logical verification
3. Negative verification

These three should be supplemented with traditional methods. You'll still need to obtain copies of relevant identification documents, particularly under the requirements of the USA PATRIOT Act.

Positive Verification
You will attempt to ensure that important information provided to you by an applicant matches data from trusted third-party sources. For instance, by comparing the information given by the online applicant with information contained in a credit report or information in a third-party database designed specifically for positive verifications.

If you require a personal check to open the demand deposit or savings account, the check itself will provide you with information. If it is a starter kit check, for instance, it certainly would tip you off to some irregularity! The address on the check, the location of the drawee financial institution, the fact that you can verify the validity of the check itself will be of value. We still do not have the possible requirements for photo ID under the auspices of the Patriot Act, but they are apt to fall into the positive verification area.

Logical Verification
Your technique here would be to look for internal consistency. For example, does the zip code match the address that is given? Does the telephone number match the address? The Internet is the tool you want to use for logical verification.

Negative Verification
Use negative verification to compare the information being given with information associated with previous fraudulent activity. Is the address one that was associated with a fraud? Does the applicant's name raise any red flags due to association with prior fraud?

Mary Beth Guard, Esq. is Executive Editor of the web page, BankersOnline.com. She has spent close to 20 years teaching bankers and writing on banking laws and regulations. She is an Advisor and a regular columnist for the Bankers' Hotline.

Copyright © 2003 Bankers' Hotline. Originally appeared in Bankers' Hotline, Vol. 12, No. 10, 1/03