Q: What are banks doing to address identity management challenges?
Gaur, DiamondCluster: Banks must take a holistic view of security and identity solutions to provide preventative, detective and corrective measures over all channels. As a detective measure, banks use sophisticated behavior and risk-based fraud detection solutions to verify suspicious transactions. As a preventative measure, some large banks are developing multichannel authentication strategies for their customers. As a corrective measure, banks have devised policies to rehabilitate their customers after an impact.
Carlson, BITS: Many of our member companies are participating in the Identity Theft Assistance Center, an organization that helps customers affected by identity theft deal with other financial institutions, credit bureaus and others in order to mitigate losses and restore the individual's good name. There are some efforts going on within the industry to share information about phishing attacks and as a means to refer information to law enforcement on the sources of those attacks.
Nussbacher, Viisage: Banks must adopt a multilayered approach to identity risk management as no one tool or technology is sufficient on its own. For example, in the branch, identity verification solutions that use public consumer records to test identity information should be combined with technologies that quickly establish the authenticity of identity documents. Only by using both technologies will banks adequately and consistently mitigate identity risk and prevent identity fraud.
Hunt, VASCO: More and more U.S. banks turn toward strong authentication (two-factor) products to protect against fraud. There is a definitive need for the banks to understand the impact that these solutions have on their customer. After all, there are three pieces to the puzzle: security vendor, bank and, ultimately, the customer. Therefore, the banks need to keep the customer in mind at all times throughout their decision and educate them on security.
Q: How are banks responding to the FFIEC's guidelines for multifactor authentication?
Carlson, BITS: Right now, there's a focus on looking at the authentication practices currently in place, and on analyzing the risks of those authentication systems today and what the risks may be in the future. The industry also is focused on examining what customers will find acceptable, since many of the current multifactor authentication practices are not particularly convenient. We also see an industry focus on dialog with third-party vendors to help identify those systems that strike the right balance in terms of increased security, cost and, most important, convenience.
Nussbacher, Viisage: Banks would be remiss to focus their efforts on the online channel alone or separately from other channels. Truly reducing fraud exposure requires a holistic, cross-channel approach. Two-factor authentication, for example, while securing online transacting, does not fully help with screening prospective customers online. This is because most authenticators are nothing more than access keys, and how can banks be certain about the holder of these keys to begin with? Collecting biometrics at the branch as part of customer identification programs is one example in which offline identity risk mitigation can facilitate the secure use of biometrics as strong factors of authentication in online banking.
Q: How do information security challenges for large banks and small banks differ?