
9/14/2006 08:20 AM

Banks Launch Authentication Project

The Financial Services Technology Consortium builds testbed for authenticating bank Websites and emails

Today there's no sure way for customers to know if they're on a legitimate bank site or a spoofed one -- which puts both customers and banks at risk.

So the Financial Services Technology Consortium (FSTC) is building a testbed at Columbia University to study emerging products and technologies for authenticating a financial institution. Called the Financial Institutions to Consumers project, the initiative includes key software vendors such as Microsoft, RSA Security, and VeriSign.

Financial industry regulators already require banks to provide multifactor authentication for their online banking customers, but the other half of the equation yet to be addressed is strong authentication on the bank's side of the transaction, financial executives say. This institution-side authentication would assure customers that they're actually dealing with their bank, rather than a phisher, and underscores the growing pressure to build mutual authentication into financial transactions.

Banks are already required by the Federal Financial Institutions Examination Council to offer customers multifactor authentication. (See Putting Security in the Bank.)

"In addition to the idea of stronger authentication with the FFIEC regulations, there's also the need for mutual authentication," says Dan Schutzer, executive director of the FSTC. "Without that you are vulnerable no matter how strong your authentication is."

That means a customer would be at risk of a man-in-the-middle attack, for instance, he says. "No good authentication takes place unless the two parties know who they are dealing with." Most banks today just have the digital certificates in their SSL sessions, Schutzer says. Those certs just secure the session itself.

The newer, so-called "high assurance" certificate technology may be promising for helping banks protect their customers as well as themselves from a rising tide of spam and phishing emails, too, he says.

Dan Rhodes, policy manager for payments and technology for the American Bankers Association, agrees. "Mutual authentication is going to be next," he said at the Cyber Security Executive Summit in New York yesterday.

FSTC's project so far involves 24 organizations, although Schutzer can't name the participating banks. It will test upcoming browsers from Microsoft and Opera, next-generation authentication software from RSA and VeriSign, and other products. "Using a case study scenario, we'll provide services to a 'customer' over the Web and through email," he says. "Then we'll assess how vulnerable or not the 'customer' is to various threats."

The project will determine how reliable the high assurance certificate-based products are, and help banks understand how to deploy them. It may also yield a process by which banks go to the Department of the Treasury or the American Bankers Association to get a "seal" that shows users they are on a legitimate Website, or that an email from their bank really is genuine, Schutzer says. The process may also include digital signatures as a way to certify emails.

"Can I do this so that the page can't be hijacked? We want to make sure these solutions are done so they aren't subject to hacks," he says. "And how do I want to deploy them for online banking, and how will customers use them?"

The FSTC plans to issue a report on the testbed in six months. It will give banks recommendations on how to implement their institution-side authentication.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Microsoft Corp. (Nasdaq: MSFT)
  • RSA Security Inc. (Nasdaq: EMC)
  • VeriSign Inc. (Nasdaq: VRSN)
