08:20 AM
Banks Launch Authentication Project

The Financial Services Technology Consortium builds testbed for authenticating bank Websites and emails

Today there's no sure way for customers to know if they're on a legitimate bank site or a spoofed one -- which puts both customers and banks at risk.

So the Financial Services Technology Consortium (FSTC) is building a testbed at Columbia University to study emerging products and technologies for authenticating a financial institution. Called the Financial Institutions to Consumers project, the initiative includes key software vendors such as Microsoft, RSA Security, and VeriSign.

Financial industry regulators already require banks to provide multifactor authentication for their online banking customers, but the other half of the equation yet to be addressed is strong authentication on the bank's side of the transaction, financial executives say. This institution-side authentication would assure customers that they're actually dealing with their bank, rather than a phisher, and underscores the growing pressure to build mutual authentication into financial transactions.

Banks are already required by the Federal Financial Institutions Examination Council to offer customers multifactor authentication. (See Putting Security in the Bank.)

"In addition to the idea of stronger authentication with the FFIEC regulations, there's also the need for mutual authentication," says Dan Schutzer, executive director of the FSTC. "Without that you are vulnerable no matter how strong your authentication is."

That means a customer would be at risk of a man-in-the-middle attack, for instance, he says. "No good authentication takes place unless the two parties know who they are dealing with." Most banks today just have the digital certificates in their SSL sessions, Schutzer says. Those certs just secure the session itself.

The newer, so-called "high assurance" certificate technology may be promising for helping banks protect their customers as well as themselves from a rising tide of spam and phishing emails, too, he says.
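The point Schutzer makes about man-in-the-middle attacks is easy to see in code. The following is an added illustration, not FSTC's testbed or any vendor's product: a customer with a one-time password logs in through a look-alike phishing site that simply relays the exchange to the real bank. With customer-only authentication the relay succeeds; when the customer's proof also covers the origin the browser is actually connected to (the "bank side" of mutual authentication), the relayed proof no longer verifies. The origin names, the user "alice", the HMAC-based proof and the simplified event-based OTP are constructed assumptions for the example; the OTP routine follows the RFC 4226 truncation so it can be checked against that RFC's test vector.

```python
"""Added example: why a relaying phisher beats one-sided strong auth, and how
binding the server's identity into the customer's proof stops the relay.
Simplified model, not FSTC, RSA, VeriSign or Microsoft code."""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://bank.example"             # constructed: the genuine bank
PHISH_ORIGIN = "https://bank-login.example.net"  # constructed: look-alike site


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP: HMAC-SHA1 over the counter, RFC 4226 dynamic truncation."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class Bank:
    def __init__(self, origin: str):
        self.origin = origin
        self.users = {}       # name -> (otp_seed, bind_key)
        self.counters = {}    # name -> next expected OTP counter
        self.nonces = set()   # outstanding single-use challenges
        self.sessions = set()

    def enroll(self, name: str, otp_seed: bytes, bind_key: bytes) -> None:
        self.users[name] = (otp_seed, bind_key)
        self.counters[name] = 0

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.nonces.add(nonce)
        return nonce

    def _consume(self, nonce: bytes) -> bool:
        if nonce not in self.nonces:
            return False
        self.nonces.discard(nonce)  # replaying an old challenge is rejected
        return True

    def login_otp(self, name: str, otp: str, nonce: bytes):
        """One-sided auth: the customer proves who they are, the bank proves nothing."""
        if name not in self.users or not self._consume(nonce):
            return None
        seed, _ = self.users[name]
        if not hmac.compare_digest(otp, hotp(seed, self.counters[name])):
            return None
        self.counters[name] += 1
        token = secrets.token_hex(8)
        self.sessions.add(token)
        return token

    def login_bound(self, name: str, proof: bytes, nonce: bytes):
        """Mutual auth: the proof must cover the bank's own origin, so a proof
        computed for a phishing origin fails even if relayed verbatim."""
        if name not in self.users or not self._consume(nonce):
            return None
        _, key = self.users[name]
        expected = hmac.new(key, nonce + self.origin.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(proof, expected):
            return None
        token = secrets.token_hex(8)
        self.sessions.add(token)
        return token


class Customer:
    def __init__(self, otp_seed: bytes, bind_key: bytes):
        self.seed, self.key, self.counter = otp_seed, bind_key, 0

    def answer_otp(self) -> str:
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return code  # the customer types this wherever the login page is

    def answer_bound(self, nonce: bytes, origin_in_address_bar: str) -> bytes:
        # The client software, not the user, binds the origin it really reached.
        return hmac.new(self.key, nonce + origin_in_address_bar.encode(),
                        hashlib.sha256).digest()


def _setup():
    seed, key = secrets.token_bytes(20), secrets.token_bytes(32)
    bank = Bank(REAL_ORIGIN)
    bank.enroll("alice", seed, key)
    return bank, Customer(seed, key)


def relay_attack_otp() -> bool:
    """Phisher fetches the real challenge, harvests the OTP, replays it."""
    bank, alice = _setup()
    nonce = bank.challenge()
    return bank.login_otp("alice", alice.answer_otp(), nonce) is not None


def relay_attack_bound() -> bool:
    """Same relay, but the proof was bound to the phishing origin the browser saw."""
    bank, alice = _setup()
    nonce = bank.challenge()
    return bank.login_bound("alice", alice.answer_bound(nonce, PHISH_ORIGIN), nonce) is not None


def honest_login_bound() -> bool:
    bank, alice = _setup()
    nonce = bank.challenge()
    return bank.login_bound("alice", alice.answer_bound(nonce, REAL_ORIGIN), nonce) is not None
```

The binding only helps if the client learns the origin from something the phisher cannot forge, which in practice means the browser's validated TLS certificate and hostname; that is exactly the institution-side authentication the project sets out to evaluate. A customer who types an OTP into whatever page asks for it, as in `relay_attack_otp`, gets no protection from the OTP's strength alone.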

Dan Rhodes, policy manager for payments and technology for the American Bankers Association, agrees. "Mutual authentication is going to be next," he said at the Cyber Security Executive Summit in New York yesterday.

FSTC's project so far involves 24 organizations, although Schutzer can't name the participating banks. It will test upcoming browsers from Microsoft and Opera, for instance, next-generation authentication software from RSA and VeriSign, as well as other products. "Using a case study scenario, we'll provide services to a 'customer' over the Web and through email," he says. "Then we'll assess how vulnerable or not the 'customer' is to various threats."

The project will determine how reliable the high assurance certificate-based products are, as well as help banks understand how to deploy them. It also may yield a process where banks go to the Department of Treasury or the American Bankers Association to get their "seal" that shows users they are on a legitimate Website, or that the email from their bank really is genuine, Schutzer says. The process may also include digital signatures as a way to certify emails, for instance.

"Can I do this so that page can't be hijacked? We want to make sure these solutions are done so they aren't subject to hacks," he says. "And how do I want to deploy them for online banking, and how will customers use them?"

The FSTC plans to issue a report on the testbed in six months. It will provide banks with recommendations on how to implement their authentication.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
