Banks Launch Authentication Project

The Financial Services Technology Consortium builds testbed for authenticating bank Websites and emails

Today there's no sure way for customers to know if they're on a legitimate bank site or a spoofed one -- which puts both customers and banks at risk.

So the Financial Services Technology Consortium (FSTC) is building a testbed at Columbia University to study emerging products and technologies for authenticating a financial institution. Called the Financial Institutions to Consumers project, the initiative includes key software vendors such as Microsoft, RSA Security, and VeriSign.

Financial industry regulators already require banks to provide multifactor authentication for their online banking customers, but the other half of the equation, strong authentication on the bank's side of the transaction, has yet to be addressed, financial executives say. Institution-side authentication would assure customers that they are actually dealing with their bank rather than a phisher, and the push for it underscores the growing pressure to build mutual authentication into financial transactions.

Banks are already required by the Federal Financial Institutions Examination Council to offer customers multifactor authentication. (See Putting Security in the Bank.)

"In addition to the idea of stronger authentication with the FFIEC regulations, there's also the need for mutual authentication," says Dan Schutzer, executive director of the FSTC. "Without that you are vulnerable no matter how strong your authentication is."

That means a customer would be at risk of a man-in-the-middle attack, for instance, he says. "No good authentication takes place unless the two parties know who they are dealing with." Most banks today just have the digital certificates in their SSL sessions, Schutzer says. Those certs just secure the session itself.
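Schutzer's point that authentication has to run in both directions can be made concrete with a toy protocol exchange. The block below is an added example written for this article; it is not the FSTC testbed's design or any participating vendor's product. It assumes that the bank and each customer share a per-customer key established at enrollment, and that both ends of a connection see the same channel identifier (standing in for a TLS channel binding such as a hash of the server certificate the customer's browser received); every name in it is hypothetical. The bank must prove knowledge of the customer's key before the customer proves anything, so an impersonator without the key is caught at the first step, and one that relays the customer's challenge to the real bank gets back a proof bound to the wrong channel.

```python
# Toy mutual challenge-response protocol with channel binding.
# Added example for this article; not the FSTC testbed's design or any vendor's
# product. Assumptions (hypothetical): each customer shares a key with the bank
# from enrollment, and both ends of a connection see the same channel_id
# (standing in for a TLS channel binding, e.g. a hash of the server certificate).
import hashlib
import hmac
import secrets


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts so fields cannot be re-split."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big") + part)
    return mac.digest()


class Bank:
    """The genuine institution: proves knowledge of the customer's key first."""

    def __init__(self, enrolled: dict):
        self.enrolled = enrolled  # customer_id -> shared key (hypothetical store)

    def respond(self, customer_id: bytes, c_nonce: bytes, channel_id: bytes):
        b_nonce = secrets.token_bytes(16)
        proof = prf(self.enrolled[customer_id], b"bank->customer",
                    c_nonce, b_nonce, channel_id)
        return b_nonce, proof

    def verify_customer(self, customer_id, c_nonce, b_nonce, channel_id, proof):
        expected = prf(self.enrolled[customer_id], b"customer->bank",
                       c_nonce, b_nonce, channel_id)
        return hmac.compare_digest(expected, proof)


class Customer:
    """The customer's client: refuses to authenticate until the bank has."""

    def __init__(self, customer_id: bytes, key: bytes):
        self.customer_id, self.key = customer_id, key

    def challenge(self) -> bytes:
        self.c_nonce = secrets.token_bytes(16)
        return self.c_nonce

    def verify_bank(self, b_nonce, proof, channel_id) -> bool:
        expected = prf(self.key, b"bank->customer", self.c_nonce, b_nonce, channel_id)
        return hmac.compare_digest(expected, proof)

    def prove(self, b_nonce, channel_id) -> bytes:
        return prf(self.key, b"customer->bank", self.c_nonce, b_nonce, channel_id)


class Phisher:
    """A spoofed bank site. Knows no keys; may relay to the real bank over its
    own, separate connection (whose channel_id differs from the customer's)."""

    def __init__(self, real_bank=None):
        self.real_bank = real_bank
        self.upstream_channel = secrets.token_bytes(32)

    def respond(self, customer_id, c_nonce, channel_id):
        if self.real_bank is None:
            return secrets.token_bytes(16), secrets.token_bytes(32)  # bluff
        # Relay the challenge; the bank's proof is bound to the upstream channel.
        return self.real_bank.respond(customer_id, c_nonce, self.upstream_channel)

    def verify_customer(self, *_):
        return False  # never reached: the customer aborts before proving


def run_session(customer: Customer, server) -> str:
    """One exchange over a fresh channel; returns the outcome as text."""
    channel_id = secrets.token_bytes(32)  # what this connection binds to
    c_nonce = customer.challenge()
    b_nonce, bank_proof = server.respond(customer.customer_id, c_nonce, channel_id)
    if not customer.verify_bank(b_nonce, bank_proof, channel_id):
        return "customer aborted: server could not prove it is the bank"
    # Only now does the customer release anything tied to its own key.
    c_proof = customer.prove(b_nonce, channel_id)
    if server.verify_customer(customer.customer_id, c_nonce, b_nonce, channel_id, c_proof):
        return "mutual authentication succeeded"
    return "bank rejected customer"


def demo() -> dict:
    """Constructed scenario: one enrolled customer, three kinds of server."""
    key = secrets.token_bytes(32)
    bank = Bank({b"cust-0001": key})
    alice = Customer(b"cust-0001", key)
    return {
        "genuine bank": run_session(alice, bank),
        "phisher bluffing": run_session(alice, Phisher()),
        "phisher relaying to real bank": run_session(alice, Phisher(real_bank=bank)),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:30s} -> {outcome}")
```

Running demo() shows the three outcomes. The ordering is the point: because the customer withholds its own proof until the server's proof verifies, a phishing site collects nothing it can replay, and the relay variant fails because the genuine bank's proof is tied to a connection the customer never made. That is the institution-side half of the exchange the article describes as still missing.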

The newer, so-called "high assurance" certificates (the approach that was later standardized as Extended Validation certificates) also hold promise for helping banks protect their customers, and themselves, from a rising tide of spam and phishing emails, he says.

Dan Rhodes, policy manager for payments and technology for the American Bankers Association, agrees. "Mutual authentication is going to be next," he said at the Cyber Security Executive Summit in New York yesterday.

FSTC's project so far involves 24 organizations, although Schutzer can't name the participating banks. It will test upcoming browsers from Microsoft and Opera, next-generation authentication software from RSA and VeriSign, and other products. "Using a case study scenario, we'll provide services to a 'customer' over the Web and through email," he says. "Then we'll assess how vulnerable or not the 'customer' is to various threats."

The project will determine how reliable the high assurance certificate-based products are and help banks understand how to deploy them. It may also yield a process in which banks obtain, from the Department of the Treasury or the American Bankers Association, a "seal" that shows users they are on a legitimate Website or that an email from their bank is genuine, Schutzer says. That process may also use digital signatures to certify emails.

"Can I do this so that page can't be hijacked? We want to make sure these solutions are done so they aren't subject to hacks," he says. "And how do I want to deploy them for online banking, and how will customers use them?"

The FSTC plans to issue a report on the testbed in six months, with recommendations on how banks should implement this authentication.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
