AuditLink Advisor – October 2009

Now is the Time to Implement PIB

Recently this headline on a popular security site grabbed my attention.  “US banking security could be set for major changes following a court ruling where fraud victims alleged their bank was to blame”.   Imagine the significance of a judge ruling in favor of plaintiffs who are suing their bank for being irresponsible.  While there is substantially more to the story, the allegations are clear.  The plaintiffs claim that their bank failed to institute new technology which would require two-factor authentication to access their accounts.  They are seeking $26 thousand dollars as settlement from the bank because their account was compromised.  The article goes on state that a US Judge refused to grant summary judgment on behalf of the bank, and cleared the path for this case to go to trial.

Reading this article was timely.  That same week I received a call from a client asking for assistance in setting up Personal Internet Branch (PIB) and implementing secondary authentication.  Having recently completed a CUMIS audit, this client was acting on infractions they were cited for during their examination.  At that time their members could access online banking and audio banking using the same four digit password.  The only requirement to log in was an account number and password.  At the client’s request the CU*BASE screens were reviewed and changes made in less than one hour.  As a result the CUMIS requirements are now satisfied.

Another circumstance that prompted this newsletter is the fact that the CU*Answers CUSO is experiencing an examination this week by the NCUA and OFIR.  These organizations are examining our products and determining the manner in which they can be configured by our clients.  They ask that we require our credit unions to use secondary authentication through PIB and further, make it mandatory through the software to use the “complex password” feature of the system.   Our motto has always been “We make the tools not the rules”.  However, the point of this article is to turn your focus to what you can expect coming down the pipe.  I believe your auditors, examiners, and bonding agent will require both secondary authentication and complex passwords in the future.   

CU*Answers created PIB for our clients as a means for them to mitigate risks associated with their members’ use of online banking.  PIB is our solution to the secondary authentication (multi-factor) requirements pushed by the NCUA, FFIEC, and the FDIC.   Each of these organizations has published numerous letters and risk assessment requirements on this specific delivery channel over the last three to four years.   This influx of information is evidence that regulatory bodies are very serious about security and the onus to institute attentive compliance practices falls on your credit union during the examination process.  

Secondary authentication utilizing PIB is not rocket science, and to some degree is a matter of interpretation.  Some credit unions have activated all PIB features, including the “complex password” requirement.  This also means their members are enabled to completely configure their online banking experience.  One factor of secondary authentication requires the member to configure security questions on the system as an added level of validation for online banking.  Secondary authentication is achieved when the PIB settings are set to require the member to answer one of those configured questions each time they log in to online banking; not just when they forget their password.  

Requiring complex passwords is strongly recommended and is not part of secondary authentication. Instead the use of complex passwords is viewed as a necessity by regulators, and is not a feature subject to interpretation for online banking applications. There are good reasons behind this requirement.  Hacking into an account is vastly more difficult when a complex password is in place.  Implementing a secondary authentication factor increases the level of account protection even more. 

This quote from the Microsoft Technet website will help you understand the implications of complex passwords:

Given enough encrypted data, time, and computing power, attackers can compromise almost any cryptographic system. You can prevent such attackers from succeeding by making the task of cracking the password as difficult as possible. Two key strategies to accomplish this are to require users to set complex passwords and to require users to change their passwords periodically, so that attackers do not have sufficient time to crack the complex encryption code.

Complex Passwords

You should set password policy to require complex passwords, which contain a combination of uppercase and lowercase letters, numbers, and symbols, and are typically a minimum of seven characters long or more for all accounts……………

So why is it that so many of our clients are reluctant to require complex passwords or implement PIB?  My belief is that they are concerned about their members rejecting the imposed change or worse yet, they would simply stop using online banking due to its complicated log in process.  If that’s the case, toughen up.  Read the article referenced in the first sentence of this newsletter.  Dan Raywood, of SC Magazine clearly points out that financial institutions will be challenged when accountholders feel they have been victims of inadequately protected systems.  We’ve attached the complete article, not to be used as a weapon, but as a point of common interest and advisement to reevaluate your decision on mandating complex passwords and implementing the PIB application.  At the present time our industry has NCUA, FFIEC, state regulatory bodies, bonding companies, and even the legal system dictating a strategy that requires a much higher level of authentication.  

 What should you do now if you have not activated PIB?   Prepare for change.  Get your staff on board through education and knowledge exchange.  Help them communicate to your members what to expect throughout the new service rollout.  In the coming weeks CU*Answers will be assisting our credit unions who are not using PIB at this time.  Our goal is to have 100% participation with PIB activated for all clients.  Through this major initiative we will all have a deeper understanding of the PIB product itself, and benefit from the experience of a higher degree of security overall.  Included in this push will be:

Contact every credit union which has not yet activated PIB and the secondary authentication features.

  1. CU*”Answers’ Marketing Department, in concert with Xtend will develop a marketing and member communication tool set.  Included in the package will be member e-mail and online banking scripts and routines as well as sample newsletter articles.
  2. Scheduling laboratory style CU*Answers University web conferences to assist you in configuring the screens and making necessary decisions through the process.
  3. Producing a plug-and-play simple project plan that you can use to implement the process and communicate the why and how to your Board of Directors.

What should you do if you already have PIB turned on?   Congratulate yourself! Then schedule an annual review of the configuration screens. Be sure to document your reasons for configuring as you have this year.  This will be a serviceable document when reviewing features and enhancements in the future.  What other features of PIB would you would like to activate?  Watch for a future edition of the AuditLink Advisor where the merits of PIB will be discussed.  Plan to attend and be a contributing participant of PIB focus groups which will assemble in 2010.  Knowledge gained then can be applied immediately, setting your direction for altering the PIB service and online banking going forward.  While reviewing the configurations complete your review of the risk assessment of this delivery channel.   Remember CU*Answers has a template for completing your home banking risk assessment at .  When it comes to your member’s online banking experience, you want it to be secure and increasingly build their confidence in your credit union and self-service systems.


SC Magazine, September 21, 2009, Dan Raywood

The banking sector could face a major shake-up after a court in the US ruled that a bank failed to protect a user’s account against fraudulent access.

In a recent case, a US judge allowed Marsha and Michael Shames-Yeakel to bring a case against Citizens Financial Bank, who alleged that the bank failed to implement state-of-the-art security technology, as they were the victims of fraud perpetrated through their online bank account to the tune of $26,500.

The US District Judge refused to grant summary judgment in favour of the financial institution, clearing the way for the court case to take place. In her judgment, Rebecca Pallmeyer stated: “In light of citizens’ apparent delay in complying with FFIEC security standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs’ account against fraudulent access.”

Rik Ferguson, senior security advisor at Trend Micro, claimed that the case could have important ramifications across the US. He highlighted a 2005 FFIEC report entitled ‘Authentication in an internet banking environment’, that stated: “The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.”

Ferguson said: “The sheer volume of personal banking data and the ease with which it can be accessed is staggering. Don’t for a moment think that cost or lack of skill is a barrier to entry into the shady world of ‘carding’ and online financial fraud.

“Logon details for online banking are usually sold priced as a percentage of the available balance on the account. Today, bank accounts are available online for as little as three per cent including personal, business and offshore accounts.”

He claimed that online banking in the US still tends to rely on simple username and password combinations, and in the rare cases where a confirmation number is required, this is often sent to the customer’s email account, which is also easy for a criminal to compromise.

The US has used single factor authentication, based purely on something you know, in this case, your password, while in Europe, two-factor authentication has been common for years involving a username and password, the something you know and an additional piece of information, often based on something you have.

Ferguson said: “The deployment of these kinds of technologies in Europe, along with the language issues, means that the US is considered ‘low-hanging fruit’ for online banking fraud, and until financial institutions invest in the necessary deterrent technology, it will remain so.

“That being said though, two-factor authentication technology may not be familiar to even some European banking customers, because (as was the case with chip and PIN cards) certain European countries have also been guilty of tardiness in deploying security technologies for online banking. So, if your bank doesn’t require this additional security, you can bet that cybercriminals know this and that your bank and your account will be targets.”

He further claimed that it is worth remembering that you should not always rely on the goodwill of your financial institution to reimburse you for losses to cybercrime.

“An argument I have heard time and again from friends and acquaintances is ‘Why should I worry when the bank always reimburse any losses?’ If the losses to cybercrime ever become too much for UK banks for example, they can fall back on the provisions of their Banking Code which states ‘If you act without reasonable care, and this causes losses, you may be responsible for them’,” said Ferguson.

Leave a Reply

  • (will not be published)

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>