ppn Technology™
Application of ppn Technology to the urgent need for Multi-factor Online Access Authentication
By Dr. Glenn Gearhart, CEO, ACAP Security Inc.
August 2005
The FDIC issued FIL-66-2005 directing banks to consider multi-factor authentication methods, which would limit the ability of identity thieves to compromise customer accounts, even when a thief has a customer’s ID, password and account number. This FIL guidance is consistent with FFIEC and the Interagency Examiner Guidelines issued by the Federal Reserve System, “Standards for Safeguarding Customer Information,” which implement sections of the Gramm-Leach-Bliley Act (GLBA). (1)(2)(3)
To comply with FIL-66-2005 it is necessary for a bank’s online customer authentication system to include at least one authentication factor which is separate and apart from the customer’s ID, password and account number. Simply adding another secret item, such as a customer’s zip code or phone number, to the existing online banking access control procedure is helpful, but it does not create a multi-factor authentication system.
One solution is based upon the use of two unique sets of access information, both of which are totally isolated as to data entry and data delivery to the authorizing party. To be a true multi-factor authentication method, each unique set must be entered at an independent entry point and each must be delivered to the authorizing party over a totally independent and isolated data network. No commingling of the sets can occur, or be possible, prior to their independent delivery to the authorizing party.
A post-entry online banking example is a bank customer who opens a bank’s SSL-secured online banking access webpage and then enters his ID and password to enter his online bank account. This ID and password entry is the first authentication set of a multi-factor authentication.
Upon entry of this information the bank customer is given access to his bank account information Web pages. At this level of security, the bank customer can view account information but he cannot make online payments, transfer funds, or make instant payments. To complete the multi-factor authentication, the bank customer must enter another separate unique item over an entry device and communication system isolated from those used to enter his ID and password.
An example of a second authentication set would be a PIN, where the PIN entry and the secure communication network do not use the Web, an Internet browser, or SSL. In this post-entry example, the two unique sets of information are provided over totally independent and secure data entry and delivery systems, thereby creating a set-based, multi-factor authentication system which is very effective, both from a security standpoint and from a customer acceptance point of view.
In a pre-entry example, the PIN is required as part of the online banking log-in procedure. The PIN is requested and entered following the completion of the entry of the first authentication set (the customer ID and password).
It is important to note that using the Web, an Internet browser, or SSL as an element in the second authentication process does not create a multi-factor authentication, because the entry processes and the delivery networks are not totally independent.
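The post-entry flow described above, modelled as an added example (constructed here; not ACAP's ppn Technology or any bank's code): the web login yields a view-only session, and only a correct PIN arriving over a channel other than the web, bound to that session, raises it to a transaction-capable level. The binding token, channel names and demo credentials are assumptions for the illustration.

```python
"""Toy two-channel step-up authentication model (constructed example)."""
import hmac
import secrets

# Constructed demo credentials; a real system stores salted hashes, not plaintext.
_USERS = {"alice": {"password": "correct horse", "pin": "4821"}}

VIEW_ONLY = "view"      # after ID + password over the web channel
TRANSACT = "transact"   # only after PIN over the independent channel


def _eq(a: str, b: str) -> bool:
    """Constant-time comparison so secret checks do not leak via timing."""
    return hmac.compare_digest(a.encode(), b.encode())


class Session:
    def __init__(self, user: str):
        self.user = user
        self.level = VIEW_ONLY
        # Opaque token shown in the web session; the out-of-band PIN submission
        # carries it so the two authentication sets can be matched server-side.
        self.binding = secrets.token_hex(8)


class AuthServer:
    def __init__(self):
        self.sessions = {}

    def web_login(self, user: str, password: str):
        """First set: ID + password over the web. Returns a view-only session."""
        rec = _USERS.get(user)
        if rec is None or not _eq(rec["password"], password):
            return None
        s = Session(user)
        self.sessions[s.binding] = s
        return s

    def submit_pin(self, binding: str, pin: str, channel: str) -> bool:
        """Second set: PIN delivered over a channel independent of the web."""
        s = self.sessions.get(binding)
        if s is None or channel == "web":   # same channel: not a second factor
            return False
        if not _eq(_USERS[s.user]["pin"], pin):
            return False
        s.level = TRANSACT
        return True

    def can_transfer(self, binding: str) -> bool:
        s = self.sessions.get(binding)
        return s is not None and s.level == TRANSACT
```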
The patent-pending personal private network technology, ppn Technology™ with PIN-SECURE™, is a true multi-factor authentication system compliant with FIL-66-2005 and FFIEC requirements. It is an effective add-on to a bank’s existing online banking service that requires no online banking customer download and is compatible with existing computer systems. (4)
“No bank or financial institution should accept the increased risk of online banking fraud when an effective, highly secure, and affordable solution is immediately available to dramatically reduce the risks.” Dr. Glenn Gearhart, February 2005
With ppn Technology™ all online banking customers can be secured with multi-factor authentication. For more information on multi-factor authentication, and the security compliance capabilities offered by the new ppn Technology™, visit www.acapsecurity.com, or contact an ACAP Security representative at 714-843-0099, or email info@acapsecurity.com.
References:
(1) FDIC Financial Institution Letters (FIL-66-2005), Guidance on Mitigating Risks from Spyware, July 22, 2005. http://www.fdic.gov/news/news/financial/2005/fil6605.html
(2) Federal Reserve System, Division of Banking Supervision and Regulation, Standards for Safeguarding Customer Information, SR 01-15 (sup), 5-31-01. http://www.ffiec.gov/ffiecinfobase/resources/info_sec/frb-sr-01-15-standards_safeguard_cus_info.pdf
(3) Federal Reserve System, Division of Banking Supervision and Regulation, FFIEC Guidance on Authentication, SR 01-20 (sup), 8-15-01. http://www.ffiec.gov/ffiecinfobase/resources/info_sec/frb-sr-01-20-ffiec-guidance_authentication.pdf
(4) Web address: http://www.acapsecurity.com/ select “Introduction” and “Bank Security Highlights,” and then follow the arrows to view the presentation.
PIN-SECURE, ppn Technology, and ACAP Security are trademarks of ACAP Security Inc.
By Glenn Gearhart, CEO, ACAP Security Inc., a provider of higher level security solutions to the financial industry. glenn@acapsecurity.com. Copyright 2005. ACAP Security Inc. All rights reserved.
White Paper: 081005 ACAP Security Inc.