With losses from identity-related fraud topping $52 billion, the need to
rein in identity thieves has been a pressing problem for financial
services firms.
But with banks and merchants still lost in the sea of costly new
technologies for authenticating legitimate financial transactions,
banking regulators last week fired yet another warning shot across the
industry’s collective bow, putting them on notice that it’s time to begin
making some hard — and expensive — choices.
Last Wednesday, the Federal Financial Institutions Examination Council
(FFIEC) issued its recommendation that
banks begin planning to introduce multi-factor authentication
technologies by the end of 2006.
Recognizing that the growth of online and other forms of electronic
banking has increased the opportunity for criminals to take advantage of
those environments, the FFIEC has warned banks that there is no time to
waste in finding ways to reduce the risks for financial institutions and
their customers.
The guidance document does not endorse any particular technology; rather,
it focuses on the need for risk-based assessment and customer awareness,
along with the need for financial institutions to implement appropriate
risk mitigation strategies, including security measures to reliably
authenticate customers accessing their financial institutions’
Internet-based services.
The FFIEC pronouncement comes just a few months after a similar report
from the Federal Deposit Insurance Corporation (FDIC) noted that, “the
widespread use of user ID and passwords for remote authentication should
be supplemented with a reliable form of multi-factor authentication or
other layered security so that the security and confidentiality of
customer accounts and sensitive customer information are adequately
protected.”
The pressure from regulators comes at a helpful time for an
authentication technology marketplace that is crowded with vendors, but
somewhat light on customers.
While one-time password tokens, biometric scanners, radio frequency ID
tags, and smart cards are becoming increasingly common for authentication
in the enterprise environment — such as logging into a corporate VPN —
many companies remain remarkably hesitant to attempt to deploy those
solutions to a mass consumer market.
Tallying the Costs
With a single incidence of credit card-based identity fraud costing the
card issuer an industry-wide average of $600, you would think banks would
be rushing to put tokens or smart cards in the hands of every customer.
But their hesitance makes a lot more sense when you consider a few of the
hurdles of deploying authentication.
First, the cost of deploying authentication on an enterprise level can be
quite significant. If you then extrapolate the initial infrastructure
costs, the price of putting an authentication device (some of which can
cost upwards of $20 apiece) in the hands of millions of users, and add in
the customer support costs for teaching every customer what to do — many
reasonable companies begin to question whether the cure is worse than the
disease.
Assuming a company decides to take the plunge and deploy one of the many
proprietary authentication solutions out on the market, if the FFIEC has
its way come 2006, it’s conceivable that every credit card, checking
account, debit card, and brokerage account will come with its own
authentication gizmo.
Then think ahead to the day when the jerk ahead of you in the coffee shop
line — you know, the one ordering a double-shot, no foam, half-decaf,
soy milk, Grande latte? — has to stop mid-order and dash back to his
Prius because his one-time password token fell under the front seat.
As frightened of losing more and more money to identity fraud as
financial institutions and merchants may be, a future marked by customers
suffering “token fatigue”, the annoyance and frustration that comes
from managing key chains, wallets, and purses overflowing with
authentication devices, is not much more appealing.
It follows naturally then that the Holy Grail of authentication would be
for the world to standardize on one form. But for as much as every vendor
in the space would love to be that standard, there are some pretty hefty
obstacles to reaching such a goal.
Even if there were a one-size-fits-all authentication scheme that both
consumers and corporations fell in love with, there would always be a
question: Is it even in the world’s best interest to make one or two
proprietary technologies into, quite literally, the keys to everything?
I cannot envision that, since we’ve learned this lesson the hard way many
times before. As we recently saw with the scare about security holes in
the operating system for Cisco routers, a single flaw in one of the many
de facto standard technologies upon which we depend could be disastrous.
Indeed, the real “Catch-22” of authentication is that banks and
merchants must deploy stronger authentication technologies to a mass
audience in order to make the world safer. But in doing so, if those
businesses demand compliance from the very consumers who have grown
accustomed to lackadaisical security procedures, they risk a huge
backlash that could set back the cause of stronger authentication for a
decade.
Unfortunately for everyone, as regulators get more and more agitated
about deploying authentication, they will continue driving companies
toward investing millions of dollars in technologies that could prove to
be the new Betamax — the old videotape format that, although it was
technologically superior, lost in the market to VHS.
Until authentication vendors come up with a simple and economical way to
put user-friendly and strong authentication in the hands of users, the
demands of the financial industry regulators may simply not be
attainable… which means everybody loses.