
November 06, 2007

Headlines: Security, Compliance, and Loss Prevention

RSA Announces Major 2007 Achievements in Consumer Authentication and Online Fraud Protection that help Customers Accelerate their Businesses

October 23, 2007

Headlines: Security, Compliance, and Loss Prevention

RSA Delivers Authentication Choice to More Smartphone Users;

Mitek's Imagenet Signatures™ Locates, Extracts & Verifies Signatures In Any Document

October 16, 2007

Headlines: Security, Compliance, and Loss Prevention

Security Breach at Commerce Bank (KC)

October 09, 2007

Headlines: Security, Compliance, and Loss Prevention

VASCO Announces that RBC Centura Bank Will Use VASCO's VACMAN Controller and Digipass GO6 for Corporate Banking;

Gartner Says the Cost of a Sensitive Data Breach Will Increase 20 Percent per Year Through 2009

September 05, 2007

NYCE and Fair Isaac Apply Account-Profiling Technology to PIN-based Debits

NYCE, a U.S. debit card network, and Fair Isaac, a leading provider of analytics, will use account-profiling technology to determine the fraud risk associated with individual ATMs and point-of-sale terminals.

"Based on data from NYCE's extensive network of 280,000 ATMs and 1.5 million POS locations nationwide, the technology will identify typical, non-fraud transaction patterns for each terminal and create device profiles that enable detection of abnormal, potentially fraudulent transaction patterns.

Building upon Fair Isaac's powerful fraud analytic technology for account-profiling, custom Falcon™ neural network models for debit transaction data, and comprehensive case and rules management capabilities, the device-profiling technology will add a new dimension to the use of transaction data in detecting PIN-based fraud. NYCE participants will be able to detect and stop fraud in real time, during the authorization process and before a loss is incurred, by determining the risk associated with individual devices."

For the complete press release, click here.
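The device-profiling idea in the press release, reduced to a runnable sketch (an added example, not NYCE's or Fair Isaac's code): each terminal gets a profile built from its own approved history, and a new transaction is scored against that profile at authorization time. The transaction history, the z-score plus off-hours penalty, and the threshold are all constructed assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history of approved PIN-debit transactions, not real network data:
# (terminal_id, hour_of_day, amount_usd).
HISTORY = [
    ("ATM-001", 9, 40), ("ATM-001", 12, 60), ("ATM-001", 13, 20), ("ATM-001", 17, 80),
    ("ATM-001", 18, 100), ("ATM-001", 11, 40), ("ATM-001", 15, 60), ("ATM-001", 10, 20),
    ("POS-777", 20, 35), ("POS-777", 21, 42), ("POS-777", 19, 28), ("POS-777", 22, 55),
    ("POS-777", 20, 31), ("POS-777", 21, 47), ("POS-777", 19, 39), ("POS-777", 22, 44),
]

def build_profiles(history):
    """One profile per terminal: typical amount and the hours it is normally used."""
    amounts, hours = defaultdict(list), defaultdict(set)
    for tid, hour, amount in history:
        amounts[tid].append(amount)
        hours[tid].add(hour)
    return {
        tid: {"mean": mean(a), "std": pstdev(a) or 1.0, "hours": hours[tid], "n": len(a)}
        for tid, a in amounts.items()
    }

def risk_score(profile, hour, amount, off_hours_penalty=2.0):
    """Amount z-score against the terminal's own history, plus a fixed penalty
    when the hour has never been seen at this device."""
    z = abs(amount - profile["mean"]) / profile["std"]
    return z + (off_hours_penalty if hour not in profile["hours"] else 0.0)

def decide(profiles, tid, hour, amount, threshold=3.0):
    """Authorization-time decision. A device with no history gets 'review'
    rather than a blind approve or decline."""
    profile = profiles.get(tid)
    if profile is None:
        return "review", None
    s = risk_score(profile, hour, amount)
    return ("decline" if s >= threshold else "approve"), round(s, 2)

PROFILES = build_profiles(HISTORY)
```

An unusual hour by itself stays below the threshold here; it is the combination of an abnormal amount and an abnormal time at a specific device that trips the decline.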

August 30, 2007

Worth A Look: New Approach to Strong Authentication

For the complete press release, click here.  Key points:

"With Keystone Authentication, images are used to create one-time passwords (OTP) that provide a simple, intuitive method for authenticating bank communication channels. Keystone Authentication provides token-equivalent security for a fraction of the cost for deployment and maintenance. The solution offers secure access and network validation from any computer or IP-networked ATM around the world, using a simple decoding device that can be conveniently stored in a mobile phone, PDA, or wallet.

The integration of Cronto Visual Signing solution with the Keystone Authentication engine enables a level of security beyond one-time passwords for website authentication and payment transactions. Cronto’s technology allows all important actions, such as authentication to online services or payment/beneficiary authorization, to be signed off by the users in an extremely intuitive and reliable way."

August 15, 2007

Comodo Introduces Out-of-Band One Time Passwords for Strong Authentication

Comodo, a provider of certificate-based solutions for two-factor authentication, has introduced an out-of-band one time password solution for two-factor authentication.

"Through the introduction of one-time passwords designed for use at public computers, Comodo TF is now as effective as token solutions for user authentication at remote locations but does not include the high cost or challenging customer deployment typically associated with these types of solutions.

These one-time passwords can be delivered through a variety of customer-selected options such as SMS messaging, email or telephone. The key benefit to end users is "anywhere, anytime" access to online banking accounts allowing optimum flexibility."

See related post from August 12, More Riders Jump on the Mobile Payments Bandwagon.

Commentary

Software certificate-based solutions for multi-factor authentication have been overshadowed by tokens here in the United States, at least for banking applications.  They tend to create customer support headaches and often don't save much money over physical tokens.

With out-of-band one time passwords, the unfortunately named Comodo may be onto something.  As indicated in my August 12 post, these could be a considerable improvement over physical tokens, at least from a customer service standpoint.

August 12, 2007

Key Idea: Multi-Factor Authentication

In 2005, the Federal Financial Institutions Examination Council (FFIEC) issued guidance for customer authentication in an Internet banking environment.  The FFIEC updated this guidance with a FAQ in 2006.  Nevertheless, there remains substantial misunderstanding in the marketplace about what constitutes "strong user authentication."  Strong is a relative term, of course.  What is strong authentication for one banking application may be inadequate for another.

When it comes to the highest risk transactions, however, the best practice has long been to require multi-factor authentication.  For example, a commercial customer entering an online wire transfer may be required to know a password and a PIN generated by a hardware token.  (Wire transfers are high risk because of the large dollar amounts involved and the finality of the transaction.)  Some bankers and even some technology professionals mistakenly believe (and the latter should know better) that requiring the user to enter two or three pieces of information, such as a password and secret information like the name of a pet, constitutes multi-factor authentication.  Unfortunately, if a hacker is capturing keystrokes from the customer's computer, it really doesn't matter whether they enter one secret word or one hundred.

Multi-factor authentication is only achieved when the user must enter something they know (e.g. the password) as well as authenticating with something they hold (e.g. a hardware token or digital certificate) or something they are (e.g. biometric identification).  Two of the three factors of authentication must be used for it to be multi-factor authentication.

Note:  The FFIEC did not require multi-factor authentication for all transactions.  It gave the banks discretion in identifying high-risk transactions and implementing an appropriate authentication strategy.  However, multi-factor authentication has a long history and acceptance in securing high-risk commercial transactions.
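The distinction the post draws, two factors versus two secrets, in working code (an added example, not from the original post or any vendor): a password and a pet's name both prove only the knowledge factor, while a code from a hardware token is checked as the possession factor using RFC 4226 HOTP. The user records, the password hash scheme, and the token seed (the RFC 4226 test-vector seed) are constructed assumptions for the demo.

```python
import hashlib
import hmac
import struct

def _h(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()

# Constructed demo records, not a real bank's data. A real system stores salted
# password hashes and keeps the HOTP seed only on the token and the server.
KNOWLEDGE = {"alice": {"password": _h("correct horse"), "pet": _h("rex")}}
TOKEN_SEED = {"alice": b"12345678901234567890"}   # RFC 4226 test-vector seed
TOKEN_COUNTER = {"alice": 0}                       # last counter accepted

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter with dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def check_knowledge(user: str, field: str, value: str) -> bool:
    stored = KNOWLEDGE.get(user, {}).get(field, "")
    return hmac.compare_digest(_h(value), stored)

def check_possession(user: str, code: str, window: int = 5) -> bool:
    """Accept a code from the next `window` counters and advance the counter,
    so a captured code cannot be replayed."""
    seed = TOKEN_SEED.get(user)
    if seed is None:
        return False
    last = TOKEN_COUNTER[user]
    for c in range(last + 1, last + 1 + window):
        if hmac.compare_digest(hotp(seed, c), code):
            TOKEN_COUNTER[user] = c
            return True
    return False

def factors_satisfied(user: str, presented: dict) -> set:
    """Distinct factor categories proven. Every secret the user types, a second
    password or a pet's name alike, is still the knowledge factor."""
    proven = set()
    for field in ("password", "pet"):
        if field in presented and check_knowledge(user, field, presented[field]):
            proven.add("knowledge")
    if "token_code" in presented and check_possession(user, presented["token_code"]):
        proven.add("possession")
    return proven

def is_multi_factor(user: str, presented: dict) -> bool:
    return len(factors_satisfied(user, presented)) >= 2
```

A keylogger that captures the password and the pet's name still gets only one factor; the token code it captures is consumed by the counter on first use and is rejected on replay.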

August 07, 2007

AMEX Fined $65 Million for Failing to Detect Money Laundering

CNNMoney.com reported that American Express has agreed to pay a $65 million fine because its subsidiary, American Express Bank International (AEBI), had an inadequate transaction monitoring system and internal controls which failed to identify specific incidences of suspicious activity.  AEBI is a Miami based bank specializing in private client services for Latin America. 

For the full story, click here.  For the Federal Reserve press release, click here.

July 25, 2007

Bank of the West Picks RSA to Protect Consumers

Bank of the West has picked RSA Adaptive Authentication and eFraudNetwork to protect consumer customers of its online banking products.

According to RSA:

"RSA Adaptive Authentication for Web is engineered to analyze all online banking activities in real-time and calculate a risk-score for each. Using the risk score, the solution is designed to automatically invoke additional strong authentication methods in a transparent manner, such as secret questions or an automated ‘out-of-band’ phone call, for high-risk activities or for users that could not be authenticated easily. The transparent authentication relies on identifying the user’s device and considering it in the context of additional risk factors such as the user’s location or details of the specific activity. With RSA’s site-to-user authentication, users select a unique image and phrase. The image is then displayed at login to verify the official bank Web site before a password is entered.

Bank of the West has also become a member of the RSA eFraudNetwork community, the world’s most effective collaborative online anti-fraud network. With more than 50 large financial institutions and a multitude of smaller ones on the network, Bank of the West can benefit from immediate protection based on real-time online fraud data from financial institutions around the world."

For the full press release, click here.