1. Consumer Authentication in e-Banking & Part 748 – Appendix B Response Program Catherine Yao Information Systems Officer NCUA

2. Consumer Authentication in e-Banking e-Banking

3. Outline  Purpose  Background  Risk Assessment and Management –Risk-based assessment  Customer Awareness  Conclusion

4. Purpose  The need for additional security measures to reliably authenticate consumer remotely accessing their financial institution’s Internet banking system.  Updates and supplements the 2001 Guidance entitled Authentication in an Electronic Banking Environment.

5. Authentication in an Electronic Banking Environment

6. Background  Security Acts –Gramm-Leach-Bliley Act (GLBA) Title V requirement. –The Fair and Accurate Credit Reporting Act of 2003 (FACTA)  Identity Theft –One of the fastest growing types of consumer fraud –Account takeover was identified as the fastest growing type of identify theft. –Account takeover represents a fundamental compromise of the security protecting consumers’ primary asset account maintained at insured depository institutions.

7. What is identity theft? Identify theft is defined as the appropriation of credentials or private information belongs to another individual to be used in the creation of new accounts or new identities. Identify theft is defined as the appropriation of credentials or private information belongs to another individual to be used in the creation of new accounts or new identities.

8. Hacker’s Tools  Phishing  Spyware  Malware  Site Spoofing  Trojan Horse  Social Engineering

9. Identity Theft Statistics  According to FTC, During 2003, 10 million Americans were the victims of identity theft, with a total cost to businesses and consumers approaching $50 billion  According to Gartner 2004, 2 million U.S. adult Internet users experienced account takeover during the 12 months ending April 2004.

10. Continued -  The Anti-Phishing Working Group noted a significant increase in phishing activity over the past six months. There were 12,845 new unique phishing email messages reported to the APWG in January 2005 alone.

11. FICUs e-Banking Services Increase (Growth since 2000)  More than half (58%) of FICUs have a website. This has Increase d by 39.5%.  Home banking via websites have grown significantly by 78.2%.  Number of interactive and transactional websites have grown by 93.4%.  Electronic loan payment has increased by 121%. Share draft ordering has grown by 83.2%.  Number of members using the transactional worldwide website has increased by 230% (to 18.3 Million) ----------------------------------------------------------------  In 2004, among credit unions, the number of transactional websites grew by 10%, to 3,673, while the number of members using transactional sites grew 21% (to 18.3 million).

12. Continued -  According to NAFCU, 48% FICUs responded that their Credit unions incurred an increased level of identity theft last year relative to 2003.  With the fast growth of e-banking service among FICUs and as scam artists become more sophisticated, identity theft has become major risk for those FICUs offering e-banking services.

13. Continued -  In a 2005 study, 14 percent of online consumers reported that they would stop using online banking due to concerns about Phishing.

14. Risk-based Security Program  Program should be Enterprise-wide  Perform a risk assessment oConsideration of “controls to authenticate” those seeking access to customer information oTake risk-based and “layered” approach  As the risk to sensitive customer information increases, the compensating controls contained within the institution’s security program must also increase

15. Enterprise-wide Authentication  Adherence to corporate standards and architecture  Integration within overall information security framework  Within lines of business  Central authority for oversight and risk monitoring

16. Risk Assessment  Type of the customer  Institution’s transactional capabilities  Sensitivity and value of the stored information  Ease of using the method  Size and volume of transactions

17. Security Measures  Risks can be measured by the likelihood of harm and the impact of an occurrence.  With respect to Internet transaction processing, three primary risks exist: –risk of monetary losses –potential loss of future business, and, –risk of compromising confidential customer information.

18. Continued -  Implementation of security measures –Risk matrix o illustrate the type and likelihood of risk on one hand and corresponding risk mitigation techniques on the other.

19. Risk Matrix – illustration only

20. Three factors of Authentication methodologies  Something the user knows (password) (password)  Something the user possesses (Smart card)  Something the user is (biometric characteristic, such as fingerprint or retinal pattern)

21. Authentication Tools  Password  PINs  Digital certification using a PKI  Physical devices –Smart card –Tokens  Database comparison  Biometric identifiers

22. Conclusion  To comply with GLBA, FACTA. conduct a risk assessment to identify the types and level of risks associated with e-banking application  ID and password as the only control mechanism is no longer adequate for controlling remote access to sensitive info.  Multi-factor authentication or other layered security is recommended to mitigate those risks.

23. Part 748 – Appendix B Response program Part 748 – Appendix B Response program

24. Part 748 – Appendix B Response Program

25. Background  Section 501(b) GLBA  Part 748 – Appendix A  Increasing Number of Security Breaches  Revise Part 748 and Add Appendix B – Response Program

26. Response Program  Take preventative measures to safeguard member information –Place access control –Conduct employee background check  Implement a risk-based response program –Appropriate to the size and complexity of CU –Appropriate to the nature and scope of the activities –Service provider o Address incidents o Notification of the CU

27. Components of Response Program  Assessment  Notification of Primary Regulator  Notification of Law enforcement Authorities  Proactive Measures to Contain /Control Incident –Monitoring, freezing, or close affected accounts  Member Notification

28. Content of Member Notice  Description –The incident in general terms –Type of member info was the subject of unauthorized access or use –What CU has done to protect the member’s info –Telephone number for further assistance –Member should remain vigilant over the next 12 -24 months –Promptly report incidents of suspected ID theft to the CU

29. Continued -  Review Account Statements and Report Suspicious Activity To The CU  Notify Credit Bureaus - Consumer Report  Obtain Credit Reports – Credit Report Agency  Get Federal Trade Commission Assistance

30. Changes from Proposal  Standard for notice to member  More risk based; less prescriptive  Notice to regulator – only if breach involves sensitive member information

31. Continued -  Notice to regulators – delay to coordinate with law enforcement authorities  Flagging, monitoring, securing accounts – left to credit union’s assessment of risk  Content of notice – likewise risk based  Fraud alerts – less prescriptive – discuss with member but not mandatory

32. NCUA Expectations for Compliance  Potential Questionnaire: –Incorporated into Overall Security Program –Escalation Process / Incident Response –Review of Notices – Attorney Review? –Enterprise Wide Approach –Reporting to Senior Management –Member Outreach / Awareness Programs –Employee Training Programs

33. Part 748 – Appendix B Response Program

34. Question & Answer