About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

« FFIEC Weighs In On Mobile Channel Risks | Main | The Personal Cost of Fraud »

August 8, 2016


When Fraud Hits Home: Questioning Today’s Authentication Methods

My wife was the recent victim of a vehicle burglary. Unfortunately, the bad guys got away with a wallet that included a driver's license along with several debit and credit cards. Since my wife is a cash-averse individual, I thought little harm, if any, would ensue since she reported the cards stolen within minutes of the crime taking place. What I thought could have been a simple stolen card scenario quickly escalated to a major assault on a demand deposit account (DDA) thanks, in large part, to authentication failures by the financial institutions involved.

Two days after the theft and with only a driver's license and a canceled debit card to identify the bank, the burglar, or an associate, was able to withdraw money from my wife's DDA by using a generic withdrawal slip found at most bank and credit union branches. They also cashed a counterfeit check drawn on another financial institution (FI) that, along with the bad check fee, was charged against my wife's account when the payor bank returned the check. While I am not sure whether the employees at the bank followed proper authentication protocols, there clearly was a breakdown as the thief was able to use the stolen driver's license to first obtain my wife's DDA number and then fraudulently withdraw funds.

While the breakdown in authentication is concerning, the FI's solution for improving authentication with my wife's new account is archaic—a password. The FI suggested that she open a new account and password-protect the account. When making an in-person transaction, she will be required to state the password before a transaction can be completed or account information revealed in addition to other authentication measures that were already in place.

My wife, not comfortable with the new proposed account set-up or with the failure in authentication on the old account, decided to seek a new FI relationship. Clearly she believed that a more technology-driven solution would have been substantially better from both a security and user standpoint than the proposed password solution. And this got me wondering. With all the efforts and investments in authentication technologies, why are passwords still being used for banking and payment transactions in 2016? What will it actually take to "kill the password," which we have been talking about for years? We are in the midst of a technology revolution, yet authentication methods from 2,000 years ago are still being suggested for use today as the primary means to protect money and assets.

In Singapore, the government has mandated two-factor authentication while allowing consumers to retain some choice in the authentication factor. In the United States, the Federal Financial Institutions Examination Council, or FFIEC, issued guidance in 2011 regarding the use of multi-factor authentication for Internet transactions. Is guidance concerning authentication enough? Without favoring any particular solution or technology, is it time to adopt better authentication methods in the United States? I am not advocating mandate like in Singapore, but my wife can give you more than 2,500 good reasons why it should be considered.

Photo of Douglas A. King By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

August 8, 2016 in authentication | Permalink

Comments

If I'm not mistaken, FFIEC issued its 2FA guidelines in 2005. In 2011 - or 2012 if I'm not mistaken - it only reissued them. Maybe America believes that, if heaven hasn't fallen in 11 years by not implementing 2FA while the rest of the world has, it won't fall anytime soon. Just saying...

Posted by: Ketharaman Swaminathan - GTM360 Marketing Solutions | August 10, 2016 at 03:47 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


May 2017


Sun Mon Tue Wed Thu Fri Sat
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31      

Archives


Categories


Powered by TypePad