Monday, October 24, 2005

U.S. banks urged to implement stronger security for online customers

NETWORK WORLD NEWSLETTER: DAVE KEARNS ON IDENTITY MANAGEMENT
10/24/05
Today's focus: U.S. banks urged to implement stronger security
for online customers

By Dave Kearns

As Network World Senior Editor Ellen Messmer reported last week
<http://www.networkworld.com/news/2005/101805-banking.html?rl>,
the Federal Financial Institutions Examination Council (FFIEC)
has issued new guidance for how financial institutions should
plan to authenticate customers' online identities by the end of
next year.

This little-known federal watchdog describes itself
<http://www.ffiec.gov/> as "...a formal interagency body
empowered to prescribe uniform principles, standards, and report
forms for the federal examination of financial institutions by
the Board of Governors of the Federal Reserve System (FRB), the
Federal Deposit Insurance Corporation (FDIC), the National
Credit Union Administration (NCUA), the Office of the
Comptroller of the Currency (OCC), and the Office of Thrift
Supervision (OTS) ... to make recommendations to promote
uniformity in the supervision of financial institutions." As
such, its "guidelines" are normally read as mandates by the
financial community.

The rise in so-called "phishing"
<http://www.networkworld.com/topics/spam.html> as an identity
theft mechanism led directly to the FFIEC's release of these new
guidelines. The guidelines, entitled "Authentication in an
Internet Banking Environment" (PDF
<http://www.ffiec.gov/pdf/authentication_guidance.pdf>),
replace an earlier document - "Authentication in an Electronic
Banking Environment" - issued four years ago. The latest
document is explicit in stating that no particular
authentication method is being suggested, but goes on to
describe several (including digital certificates, smart cards,
one-time passwords, USB plug-ins and biometric identification
methods) as being more in line with the guidelines than the
simple username/password combinations currently in use.

Major security and identity vendors were quick to jump into the
discussion of how best to implement stronger authentication for
online financial transactions. Both RSA Security and archrival
Vasco Data Security were quick off the mark to try to get their
spin out, contacting me within minutes of when the story broke.

According to an RSA spokesperson, the company "is continuing to
1) hear acute pleas from consumers who want more protection and
2) see interest from banks in flexible, convenient security
solutions for their customers." RSA also provided the results of
a survey showing that European consumers have more confidence
online than their U.S. counterparts, and provided a listing of a
large number of banks around the world that have been purchasing
hundreds of thousands of RSA SecurID strong authentication
tokens for their customers. Less than a handful of those are
U.S. institutions (on the list were American Bank, Credit
Suisse, E*Trade Financial and Stonebridge Bank).

The Vasco spokesperson wanted to remind me, though, that the new
rules put the burden on banks to avoid the inflated claims by
some "not-completely-honest" authentication providers. According
to Vasco President Jan Valcke: "Every security officer needs to
know how to spot the false claims that could leave hidden gaps
in their security net."

When I asked RSA why so few U.S. financial institutions had
adopted strong authentication (such as RSA's SecurID
one-time-password application), the response was that the reasons
are twofold: convenience and cost. It's felt that U.S. consumers
would balk at the increase in fees needed to sustain the use of
tokens and would also resist the change from the easily
implemented username/password method.

That sounds bad: lazy, cheap American consumers who, according
to Vasco, are about to be duped by not-completely-honest
vendors. Could there be an upside to the foot-dragging by
American financial institutions? Well, consider this question:
What's worse, having weak security and knowing it or thinking
you have strong security when you don't? We'll try to answer
that next time.

_______________________________________________________________
To contact: Dave Kearns

Dave Kearns is a writer and consultant in Silicon Valley. He's
written a number of books including the (sadly) now out of print
"Peter Norton's Complete Guide to Networks." His musings can be
found at Virtual Quill <http://www.vquill.com/>.

Kearns is the author of three Network World Newsletters: Windows
Networking Tips, Novell NetWare Tips, and Identity Management.
Comments about these newsletters should be sent to him at these
respective addresses: <mailto:windows@vquill.com>,
<mailto:netware@vquill.com>, <mailto:identity@vquill.com>.

Kearns provides content services to network vendors: books,
manuals, white papers, lectures and seminars, marketing,
technical marketing and support documents. Virtual Quill
provides "words to sell by..." Find out more by e-mail at
<mailto:info@vquill.com>

Copyright Network World, Inc., 2005
