Financial Organizations Struggle with Out of Band Authentication

Wednesday, May 09, 2012

Brent Huston


Many of our client financial organizations have been working on implementing out of band authentication (OOBA) mechanisms for specific kinds of money transfers such as ACH and wires.

A few have even looked into performing OOBA for all home and mobile banking access. While this authentication method does add some security to the process, effectively raising the bar for credential theft by the bad guys, it does not come without its challenges.

For starters, the implementation and integration of some of the software designed for this purpose has been a little more difficult than expected by many of the teams working on the projects. We are hearing that in some cases, the vendors are having difficulty integrating into some of the site platforms, particularly those not using .NET.

Other platforms have succeeded, but over time (and often over budget); the lesson learned is this: communicate clearly about the platforms in use when discussing implementations with potential vendors.

Other problems we have been hearing about include: availability issues with the number of outbound phone connections during peak use periods, issues with cellular carriers “losing” SMS messages (particularly a few non-top tier carriers), and integrating solutions into VoIP networks and old-style traditional PBX systems.  

In many cases, these telephonic and cellular issues have caused the systems to be withdrawn during pilot, turned off during peak periods, or rolled out in other "fits and starts" approaches while the rough patches were worked out.

The lesson in this area seems to be: design for peak use, or at least understand and communicate acceptable delays, outages, or round-robin processes, and make sure that your systems properly communicate these parameters to the user.

In the long run, proper communication to users will lower the impact of the onslaught of calls some of these systems generate for customer support and help desk staff.

It is getting better though. Vendors are learning to more easily and effectively develop and implement these solutions. The impact on account theft has been strong so far and customers seem to have a rapid adjustment curve.

In fact, a few of our clients have shared that they have received kudos from their members/customers for implementing these new tools when they were announced, documented, and explained properly to the user base.  

If your organization is considering this technology and has struggled with it, or has emerged victorious in the mastery of it, please drop me a line on Twitter (@lbhuston) and let me know your thoughts.

The more we share about these tools, the better we can all get at making the road less bumpy for the public.  

As always, thanks for reading and stay safe out there!

Cross-posted from State of Security

John Zurawski: Brent - I have worked on, very literally, hundreds of out-of-band authentication implementations over the last 10 years. Your post points out some less than obvious truths about phone-based out-of-band authentication. The first - not all OOB solutions are created equal. Performance during peak periods should be detailed in an SLA with the providing vendor. Often, very low cost cloud telephony is not as robust as the good old fashioned PSTN, but you get what you pay for. The relationship between voice lines and parties being called, if voice is being used, is 1:1. If you know you have 1,000 simultaneous authentication requests at 9 a.m. on Monday morning (and recall that 9 a.m. on Monday morning is a target that rolls through various time zones...) you or your vendor will need 1000 voice connections.

SMS messages getting lost is another issue. Across the globe there are thousands of message carriers managing the last mile of delivery. A deep understanding of what SMS can be counted on to do - and where, is another item anyone considering phone-based OOB must take into consideration.

Despite the challenges, there are few better ways to protect users of financial accounts from MITM/MITB attacks - or friend/family/insider fraud. Newer out-of-band approaches that employ apps have the potential to drive the cost low enough to cover a much broader spectrum of transactions as well.

I'm confident you'll hear from more users who have experienced and liked the phone based processes.
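A capacity-and-fallback model that ties together the post's advice (design for peak use and tell the user what delay to expect) and the 1:1 voice-line arithmetic in the comment above, as an added example that is not code from the original post, its author, the commenter, or any OOBA vendor. The line pool, call duration, timeouts, user counts and carrier behaviour are all constructed for the example; `lines_needed` is a simple burst model, not a vendor's SLA formula.

```python
"""Capacity and fallback model for an out-of-band authentication (OOBA) dispatcher.

Added example, not code from the original post or any OOBA product. It models
two problems the post and comment describe: a voice callback occupies one
outbound line for the whole call (1:1), so a peak needs as many lines as
simultaneous calls, and some carriers silently drop SMS, so delivery has to be
confirmed with a timeout and a bounded retry. All numbers are constructed.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from typing import Callable


def lines_needed(simultaneous_requests: int, call_duration_s: float, max_wait_s: float) -> int:
    """Outbound voice lines needed so a burst of simultaneous requests is all called
    back within max_wait_s. With max_wait_s=0 this is the 1:1 case from the comment:
    1000 simultaneous requests need 1000 lines."""
    calls_per_line = int(max_wait_s // call_duration_s) + 1
    return math.ceil(simultaneous_requests / calls_per_line)


class VoiceLinePool:
    """Pool of outbound voice lines; each call holds one line for call_duration_s."""

    def __init__(self, lines: int, call_duration_s: float) -> None:
        self.free_at = [0.0] * lines          # time at which each line becomes free
        self.call_duration_s = call_duration_s

    def earliest_start(self, now: float) -> float:
        return max(now, min(self.free_at))

    def reserve(self, start: float) -> None:
        line = self.free_at.index(min(self.free_at))
        self.free_at[line] = start + self.call_duration_s


@dataclass
class Outcome:
    user: str
    channel: str        # "voice", "sms" or "none"
    wait_s: float       # delay the user was told to expect
    delivered: bool
    attempts: int
    message: str        # what the user is shown, so a delay is never silent


class OobaDispatcher:
    def __init__(self, pool: VoiceLinePool, max_voice_wait_s: float, sms_timeout_s: float,
                 sms_max_attempts: int, sms_delivered: Callable[[str, int], bool]) -> None:
        self.pool = pool
        self.max_voice_wait_s = max_voice_wait_s
        self.sms_timeout_s = sms_timeout_s
        self.sms_max_attempts = sms_max_attempts
        self.sms_delivered = sms_delivered    # (carrier, attempt) -> delivery receipt seen?

    def dispatch(self, user: str, carrier: str, now: float) -> Outcome:
        start = self.pool.earliest_start(now)
        wait = start - now
        if wait <= self.max_voice_wait_s:
            self.pool.reserve(start)
            return Outcome(user, "voice", wait, True, 1,
                           f"We will call you within {int(wait)} s with your code.")
        # The voice queue is longer than what we promised the user, so fall back to
        # SMS instead of leaving them waiting for a call that will not come in time.
        return self._send_sms(user, carrier)

    def _send_sms(self, user: str, carrier: str) -> Outcome:
        # No receipt within sms_timeout_s is treated as a lost message and retried,
        # but only sms_max_attempts times; after that the user is told what to do.
        for attempt in range(self.sms_max_attempts):
            if self.sms_delivered(carrier, attempt):
                return Outcome(user, "sms", attempt * self.sms_timeout_s, True, attempt + 1,
                               f"Code sent by SMS. If it does not arrive within "
                               f"{int(self.sms_timeout_s)} s we will resend it once.")
        return Outcome(user, "none", self.sms_max_attempts * self.sms_timeout_s, False,
                       self.sms_max_attempts,
                       "We could not reach you. Please contact support to complete this transfer.")


def constructed_sms_delivery(carrier: str, attempt: int) -> bool:
    """Constructed carrier behaviour: 'lossy-mvno' drops the first message,
    'dead-carrier' never delivers, every other carrier delivers on the first try."""
    if carrier == "dead-carrier":
        return False
    return not (carrier == "lossy-mvno" and attempt == 0)


def simulate_monday_peak(lines: int = 3) -> list[Outcome]:
    """Constructed 9 a.m. burst: eleven users request a code at the same instant."""
    carriers = ["tier1"] * 9 + ["lossy-mvno", "dead-carrier"]
    dispatcher = OobaDispatcher(VoiceLinePool(lines, call_duration_s=30.0),
                                max_voice_wait_s=60.0, sms_timeout_s=45.0,
                                sms_max_attempts=2, sms_delivered=constructed_sms_delivery)
    return [dispatcher.dispatch(f"user{i}", c, now=0.0) for i, c in enumerate(carriers, 1)]


if __name__ == "__main__":
    print("lines for 1000 simultaneous callbacks with no waiting:", lines_needed(1000, 30, 0))
    print("lines for 1000 callbacks if users may wait 60 s:", lines_needed(1000, 30, 60))
    for o in simulate_monday_peak():
        print(f"{o.user:7} {o.channel:5} wait={o.wait_s:4.0f}s delivered={o.delivered} {o.message}")
```

With three lines and 30-second calls, the first nine users get a callback within the promised 60 seconds (at 0, 30 and 60 seconds); the tenth and eleventh would wait 90 seconds, so they are moved to SMS, where the lossy carrier needs the retry and the dead carrier ends in an explicit "contact support" message rather than silence. Raising the pool to `lines_needed(11, 30, 60)` lines puts everyone on voice, which is the sizing conversation the SLA should capture.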