e-Banking Security
With more than 250,000 reports last year, identity theft was the third most common complaint received by the U.S. Federal Trade Commission in 2005, and the number of victims is increasing every year.
That criminals are exploiting security vulnerabilities on the Internet to commit identity theft and other fraud has not gone unnoticed by the Federal Deposit Insurance Corp. (FDIC), the Federal Financial Institutions Examination Council (FFIEC) and other regulators concerned about e-banking. In 2005, FFIEC published Guidance on Authentication in an Internet Banking Environment, and, in 2006, updated it with a "Q&A" that made it clear that "its principles apply to all forms of electronic banking, including telephone banking systems."
This greatly affects speaker authentication (SA). "The FFIEC has turned everything around for SA in terms of visibility," says Mark Kovalsky of MEK Software, a supplier of speaker-authentication solutions. Market growth comes from the ability of SA solutions to satisfy critical security requirements, starting with direct authentication and extending to other techniques highlighted by the regulations.
Beyond Biometrics
The FDIC mandates multifactor authentication and the FFIEC Guidance highlights material information that matches information available from trusted third-party sources. Text-dependent SA is inherently two-factor (biometric and "shared secret") authentication and Nuance, among others, includes knowledge verification as a standard extension to its biometric SA.
"Fraudsters are becoming more adept at possessing all the correct information," warns Andy Rolfe of Authentify, an SA solutions provider. "Authentication techniques based solely on third-party verification are vulnerable to those who have acquired the correct information."
This is why FFIEC asks banks to "ensure that information provided is logically consistent (for example, do the telephone area code, zip code, and street address match?)." SA vendors implement this requirement in various ways. MEK Software does three-factor authentication, combining an RSA token, dynamic password, and biometric SA. Authentify, VoiceTrust, RSA, and other vendors verify, among other things, that the number from which the customer is calling matches one that he's used before.
Authentify, RSA, and other vendors also use extended pattern analysis to determine whether the person's activities are consistent with past behavior. "This is an approach that many financial institutions are familiar with because they score credit card transactions in this fashion," says Christopher Young, senior vice president and general manager of RSA's Consumer Solutions Business Unit.
Negative Verification
The FFIEC also advocates using negative verification to ensure that "information provided has not previously been associated with fraudulent activity." Vendors like Persay and NICE, with text-independent technology capable of operating on free-form speech, offer blacklists containing voice models of known fraudsters. Whenever a high-value transaction is requested, these systems compare the caller's voice with models in the blacklist.
Authentify and others employ behavioral information. RSA keeps samples of fraudster patterns within its eFraudNetwork and is starting to add new telephone numbers and other new kinds of data to it, according to Marc Gaffan, director of marketing for the Consumer Business Unit at RSA. "This means the information will be shared among our eFraudNetwork customers."
Out-of-Band Controls
FFIEC's Guidance discusses "out-of-band controls for risk mitigation." Authentify integrates authentication on multiple channels, such as a phone call to a telephone number known to belong to a legitimate accountholder, plus SA, to stem the migration of fraud from the newly-secured Web channel to the phone and other channels.
The next level involves plugging cross-channel vulnerabilities. "What the fraudsters will do is exploit inter-channel vulnerabilities," RSA's Gaffan says. "For example, did this person just change his or her address on the phone and then log into the online banking application and order a new credit card? If you have the ability on the backside to look at a single user across channels you can catch him."
All of this means that regulators and SA solutions providers recognize that security must be multi-factor and comprehensive. A single approach is no longer sufficient.
Judith Markowitz is the technology editor of Speech Technology magazineand is a leading independent analyst in the speech technology and voice biometric fields. She can be reached at (773) 769-9243 or jmarkowitz@pobox.com.