With the number of identity theft incidents on the rise, credit unions and their members are becoming increasingly aware of the threat of falling victim to such an attack. According to the ITRC (Identity Theft Resource Center), 19,178 people per day fall victim to identity theft, which translates to over 13 people per minute. To combat these threats, leading credit unions are going a step beyond traditional identification requirements and increasingly adopting multi-factor authentication solutions, including improved biometric identification techniques.
While online identity thefts have recently attracted most of the media spotlight, in reality the majority of identity fraud still occurs in the off-line world. According to the Better Business Bureau, only 11.6 percent of all known-cause identity fraud was computer related in 2004. While there is little doubt web fraud will continue to increase, the truth remains that fraud will still be a significant threat in all channels. In the recently published 2005 Credit Union Technology Survey, over 95 percent of credit union survey respondents listed ‘Multi-factor Authentication/Biometrics’ as a budgeted technology priority for the fiscal year, the most frequently identified priority by respondents.
The potential benefits of biometrics are perhaps best recognized when comparing the different types of authentication methods available. Types of authentication are currently broken into three main categories: something you know, something you have, and something you are.
Something You Know
The most common example of using “something you know” as a form of authentication is the traditional password, PIN, or social security number. While requiring a password is a very important step, it is increasingly recognized by security experts as an inadequate stand-alone solution.
Today, financial institutions often ask for additional “out of wallet” information. Out of wallet questions ask for information that a member would easily know but would not typically be obtained by stealing the member’s wallet. “In wallet” information typically includes driver’s license number, date of birth, social security number, home address, credit card information, and the like. Examples of “out of wallet” information include a mother’s maiden name, place of birth, or even what make and year of car you last purchased.
This extra question helps prevent a password from being guessed but does not effectively protect against key-logging, Trojan horse, phishing, and other such attacks. These attacks are specifically crafted to get the necessary information from the user. For example, key loggers and Trojan horse programs can be set to monitor and copy the keystrokes a user makes, so an attacker could know what the user typed in response to the “something you know” question.
Something You Have
The next authentication category is “something you have.” Examples of this range from simple ATM cards to advanced smart cards and security tokens. Security tokens typically generate a random numeric password at certain intervals (typically 30-60 seconds) that is only good for a single use. This prevents key-loggers and hackers from stealing the password without stealing the physical password token. However, it also can limit members’ ability to access their own accounts if the token or smart card is not in their possession at all times.
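The interval-based, single-use behavior described above can be seen in a short verifier. This is an added example, not code from the article or from any token vendor: the article names no algorithm, so the sketch assumes the open TOTP standard (RFC 6238, HMAC-SHA1, 30-second step), and the names `totp` and `TokenVerifier` are hypothetical.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Code a token shows at unix_time (RFC 6238, assumed algorithm)."""
    counter = unix_time // step  # index of the current time interval
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server side: accepts each interval's code at most once."""

    def __init__(self, secret: bytes, step: int = 30, drift: int = 1):
        self.secret = secret
        self.step = step
        self.drift = drift        # intervals of clock skew tolerated
        self.last_counter = -1    # newest interval already consumed

    def verify(self, code: str, unix_time: int, digits: int = 6) -> bool:
        if len(code) != digits or not (code.isascii() and code.isdigit()):
            return False
        now = unix_time // self.step
        for counter in range(now - self.drift, now + self.drift + 1):
            if counter <= self.last_counter:
                continue  # already used: a captured code cannot be replayed
            expected = totp(self.secret, counter * self.step, self.step, digits)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed sample secret (RFC test key)
    server = TokenVerifier(secret)
    code = totp(secret, 59)
    print("member login:", server.verify(code, 59))
    print("replay of captured code:", server.verify(code, 59))
    print("same code after it expired:", TokenVerifier(secret).verify(code, 200))
```

A key-logger that records the code gains nothing once the member has used it or the interval has passed; only possession of the token's secret produces the next valid value.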
Something You Are
This form of security covers biometrics or the use of a person’s physical characteristics as a form of authentication. While biometric security research has been touted for several years, it has started to get more attention than ever before as new hardware and proven techniques slowly gain commercial acceptance. Some examples of biometrics include fingerprint scanning, retina pattern matching, voice recognition, and keystroke dynamics (verifying the user’s typing habits). Biometrics shows promise not only for authenticating members but also for employees logging into their work terminal at the credit union.
While biometrics helps prevent successful attacks due to key-loggers, it is much harder to deploy to a large number of members in the online environment. However, some credit unions like Purdue Employees Federal Credit Union ($404M in West Lafayette, Ind.) have implemented biometric solutions at ATMs to help better authenticate members. This approach increases security without inconveniencing the member.
As a result of the increased awareness and attention, members are more likely to demand the reassurance of additional security at their financial institutions. Biometrics are helping leading credit unions address some of the key authentication challenges to better protect their members.