Multiple factor authentication
Written by Brenden   
Thursday, 02 December 2010

I was looking for a new banking institution (due to Charter One playing games with fees).  During my investigation of Credit Unions I found that most (if not all) use outside companies to handle their on-line banking solutions.  One of these companies is R.C. Olmstead.

Looking into R.C. Olmstead I discovered they claim to have multi-factor authentication for their on-line banking solution.  As I've never heard of any bank in the U.S. having this, I dug in further. 

I first contacted R.C. Olmstead, and received the following (in part) from Tom Leib:

"RCO offers their Credit Union clients two options for multi-factor authentication."

The two options he is referring to are Passfaces and Digital Resolve.  However, neither of these constitutes multi-factor authentication.  As far as I can tell this is outright fraud.  Their online banking site makes several references to a 'second factor', confirming that they are making claims that are not true.

According to the FFIEC: "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category ... would not constitute multifactor authentication." (see http://www.ffiec.gov/pdf/authentication_faq.pdf)

The industry recognized (and FFIEC specified) factors are:

  • Something the user knows (e.g., password, PIN);
  • Something the user has (e.g., ATM card, smart card); and
  • Something the user is (e.g., biometric characteristic, such as a fingerprint).

As an example, requiring a password and the selection of images constitutes one factor: something the user knows.  Using your ATM card at an ATM and entering a PIN constitutes two-factor authentication (something the user has and something the user knows).
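The FFIEC rule above reduces to a simple check: map each authenticator to its category and count the distinct categories. The following is an added example, not code from the original post or from any vendor mentioned in it; the method names and the mapping table are assumptions chosen to illustrate the two flows the post describes (password plus image selection, versus ATM card plus PIN).

```python
"""Evaluate whether an authentication flow meets the FFIEC definition of
multi-factor authentication: methods drawn from two or more distinct
factor categories (knowledge, possession, inherence).

Added example, not part of the original post. The method names and the
METHOD_FACTOR mapping below are assumptions made for illustration.
"""
from enum import Enum


class Factor(Enum):
    KNOWS = "something the user knows"
    HAS = "something the user has"
    IS = "something the user is"


# Assumed mapping of common authenticator types to FFIEC factor categories.
# An image/picture selection scheme is a memorised secret, so it lands in
# KNOWS alongside passwords and PINs; it does not add a second category.
METHOD_FACTOR = {
    "password": Factor.KNOWS,
    "pin": Factor.KNOWS,
    "security_question": Factor.KNOWS,
    "image_selection": Factor.KNOWS,
    "atm_card": Factor.HAS,
    "smart_card": Factor.HAS,
    "hardware_token": Factor.HAS,
    "fingerprint": Factor.IS,
}


def factor_categories(methods):
    """Return the set of distinct factor categories covered by `methods`.

    An unknown method name raises, so a misconfigured flow fails loudly
    instead of silently being counted as an extra factor.
    """
    categories = set()
    for method in methods:
        if method not in METHOD_FACTOR:
            raise ValueError(f"unknown authentication method: {method!r}")
        categories.add(METHOD_FACTOR[method])
    return categories


def is_multifactor(methods):
    """True only when two or more distinct categories are present.

    Stacking several methods from one category (e.g. password plus
    image selection) still yields a single factor.
    """
    return len(factor_categories(methods)) >= 2


def describe(methods):
    """Human-readable verdict for a flow, useful when reviewing a config."""
    count = len(factor_categories(methods))
    verdict = "multi-factor" if count >= 2 else "single-factor"
    return f"{list(methods)} -> {count} factor(s): {verdict}"


if __name__ == "__main__":
    # Constructed flows matching the two examples in the post.
    print(describe(["password", "image_selection"]))  # single-factor
    print(describe(["atm_card", "pin"]))              # multi-factor
```

The check is deliberately strict about unknown method names: when auditing a login flow, an authenticator that is not classified should block the verdict rather than be assumed to count as a separate factor.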

The bottom line is that R.C. Olmstead is lying about having multi-factor authentication; these claims appear at various locations on their online banking websites.  For example, in the login help they claim a 'second factor', and again on the page shown when you fail to log in.

As I am involved in security (credit card payment systems and PCI compliance mostly) I find these claims to do harm in more ways than one, as well as doing the community a huge disservice.  Leading people to believe wrongly that having to enter multiple items of a single factor constitutes multi-factor authentication provides a false sense of security.  This in turn leads to lax handling of passwords and user names, and is a primary attack vector for a vast number of system and account compromises.

© 2012 Diablo Professional Services