Multi-Factor Authentication ... or be Sued?
A bit of background: in 2007 a couple claimed that an intruder gained access to one of their accounts using nothing more than their username and password. They banked with Citizens Financial Bank, a healthy $1B+ institution serving Indiana and Illinois. The intruder transferred more than $26,000 to a bank in Austria, a transfer that went undetected for over a week.
For the past couple of years, breaches at payment processors and retailers have been all the rage. I can't go a day without hearing about Heartland Payment Systems, TJX, or Hannaford. And I can understand how financial institutions can be aggravated, annoyed and upset at having to deal with the fallout from these major breaches. This story, though, is one of the first I've heard in which an ordinary consumer brings a lawsuit against their own institution.
What's really most interesting to me is that this couple actually knows what multi-factor authentication is. Their knowledge of proper authentication systems is at the heart of this lawsuit. Upon investigation, Citizens was using only single-factor authentication at the time (2007!) to log Internet banking users in to their accounts. With nothing but a password standing between an attacker and an account, I suppose a simple dictionary or password-guessing attack could have been enough to get into many different accounts.
In addition, the couple threw in the 2005 FFIEC guidance on authentication in an Internet banking environment, which calls single-factor authentication inadequate for high-risk transactions - nice! I can picture a movie-like scene reminiscent of A Few Good Men where the prosecutor throws down the FFIEC handbook in front of a nervous CISO and screams "Did you or did you not implement strong authentication?!" (OK...perhaps their lawyer helped them out...).
Citizens tried playing the innocent bystander card, saying that it was at the mercy of its (very popular) Internet banking provider and that, in effect, the institution was not responsible for the security measures that provider implemented. Is there such a thing as vendor due diligence? I'm baffled that such an established institution could be so lax on security standards, especially the FFIEC strong authentication guidance that was such a predominant compliance issue 3-5 years ago. It wasn't as if this happened a few days after the deadline to implement strong authentication -- the incident happened over a year later!
The upshot is that we now have ordinary consumers holding their financial institutions to minimum-standard security practices. Security and risk management are no longer technology secrets that everyday consumers cannot understand. Consumers are increasingly asking "Are my financial assets protected?" And who can blame or stop them? Consumers don't care who your Internet banking provider is or how many employees are responsible for information security and risk management. They just want assurance and transparency that everything possible is being done to protect their financial assets.
I find the following takeaways from this story:
- Multi-factor authentication is the minimum standard for logging into Internet banking accounts.
- The more TJX, Hannaford, Heartland, and these types of stories gain mainstream attention, the more awareness they will bring to the security practices of financial institutions. I'm not condoning the release of sensitive company secrets; however, some transparency is needed when conveying security measures to consumers.
- Consumers, to a certain extent, will not be held responsible for many types of security breaches. Clearly, the bulk of responsibility lies with financial institutions.
What's your take on the lawsuit? Is this putting too much pressure on financial institutions to comply with security regulations? Or will lawsuits like this and general awareness help improve security within financial institutions?