Ask The Security Expert: Questions & Answers
What are a call center's authentication options when seeking FFIEC compliance?

Expert response from: Joel Dubin, past SearchSecurity.com expert

QUESTION POSED ON: 16 October 2006
The Federal Financial Institutions Examination Council recently stated that its requirement also extends to bank call centers if the caller requests "high risk transactions" such as any payments to third parties. What are multi-factor authentication options for call centers?
To satisfy your needs, you should consider using a software device that doesn't require any tokens, keys or other easily lost and hard-to-manage toys. Tokenless two-factor authentication would be appropriate, and there are three choices you should look into. Let's take a look at each one briefly.

For high-risk transactions, you could set up an SSL VPN on your network. Implementing one would allow your users to log on to your transaction applications through a secure tunnel, the virtual private network. An SSL VPN, though, is a Web application rather than a traditional VPN, and therefore would be directed through a specially configured and dedicated router. This can be costly and could entail a lot of overhead. In addition, implementing one can be overkill as far as meeting the FFIEC guidelines is concerned.

If you choose not to set up an SSL VPN, consider using digital certificates (DCs). These provide additional authentication for call center staff when a high-risk transaction occurs, but they require the construction of a public key infrastructure (PKI) to create and manage the DCs, which could be a costly and complicated venture.

However, your best bet might be PINsafe from Swivel Secure Ltd., a tokenless two-factor authentication system. It requires no hardware or tokens and can be used for logging on to either an ordinary workstation or a Web application. Companies have used PINsafe to eliminate both the hassle and cost of issuing and handling tokens.

PINsafe creates a random set of digits in an obfuscated image, and then displays it on the Web page or screen. Each time the user logs on, a new image with a new set of digits is displayed. The image is the software one-time password. When users register with the product, they create a PIN. This PIN is matched against the digits on the screen to produce a new, random number, which is then entered along with the normal user ID and password. This random number is the additional credential, or second factor, in the two-factor authentication system.

The image generated by PINsafe is similar to CAPTCHA technology. Yahoo and Google use CAPTCHA images to block spammers from using scripts and automatically sending email to random accounts. The CAPTCHA is an image with embedded characters that cannot be read by malicious scripts looking for ordinary text.
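As an added illustration (not PINsafe's own code, nor the author's), the following Python models the one-time-code derivation described above: the server shows a random 10-digit security string, and the user reads off the digits at the positions named by their PIN. The position-indexed mapping, the 4-digit PIN length and the class and function names are assumptions made for this example.

```python
import secrets
import hmac

# Constructed model of a PINsafe-style tokenless second factor. Assumption:
# the server displays a 10-digit "security string" and each digit of the
# user's PIN selects a position (0-9) in it; the user types the digits found
# at those positions. That typed value is the one-time code (second factor).

PIN_LEN = 4  # assumed PIN length for this example


def new_security_string():
    """Generate the fresh random 10-digit string shown in the logon image."""
    return "".join(str(secrets.randbelow(10)) for _ in range(10))


def derive_one_time_code(pin, security_string):
    """What the user works out in their head: the digit at each PIN position."""
    if len(security_string) != 10 or not security_string.isdigit():
        raise ValueError("security string must be exactly 10 digits")
    if not (pin.isdigit() and len(pin) == PIN_LEN):
        raise ValueError("PIN must be %d digits" % PIN_LEN)
    return "".join(security_string[int(p)] for p in pin)


class PinsafeVerifier:
    """Server side: one security string per logon attempt, consumed on use."""

    def __init__(self, pins):
        self._pins = dict(pins)   # user -> PIN (a real deployment would hash it)
        self._pending = {}        # user -> outstanding, not-yet-used string

    def challenge(self, user):
        """Issue a new string; any earlier unused string for the user is discarded."""
        s = new_security_string()
        self._pending[user] = s
        return s

    def verify(self, user, code):
        """Check the typed code; the string is removed so a replay cannot succeed."""
        s = self._pending.pop(user, None)
        if s is None or user not in self._pins:
            return False
        expected = derive_one_time_code(self._pins[user], s)
        # Constant-time comparison; encode so non-ASCII input cannot raise.
        return hmac.compare_digest(expected.encode(), code.encode())
```

Because the string changes on every logon, the same PIN yields a different code each time, which is what makes the typed value a one-time credential rather than a reusable password.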

EMC Corp.'s RSA division has a similar tokenless system that uses technology from PassMark, a company it acquired earlier this year. The PassMark technology displays an image on the logon screen, and the user verifies that it is the one he or she chose during registration. Unlike PINsafe, the image is an ordinary photo or graphic, not text. Additionally, this system is Web-based and will only work if the applications are on an intranet.

Both RSA and PINsafe satisfy the FFIEC two-factor authentication guidelines, and each is an option you might consider for your call center.

More information:

  • Learn what two-factor authentication means for FFIEC compliance.
  • Estimate security risks involved in an SSL VPN implementation.
All Rights Reserved, Copyright 2003 - 2009, TechTarget