
What are a call center's authentication options when seeking FFIEC compliance?

There are many ways for a call center to employ two-factor authentication and meet FFIEC standards. In this expert Q&A, Joel Dubin reviews SSL VPNs and other options for compliance-seeking call centers.

The Federal Financial Institutions Examination Council recently stated that its requirement also extends to bank call centers if the caller requests "high risk transactions" such as any payments to third parties. What are multi-factor authentication options for call centers?
To satisfy your needs, you should consider using a software device that doesn't require any tokens, keys or other easily lost and hard-to-manage toys. Tokenless two-factor authentication would be appropriate, and there are three choices you should look into. Let's take a look at each one briefly.

For high-risk transactions, you could set up an SSL VPN on your network. Implementing one would allow your users to log on to your transaction applications through a secure tunnel -- also known as a VPN, or virtual private network. An SSL VPN, though, is a Web application rather than a traditional VPN, and therefore would be directed through a specially configured and dedicated router. This can be costly and could entail a lot of overhead. In addition, such an implementation can be overkill as far as meeting the FFIEC guidelines is concerned.

If you choose not to set up an SSL VPN, consider using digital certificates (DCs). These provide additional authentication for call center staff when a high-risk transaction occurs, but they require the construction of a public key infrastructure (PKI) to create and manage the DCs -- which could be a costly and complicated venture.

However, your best bet might be PINsafe from Swivel Secure Ltd., a tokenless two-factor authentication system. It requires no hardware or tokens and can be used for logging on to either an ordinary workstation or a Web application. Companies have used PINsafe to eliminate both the hassle and cost of issuing and handling tokens.

PINsafe creates a random set of digits in an obfuscated image and displays it on the Web page or screen. Each time the user logs on, a new image with a new set of digits is displayed. The image is the software one-time password. When a user registers with the product, he or she creates a PIN. The user combines this PIN with the digits on the screen to produce a new, random number, which is then entered along with the normal user ID and password. This random number is the additional credential, or second factor, in the two-factor authentication system.
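To make the mechanism concrete, here is an added illustration (not Swivel's code, and not taken from the article) of a PINsafe-style tokenless second factor. It assumes, as the scheme is commonly described, that each PIN digit selects a position in the displayed security string (digit 0 standing for the tenth position) and that the server accepts each string exactly once; the product's exact rules are not documented on this page.

```python
import secrets
import hmac

# Assumed PINsafe-style scheme: PIN digits index positions in a random
# security string that the server shows as an image for one logon only.

def new_security_string(length: int = 10) -> str:
    """Server side: a fresh random digit string, issued per logon attempt."""
    return "".join(secrets.choice("0123456789") for _ in range(length))

def one_time_code(pin: str, security_string: str) -> str:
    """What the user works out in their head: for each PIN digit, read the
    digit at that 1-based position of the string (0 means the last position)."""
    if not pin or not pin.isdigit():
        raise ValueError("PIN must be one or more digits")
    code = []
    for d in pin:
        idx = (int(d) - 1) % len(security_string)   # '0' wraps to the last digit
        code.append(security_string[idx])
    return "".join(code)

class Verifier:
    """Server side: remembers which string was issued to which session and
    consumes it on the first verification attempt, pass or fail, so a code
    captured by an eavesdropper cannot be replayed against the same string."""
    def __init__(self) -> None:
        self._issued: dict[str, str] = {}   # session id -> security string

    def challenge(self, session_id: str) -> str:
        s = new_security_string()
        self._issued[session_id] = s
        return s   # in the real product this is rendered as an obfuscated image

    def verify(self, session_id: str, registered_pin: str, submitted: str) -> bool:
        # registered_pin stands for the PIN stored at enrolment for this user.
        s = self._issued.pop(session_id, None)   # single use, removed either way
        if s is None:
            return False
        expected = one_time_code(registered_pin, s)
        return hmac.compare_digest(expected, submitted)   # constant-time compare

if __name__ == "__main__":
    v = Verifier()
    shown = v.challenge("call-0001")          # constructed session id
    code = one_time_code("2468", shown)       # constructed PIN
    print(shown, code, v.verify("call-0001", "2468", code))
```

The PIN itself never crosses the wire; only the derived digits do, and they are worthless once the session's string has been consumed.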

The image generated by PINsafe is similar to CAPTCHA technology. Yahoo and Google use CAPTCHA images to block spammers from using scripts and automatically sending email to random accounts. The CAPTCHA is an image with embedded characters that cannot be read by malicious scripts looking for ordinary text.

EMC Corp.'s RSA division has a similar tokenless system that uses technology from PassMark, a company it acquired earlier this year. The PassMark technology displays an image on the logon screen, and the user verifies that it is the one he or she chose during registration. Unlike PINsafe, the image is an ordinary photo or graphic, not text. Additionally, this system is Web-based and will only work if the applications are on an intranet.

Both RSA and PINsafe satisfy the FFIEC two-factor authentication guidelines, and each is an option you might consider for your call center.

This was last published in December 2006.