Financial Organizations Struggle with Out of Band Authentication

Many of our client financial organizations have been working on implementing out of band authentication (OOBA) mechanisms for specific kinds of money transfers such as ACH and wires. A few have even looked into performing OOBA for all home and mobile banking access. While this authentication method does add security to the process, effectively raising the bar for credential theft by the bad guys, it does not come without its challenges.

For starters, the implementation and integration of some of the software designed for this purpose has been more difficult than many of the project teams expected. We are hearing that in some cases the vendors have had difficulty integrating with some site platforms, particularly those not built on .NET. Other platforms have been integrated successfully, but often over time (and many over budget); the lesson learned is this: communicate clearly about the platforms in use when discussing implementations with potential vendors.
 
Other problems we have been hearing about include availability issues with the number of outbound phone connections during peak use periods, cellular carriers “losing” SMS messages (particularly a few non-top-tier carriers), and difficulty integrating solutions into VoIP networks and old-style traditional PBX systems.
 
In many cases, these telephone and cellular issues have caused systems to be withdrawn during pilot, turned off during peak periods, and handled with other “fits and starts” approaches while the rough patches were worked out. The lesson in this area seems to be to design for peak use, or at least to understand and communicate acceptable delays, outages or round-robin processes, and to make sure that your systems properly communicate these parameters to the user.
 
In the long run, proper communication to the users will lower the impact of the onslaught some of these systems cause for the customer support and help desk folks.
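The peak-capacity, SMS-loss and user-communication lessons above, as an added example that is not from the post or from any vendor product: a small Python dispatcher that issues one-time codes over SMS, goes straight to voice for carriers known to drop messages or when an SMS reply times out, queues calls when the outbound lines are saturated, and tells the customer the delay to expect. Carrier names, line counts, timeouts and call durations are constructed assumptions.

```python
import hmac
import secrets
from collections import namedtuple

# Constructed parameters (assumptions, not figures from the post).
SMS_REPLY_WINDOW = 60    # seconds to wait for an SMS reply before falling back to voice
CODE_LIFETIME = 300      # seconds a one-time code stays valid
AVG_CALL_SECONDS = 45    # average length of one outbound verification call

# code, delivery channel ("sms", "voice" or "queued"), expiry, and the text shown to the customer
Challenge = namedtuple("Challenge", "code channel expires_at user_message")

class OobaDispatcher:
    def __init__(self, lossy_carriers, voice_lines):
        self.lossy_carriers = set(lossy_carriers)  # carriers known to drop SMS
        self.voice_lines = voice_lines             # concurrent outbound calls available at peak
        self.active_calls = 0                      # calls in progress (line release is not modelled)
        self.queue = []                            # transfer ids waiting for a free line
        self.pending = {}                          # transfer id -> the one live Challenge

    def issue(self, transfer_id, carrier, now):
        code = f"{secrets.randbelow(10**6):06d}"
        if carrier in self.lossy_carriers:         # do not even try SMS on a lossy carrier
            return self._voice(transfer_id, code, now)
        msg = f"Code sent by SMS; if it does not arrive within {SMS_REPLY_WINDOW}s we will call you."
        self.pending[transfer_id] = Challenge(code, "sms", now + CODE_LIFETIME, msg)
        return self.pending[transfer_id]

    def sms_timed_out(self, transfer_id, now):
        # Carrier lost the message: a fresh voice code replaces the SMS code, so one code is live.
        return self._voice(transfer_id, f"{secrets.randbelow(10**6):06d}", now)

    def _voice(self, transfer_id, code, now):
        if self.active_calls < self.voice_lines:
            self.active_calls += 1
            ch = Challenge(code, "voice", now + CODE_LIFETIME, "Calling you now.")
        else:                                      # lines saturated: queue and state the delay
            self.queue.append(transfer_id)
            wait = len(self.queue) * AVG_CALL_SECONDS // self.voice_lines
            ch = Challenge(code, "queued", now + CODE_LIFETIME + wait,
                           f"All verification lines are busy; expect a call in about {wait}s.")
        self.pending[transfer_id] = ch
        return ch

    def verify(self, transfer_id, submitted, now):
        # One attempt per code: right or wrong, it is retired and the transfer needs a reissue.
        ch = self.pending.pop(transfer_id, None)
        if ch is None or now > ch.expires_at:
            return False
        return hmac.compare_digest(ch.code, submitted)
```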
 
It is getting better though. Vendors are learning to more easily and effectively develop and implement these solutions. The impact on account theft has been strong so far and customers seem to have a rapid adjustment curve. In fact, a few of our clients have shared that they have received kudos from their members/customers for implementing these new tools when they were announced, documented, and explained properly to the user base.
 
If your organization is considering this technology and has struggled with it, or has emerged victorious in mastering it, please drop me a line on Twitter (@lbhuston) and let me know your thoughts. The more we share about these tools, the better we can all get at making the road less bumpy for the public.
 
As always, thanks for reading and stay safe out there!

4 thoughts on “Financial Organizations Struggle with Out of Band Authentication”

  1. Just a couple of quick notes – 1. It should be “cause”, not “call to the customer support…” Sorry about that!

    2. After a lot of discussions on Twitter about the post, I wanted to make it clear that OOBA does have some risks, but many of the problems are solvable. It should still be considered, it just requires careful planning to integrate and deploy (like most things…). It just seems that some folks assume it is going to be easier than it is, or they downplay the risks. We need reasonable, rational and real world experiences to build on the public knowledge base. Thus, we encourage folks using, developing, supporting, considering or struggling with these technologies to share their experiences and lessons learned.

    Together, we can iron out the wrinkles and make deployments of OOBA easier and more effective.

    Thanks for reading and for the comments on Twitter. You all rock and have a great weekend!

  2. Pingback: Follow Up to Out of Band Authentication Post - MSI :: State of Security
