A great piece was written up by Kevin Funnell recapping an article in the American Banker on the impact of banks meeting the FFIEC Multi-Factor Authentication deadline of January 1, 2007. Thankfully many organizations adopted these requirements prior to the hard deadline, and overall fraud rates have plunged. The key points in his writeup that jump out at me are:
Great Success:
“fraud has decreased by 30% to 40% in the online channel in the U.S. from 2006 to 2007 specifically due to implementing the FFIEC-required authentication”
This supports the view that multi-factor authentication is beneficial and should provide immediate returns to the organization, both financially and in public goodwill.
Escalation continues:
“increased incidents of branch and contact center fraud and criminals working the channels to get pieces of information”
This is an important fact: threats can come from different angles, but the target is STILL the data, and we must do a great job of securing and monitoring those data stores.
What truly resonates with me is the amount of fraud reduced through a simple introduction of a control. The economics and technical feasibility of this control are very understandable and not complex. I feel there is a huge opportunity for online merchants, not banks that are subject to the FFIEC, to fully embrace this control and necessary technology. PCI DSS mandates under Section 8.3 that administrators, employees, and third parties use two-factor authentication when accessing data remotely - this does not apply (today) to consumers.
A good set of studies on multi-factor authentication usefulness and applicability can be found here, here, here, and here.
Updated: Great breakdown of Multi-Factor approaches and analysis by Karim Zerhouni, Senior Manager for BearingPoint.
Fraud is an issue that impacts business profit margins and disrupts consumers' lives. Reducing cost and improving the consumer experience is a best practice in any economy, nation, and industry.
Best,
James DeLuccia













