6 Biometrics for your Mobile Platform

By: Daon, the NAFCU Services preferred partner for Biometric Authentication

Passwords simply don’t work. Every day brings fresh reports of stolen passwords and hacked accounts. Fortunately, the proliferation of mobile devices has provided an antidote to failing password security — mobile authentication.

Standard Authentication Limitations

Mobile authentication is moving to the mainstream. Consumers have become familiar with using their mobile devices to retrieve a text message consisting of a string of characters that must be retyped into a form on a website.

However, if you are trying to conduct a banking transaction on your phone, then a text message sent to that same phone is awkward to execute and provides limited protection. Furthermore, it doesn’t really prove your identity — it could just as easily be someone who found your phone at a restaurant trying to access your banking information.

Biometric Authentication

Enter biometrics, which authenticate you based on your unique physical characteristics — what makes you who you are — rather than simply assuming you own the device that you are carrying. Biometrics provide both high security and unparalleled convenience.

Instead of typing a string of characters, you simply read a displayed sentence out loud, look into the camera and blink, or swipe your finger across an embedded sensor.

There are six different types of biometrics that financial institutions can implement:

  1. Facial Recognition: involves looking into the device’s camera while the authentication software takes a photograph of you
  2. Voice Recognition: involves speaking into the device’s microphone
  3. Fingerprint Recognition: users either press their finger to the reader or swipe their finger across its surface
  4. Palm Line Recognition: involves taking a photo of the palm of your hand so that its major, easily visible lines can be captured and analyzed
  5. Iris Recognition: involves looking into the device’s camera, usually the front-facing one that allows you to see the image being captured
  6. Vein Recognition: involves taking a picture of a part of your body with a special camera that can capture the pattern of veins under the skin

For a complete comparison of these biometrics’ strengths and weaknesses, download the full white paper.

How does it work?

Biometric authentication works by having a person submit samples of their biometric characteristics when they enroll in a service that supports it. Later, when they want to authenticate, they submit another sample for comparison. Each comparison produces a calculated score representing the likelihood that the two samples belong to the same person.

For example: If you take a photo of yourself and this is compared with an earlier picture, you should get a very high score. In contrast, the stranger sitting next to you on the subway would get a low score if you tried to pass his picture off as your own.

Taking it a step further: Multi-Modal Biometrics

Multi-modal means collecting more than one biometric to authenticate someone. There are many advantages to a multi-modal system, most significantly an increase in both security and user convenience.

But which biometric is the best? Download the whitepaper, “Face, Fingerprint, Iris, Palm, Vein, Voice: Which biometric is the fairest of them all?” Take a look at each of these options to determine which is the best biometric for your mobile authentication.

Daon is the NAFCU Services preferred partner for Biometric Authentication. Learn more at http://www.nafcu.org/daon/

Holiday Season Fraud Prevention Checklist

Produced By Ann Davidson, VP of Risk Consulting at Allied Solutions

It’s not if fraud exposure will happen this holiday season, it’s when! That’s why your credit union should help your staff and members prepare for what fraudsters have in store this holiday season.

Our gift to you this holiday is a checklist that you should provide to your credit union staff to ensure that your credit union and credit union’s members have a safe and fraud free holiday season.

Holiday Season Fraud Prevention Checklist:

☑ Educate cardholders about the heightened risk of attacks and scams during the holiday season, such as phishing attacks (where the member is asked to pay the scammer money) and recruitment scams (where the member is asked to pay a bit of money up front to earn more money later on).

☑ Recommend to staff and members that they more closely and more frequently monitor ACH items, outgoing wires, and online transaction activity on all of their cards and accounts to look out for any unauthorized activity. Inform them to pay special attention to ACH items and outgoing wires.

☑ Utilize promotional and communication tools to increase the proliferation of information to your credit union staff and members about the increased likelihood of scams and attacks during the holiday season.

☑ Flag or block any unusual out-of-state card purchases. Inform members to alert you if they are traveling over the holidays, so that they are not affected by these preventative measures.

☑  Monitor any type of card fraud to help identify a card breach. Look for a common point of compromise and report it to the fraud department at the card association (i.e. Visa or MasterCard) immediately.

☑  Ensure that your credit union is receiving Visa alerts (CAMs) or MasterCard alerts regarding compromised cards and/or regarding information about the type of card data at risk (i.e. Track 1, Track 2, etc.).

☑  Determine if you will block and reissue or monitor compromised card numbers. In cases where the full unaltered magnetic stripe has been compromised, it is strongly recommended to block and reissue the card data.

☑  Contact cardholders to let them know when they are part of the compromised breach.

☑  Share a message on your website or phone system with any updates about the breach.

☑  Utilize multiple layers of authentication when validating and sending out ACH and wire transactions both online and in-person to help prevent any unauthorized withdrawals of members’ funds.

☑  Monitor PIN change activity. The criminal may make multiple attempts to perform a PIN change in order to obtain card data.

☑  Utilize an anti-skimming device on your ATMs to help prevent skimming.

☑ Review daily dollar limits for signature, internet, and PIN transactions and offer members the option to lower their daily card limits over the holiday season.

☑  Watch for multiple payments on the same day or within days of each other on credit card accounts and do not provide availability of a payment to the credit card holder until other payments clear.

☑  Watch for increased cash disbursements (advances) being performed on non-credit union issued cards at the teller counter.

☑  Perform a review of your fraud risk tools and programs to assess their effectiveness.

☑  Continue to enhance your fraud protection strategies and your fraud management systems to help prevent card exposure.

For more information, watch the “Holiday Fraud Prevention 101” webinar recording.  Ann Davidson with Allied Solutions, LLC will explain what type of risks increase during the holidays and introduce steps that you, your staff, and your members can take to help ensure you all have a safe and fraud free holiday season.


Allied Solutions is the NAFCU Services Preferred Partner for Insurance – Bond, Creditor Placed (CPI), Guaranteed Asset Protection (GAP), and Mechanical Breakdown (MBP); and rateGenius.  More educational resources and contact information are available at www.nafcu.org/allied

 

Cyber Security Awareness Month: Third Party Cyber Risk Management

By: Jacob Olcott, VP of Business Development, BitSight Technologies

How not to become a “Target”
October is cyber security awareness month, and there are few things more haunting to financial or retail institutions than the security breach that affected Target stores a few years back. The attack resulted in more than $40 million in debit and credit card numbers being stolen, and more than likely affected at least some of your members.

The scariest part of the security breach may be where it originated: its HVAC supplier. The attack highlights how important it is for financial organizations to have a well thought-out program to mitigate third party cyber risk.

Regulators are taking a closer look at third party risk management so the importance of employing best practices is not just practical, but legal as well.

Five Key Steps to Develop a Third Party Risk Management Program

Developing a risk management program doesn’t have to be difficult. There are five key points to consider for a plan, and several vendors and services that can help you to do so.

  1. Organize Internally. This means bringing together all teams that have an impact on, or are impacted by your cybersecurity or dealings with third party vendors. This would most likely include your legal, compliance, IT, and procurement teams.
  2. Identify and Prioritize Key Parties. It is important for credit unions to consider any third party that has either direct network connections to your organization or has access to sensitive data. This would include, but is not limited to, looking at your primary payment processor, largest software vendor, law firms, consulting firms, and benefits administrator. When prioritizing vendors, approach this from the position of your most sensitive data, likely your members’ financial data, and the level of access a third party has to that data.
  3. Evaluate your vendors’ security. This is traditionally done a number of ways such as using questionnaires, vulnerability scans, and audits. If you are not sure where to start, Shared Assessments is a good source that charges a fee for common questionnaires to send your partners regarding their cyber security efforts. If you are interested in developing your own questionnaire, the NIST cybersecurity framework is a good place to start. You can also do your own audits of your partners, but often companies will share their own documentation of audits they have done.
  4. Communicate. The importance of clearly communicating your expectations to your partners should not be overlooked. This should be done not only in writing in forms such as contracts, but verbally as well. It is important to develop a strong dialogue regarding your security concerns that is not just once, when you launch a partnership, but ongoing. The cybersecurity landscape changes on a daily basis so it is important for you and your partners to discuss where you are headed and how to stay ahead of the curve.
  5. Continuously Monitor Vendor Performance. This is another point not to be overlooked. Questionnaires and audits can only give you snapshots of a company’s security profile at one point in time. Actual security is much more fluid than that. NAFCU has partnered with BitSight Technologies as a preferred provider of monitoring services. BitSight essentially works like a credit rating service for cybersecurity. They provide a number that indicates how strong a company’s security practices are on a continuous basis. BitSight calculates Security Ratings using a continuous process that gathers, processes, and assigns security data to arrive at the top-level security ratings.

For more detailed information on developing a third party cyber risk management plan you can check out NAFCU’s webinar with BitSight Technologies here or download BitSight’s white paper on the topic.

What Biometrics Can Do for Your Credit Union’s Security Strategy

If you feel like there is always another security measure you need to consider, you’re right, and this reality is actually a very good thing. The security landscape is indeed continuously changing and evolving.

You must constantly evaluate and reevaluate your security processes because one single solution to satisfy all of your security concerns and needs does not exist. Consequently, it’s wise to employ a multi-factor security (MFA) strategy.

Chris Amador, Product Owner with Q2, talked about the balancing act that your credit union faces when implementing biometrics solutions, in our recent webinar, “Biometrics: Enhancing Member Experience & Security.” He spoke about the challenges your credit union faces with providing secured online and mobile channels that guarantee compliance with regulations and deliver a satisfying experience for your members.

Watch Biometrics: Enhancing Member Experience & Security


We’re sharing some key highlights from the webinar and encourage you to watch the complete presentation where Chris shares timely insights on:

  • The different types of biometric solutions currently used within the financial services industry
  • What true multi-factor authentication (MFA) means and why the “third factor” is difficult to solve
  • The preferred biometric solution for online use among consumers
  • Barriers you need to consider when implementing biometrics features
  • How to evaluate whether or not your membership is ready to accept this technology

What is a True Multi-Factor Security Strategy?

A true multi-factor authentication (MFA) security strategy should include three key factors:

  • Something I “have” (e.g., your member’s laptop or mobile device like a tablet or a smartphone)
  • Something I “know” (e.g., your member’s user ID and password, pin, account number, or knowledge based questions)
  • Something I “am” (e.g., your member’s biometric data, a physical or behavioral attribute unique to your individual member)

You and your members are familiar with the “something I have” and “something I know” categories, but those two factors alone have limitations in today’s complex security environment.

The physical devices your members use, whether a laptop, a tablet, or a smartphone, were once considered an integral layer of security, but this is no longer thought to be true because these devices can be stolen. And, due to the rise of social media, your members may post all sorts of information that can be used by fraudsters to determine the correct answers to security questions. As an example, online quizzes on social media (e.g., BuzzFeed) can be used as tools for fraudsters to phish for information.

The “something I am” category is only available through the implementation of biometrics. Biometrics are an effective third factor in an MFA security offering for your members because they utilize something fraudsters can’t duplicate, the unique personal and physical identifiers of your members.

It’s important to consider and assess to what degree your members will be comfortable and willing to adopt biometric security measures. Continue advancing your knowledge about these options and the biometrics landscape by watching “Biometrics: Enhancing Member Experience & Security.”

Q2 Online and Mobile Banking

Q2 is the NAFCU Services Preferred Partner for a single platform virtual banking solution, including online and mobile. Learn more about Q2 by visiting www.nafcu.org/Q2.

Best of NAFCU’s 48th Annual Conference and Solutions Expo (Video and Educational Highlights)

Credit union leaders from around the country gathered to network and discuss the most pressing issues impacting the industry during NAFCU’s 48th Annual Conference and Solutions Expo in Montreal, Canada. The conference was NAFCU’s largest event in nearly a decade.

Here’s a quick video of some highlights from this year’s conference:


During the conference, attendees heard from NAFCU management and leading industry professionals that included keynote conference speakers such as TrendHunter.com Founder and CEO Jeremy Gutsche, and MasterCard’s General Counsel and Chief Franchise Officer Tim Murphy.

This year’s conference included the annual Solutions Expo, spotlighting the latest technologies, applications, and resources available to help improve credit union operations.

Our Preferred Partners exhibited during the conference and shared their thought leadership, innovations, and solutions during educational sessions throughout the conference.

The complete list of sessions and available presentation slides are available on www.nafcu-annual.org. Here’s a quick listing of key topics presented during the conference to help your credit union grow, retain members, manage risks, protect members, and improve overall operations:

| Topic Category | Presentation Title | Preferred Partner |
| --- | --- | --- |
| Growth & Retention | Building A Strong Payments Strategy | Vantiv |
| Growth & Retention | Health Savings Accounts, IRAs and Millennials: A New Generation Presents New Opportunities | Ascensus |
| Growth & Retention | Using Credit Scores to Grow and Engage Membership | VantageScore |
| Growth & Retention | Why Your Credit Union Should Offer Wealth Management Services to All Members | Money Concepts |
| Risk & Security | A Deep Dive Into EMV Implementation | MasterCard |
| Risk & Security | Cybersecurity Risk Mitigation: Protect Your Member Data | Knowledge Consulting Group (KCG) |
| Risk & Security | Top Ten Fraud Risks That Impact Your Financial Institution | Allied Solutions |
| Risk & Security | Uncovering the Faces of Fraud | Q2 |
| Risk & Security | Using Moneyball Tactics and Risk Rating Assessment Models | Wolters Kluwer Financial Services |
| Financial & Insurance | Trends in the Retirement Plan Industry | Pentegra Retirement Services |

Thanks again to the 2015 Annual Conference signature sponsor MasterCard, our 5-star preferred partner sponsors Allied Solutions and Vantiv, and all of our partner sponsors, exhibitors, and speakers.

We’re looking forward to seeing you all at NAFCU’s 49th Annual Conference and Solutions Expo in Nashville (Music City) next year! Get more information, sign-up for updates on the latest conference details, and register by visiting www.nafcu-annual.org.