August 2015: Deadline for Two-Factor Authentication in the European Union
In December 2014, the European Banking Authority released guidelines on securing online payments across the European Union (EU). One of those security requirements includes the use of ‘strong authentication,’ which the EBA defines as the use of multifactor authentication.
With a deadline of August 1, 2015, EU companies must start researching and deploying two-factor authentication solutions.
The EBA defines strong customer authentication as the use of two or more of:
- Something only the user knows (password)
- Something only the user possesses (smartphone or token)
- Something the user is (fingerprint)
According to the EBA, the guidelines are based on the technical recommendations issued in 2013 by the European Forum on the Security of Retail Payments (SecuRe Pay), which is comprised of a several central banks and supervisors of Payment Service Providers (PSPs).
Increasing EU Data Breaches
Why the focus on authentication security? In a report from the Center for Media, Data and Society, Data Breaches in Europe: Reported Breaches of Compromised Personal Records in Europe 2005-2014 (PDF), 57 percent of incidents involved theft, resulting 570 million records stolen over 10 years.
Another 42 percent of the data breach cases they analyzed involved external attacks by criminal hackers. Other security issues involve insider theft, lost or stolen hardware, and administrative errors; including some cases in which organizations mistakenly uploaded personal records online.
Fraud is also on the rise - online credit card payment fraud has caused €794 million of losses in 2012 (up by 21.2% from the previous year), a statistic noted by the EBA in December 2014; prompting the need for more prescriptive technical security guidance.
Data Breach Notification Laws
When it comes to breach notification legislation, the EU made personal data breach disclosures mandatory in August 2013 for telecom operators and Internet service providers, requiring reports within 24 hours of breach detection, or within three days of being alerted of the breach. While the U.K. upholds the same law, there is no requirement for other organizations to report data breaches.
Here in the U.S., White House administration has only recently proposed a blanket data breach notification law that requires a 30-day time period for companies to report data breaches, known as the The Personal Data Notification & Protection Act (PDF). Under the proposed act, state attorney generals can sue for up to $1,000 per day, per each affected individual, with a maximum $1 million per violation.
The legislation comes with a number of other proposals, including the BuySecure initiative that mandates the use of chip and PIN technology to help protect consumers from credit card fraud and identity theft - a move explained most aptly in 2014 being dubbed as the “Year of Mega Breaches” by the Ponemon Institute.
Strong Authentication for Banking Services and Online Payments
Likewise, an increase in online payment fraud has prompted the EBA to implement a more secure framework for conducting transactions on the Internet for the EU. In particular, Payment Service Providers (PSPs) are required to carry out strong customer authentication through banking services or internet card payments.
Specifically, one of the guidelines requires giving customers the option to sign up for two-factor authentication (‘strong authentication’). The rules also dictate certain security controls for strong authentication, including limiting the number of failed login attempts, after which access should be blocked.
To meet this requirement, Duo Security’s lockout and fraud feature lets you guard against brute-force (password guessing attacks).
The EBA guidelines also call for the monitoring of customer access devices, including the geolocation, in addition to monitoring transactions and watching out for suspicious high-value transactions.
To help with these requirements, Duo Security provides a Maps and Flags feature and Authentication Logging. With detailed authentication, administrator and telephony logs, you can track user activity and get fraud alerts to help your company proactively defend against breaches.
Our Maps and Flags feature shows you detailed information about all authentication attempts to your network, including their name, time, integration type, location, IP address, authentication method and the result (authentication success or failure).
The guidelines also suggest linking the authentication to a specific amount and payee, otherwise known as transaction-level authentication. That means specifying where exactly the two-factor challenge should occur, including before sending a high-value wire transfer, which both protects the transaction and logs information about the user trying to conduct the action.
Transaction authentication can also be used to prevent threats posed by insiders - banking, financial and e-commerce organizations can track who is viewing certain types of information, as well as when and how much, giving them the data they need to pinpoint potential threats.
Find out more about these guidelines and others in the EBA’s Final Guidelines on the Security of Internet Payments (PDF), applicable to all countries across the European Union. And, learn more about two-factor authentication solutions to meet the guidelines in Duo’s Two-Factor Authentication Evaluation Guide.