Two-Factor Authentication May Be Coming to a Bank Near You
Tuesday, March 3, 2015
Print Mail Download i

When I was at the SEC and online broker-dealers’ customers were the victims of hacking incidents, I used to wonder, why don’t the broker-dealers require multi-factor authentication to gain access to accounts? It was a silly question. I knew the answer. Multi-factor authentication is a pain and nobody likes it.

Do you know what it is? Here’s what Wikipedia says, so it must be true:

Multi-factor authentication (MFA) is a method of computer access control which a user can pass by successfully presenting authentication factors from at least two of the three categories:

knowledge factors (“things only the user knows”), such as passwords

possession factors (“things only the user has”), such as ATM cards

inherence factors (“things only the user is”), such as biometrics.

The idea is, hackers might figure out your password, but they won’t be able to figure out a number that changes every 30 seconds on a card you carry or on your cell phone. They won’t be able to replicate your fingerprint. That’s the idea, anyway. Brokers and banks have been loathe to require multi-factor authentication because it’s inconvenient and customers often hate it.

But here comes Ben Lawsky, the Superintendent of New York’s Department of Financial Services, who just unveiled a number of proposals to increase cybersecurity at banks under his jurisdiction. One of these is to require that banks use multi-factor authentication. This move could take a lot of the economic pressure off banks that would otherwise like to implement this control for its customers, but have been unwilling to do so for fear of losing those customers to rivals. If everybody has to do it, there’s not a lot of fear from imposing it unilaterally.

That’s not all Lawsky has in mind. His proposal also includes:

requiring senior bank executives to personally attest to the adequacy of their systems guarding against money laundering;

ensuring that banks receive warranties from third-party vendors that those providers have cybersecurity protections in place;

random audits of regulated firms’ transaction monitoring systems, meant to catch money laundering; and

incorporating targeted assessments of those institutions’ cybersecurity preparedness in its regular bank examinations.

Lawsky’s proposals could be a big deal. Stay tuned.

Copyright © 2024, Brooks, Pierce, McLendon, Humphrey & Leonard LLP

Current Legal Analysis

More from Brooks, Pierce, McLendon, Humphrey & Leonard, LLP

Law Firm Marketers: Consider Pilot Fish and the Shark
by: Edward C. Winslow III
Defending Former Employee On Non-Compete Or For Misappropriation Of Trade Secrets? Read This
by: Mack Sperling
Salman v. United States: The Insider Trading Cartoon Series, Vol. 16 [VIDEO]
by: David Smyth
North Carolina Business Court: What Is Intrusion Into Seclusion?
by: Mack Sperling
Mid Size Law Firms Doomed To Planning, Diligence
by: Edward C. Winslow III
The Insider Trading Cartoon Series, Vol. 13 -- The Barry Switzer Story [VIDEO]
by: David Smyth
Internal Affairs Doctrine Leads To Dismissal Of An Aiding And Abetting A Breach Of Fiduciary Duty Claim By NC Business Court
by: Mack Sperling
United States V. Newman (Part 2): Insider Trading Cartoon Series, Vol. 15
by: David Smyth
The Insider Trading Cartoon Series, Vol. 14-- United States v. Newman (Part 1) [VIDEO]
by: David Smyth
Five Things You Should Know About Discovery Under New North Carolina Business Court Rules
by: Mack Sperling

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins