Galaxy Plus Credit Union System

Multi-Factor Authentication (MFA)

—Providing an extra layer of security and protection for your home banking system

Multi-Factor Authentication (MFA) provides extra protection for online data by offering several layers of security that are both visible and invisible to your members. MFA helps guard against fraudulent online activities like Phishing scams and identity theft.

Background

Additional information
for Credit Union Clients

Signiﬁcant increases in threats to the security of personal ﬁnancial information and funds when conducting business online continues to rise. The statistics are staggering:

Of more than 686,000 consumer complaints received by the Federal Trade Commission (FTC) in 2005, more than one-third involved identity theft;

Internet-related complaints accounted for 46% of all FTC consumer fraud complaints in 2005; and
From 2003 to 2005, the number of identity theft cases that involved electronic funds transfer more than tripled. To address this new reality, the Federal Financial Institutions Examination Council (FFIEC) stated that credit unions have until year-end 2006 to assess the risks of their online banking services and, if necessary, implement "effective methods of authentication" that are stronger than single-factor authentication methods, such as passwords.

Fiserv Galaxy and RSA Respond

In response to this need, Fiserv Galaxy is partnering with RSA Security to add Multi-Factor Authentication (MFA) to the Netbranch Plus Home Banking System. MFA provides extra protection for online data by offering several layers of security that are both visible and invisible to the member. Some of the primary beneﬁts include:

Ease of Deployment – no additional hardware or software required
Accessibility – uses common "ﬂash" technology
Convenience – no additional devices or passwords are required for members
Cost – inexpensive per-member pricing for credit unions

Authentication

Visible Authentication assures members they are securely logged onto their credit union’s genuine home banking system. With visible authentication, members see a secret image and phrase combination assigned to each time they log on to Netbranch Plus. Members are instructed to enter their password only after Netbranch Plus displays this secret image and phrase.

During registration, members select a personalized image and phrase that will be displayed on NetBranch Plus, letting them know they are logged onto the legitimate Home Banking site. This image and phrase combination becomes a "shared secret" between the member and credit union. A fraudulent web site would not display the image and phrase.

Invisible Authentication. Using a transparent system that stores the unique characteristics of a user’s PC, the system verifies the member’s computer to further validate that the member is genuine. Since members may want to log on from multiple locations, the system can recognize multiple computers for each member without requiring them to install new software or to carry a hardware device. If the system recognizes the individual’s computer, the member can proceed without interruption.

Supplemental Authentication.
For the small percent of instances where a new or unregistered computer is used, or a questionable logon attempt is detected, the member is prompted for an additional authentication credential to validate his or her identity. There are several methods available that allow members to authenticate themselves:

Secret Questions. During registration, a user is prompted to select a set of Secret Questions and to provide answers to those questions. In the event that activity exceeds the predetermined threshold (for example, signing in from a new or unregistered computer), the member will be presented with a Secret Question to answer in order to proceed.
E-Mail. Out-of-band Email Authentication relies on a separate digital mechanism for authenticating a user’s online activity. When an activity or transaction has been identified as suspicious, the member is asked to confirm a code or a word via a separate email address that is unconnected with the website. Once the authentication is complete, the member can proceed with the online activity.