A). According to the information in the case, do you think the bank satisfied the requirement for two-factor authentication? Generally, two-factor authentication requires two forms of authentication (Panko, 117). For example, most online banking today requires you to log in with a username/password and also to identify a security key or security image as an additional key. In 2005 the Federal Financial Institutions Examination Council required banks to use at least two-factor authentication. Two-factor authentication utilizes two or more factors to verify customer identity, and these two factors are usually something the person has and something the person knows.
Simply using a username/password for identification is not enough for two-factor authentication according to the FFIEC. It looks like in the given case the bank used account numbers and passwords, and the customer had to answer two challenge questions. Username/password is only one factor, and hence the bank did not satisfy the requirement of two-factor authentication.
B). According to the information in the case, do you think the bank was doing anomaly monitoring? I do not think the bank was doing anomaly monitoring. This is because the bank knows Patco very well. The bank should know, or should have known, Patco's regular transaction behavior. The bank should keep track of its customers' behavior, such as how often they withdraw money and in what range. The bank should also keep track of how often its clients deposit money and in what range.
In the case study, Patco only withdrew money for payroll on Fridays. Its previous largest single-day withdrawal had been under $37,000. It is obvious that when $588,000 was drained in successive transactions, it should have been caught by the bank as suspicious activity. The bank did not monitor this abnormal transaction, nor did it notify Patco promptly. Hence, it is clear that the bank had not been doing anomaly monitoring.
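As an added example (not part of the original answer or of the case materials), here is a small Python anomaly monitor of the kind described above: it builds a baseline from a customer's past withdrawals and flags any new transaction that breaks the pattern (larger than anything seen before, far above the usual amount, on an unusual day of the week, or too many withdrawals in a rolling week). The transaction history is constructed to resemble the case (weekly Friday payroll withdrawals under $37,000, then $588,000 drained over six consecutive business days); the specific dates and per-day amounts are assumptions, not figures from the case.

```python
from collections import Counter
from datetime import date, timedelta
from statistics import mean, pstdev
from typing import NamedTuple


class Withdrawal(NamedTuple):
    when: date
    amount: float


# Constructed history: 19 weekly Friday payroll withdrawals, 2009-01-02 .. 2009-05-08,
# growing slowly from $30,000 and staying under $37,000 (assumed figures).
HISTORY = [
    Withdrawal(date(2009, 1, 2) + timedelta(days=7 * i), 30000.0 + 350.0 * i)
    for i in range(19)
]

# Constructed run of withdrawals on consecutive business days totalling $588,000
# (the individual amounts are assumptions; only the total mirrors the case).
SUSPICIOUS = [
    Withdrawal(date(2009, 5, 11), 56000.0),   # Monday
    Withdrawal(date(2009, 5, 12), 115000.0),  # Tuesday
    Withdrawal(date(2009, 5, 13), 99000.0),   # Wednesday
    Withdrawal(date(2009, 5, 14), 91000.0),   # Thursday
    Withdrawal(date(2009, 5, 15), 92000.0),   # Friday
    Withdrawal(date(2009, 5, 18), 135000.0),  # Monday
]


def baseline(history):
    """Summarize a customer's normal behaviour: amount statistics and usual weekdays."""
    amounts = [w.amount for w in history]
    weekdays = Counter(w.when.weekday() for w in history)
    return {
        "max_amount": max(amounts),
        "mean_amount": mean(amounts),
        "std_amount": pstdev(amounts),
        # A weekday counts as "usual" if at least 20% of past withdrawals fell on it.
        "usual_weekdays": {d for d, n in weekdays.items() if n / len(history) >= 0.2},
    }


def score(tx, base, earlier):
    """Return the list of reasons a transaction looks anomalous (empty if it looks normal)."""
    reasons = []
    if tx.amount > base["max_amount"]:
        reasons.append("exceeds historical maximum")
    if base["std_amount"] > 0 and (tx.amount - base["mean_amount"]) / base["std_amount"] > 3:
        reasons.append("more than 3 standard deviations above mean")
    if tx.when.weekday() not in base["usual_weekdays"]:
        reasons.append("unusual day of week")
    # Count prior withdrawals in the 7 days before this one; a weekly payroll
    # customer normally has none, so two or more is a frequency anomaly.
    recent = [w for w in earlier if 0 <= (tx.when - w.when).days < 7]
    if len(recent) >= 2:
        reasons.append("multiple withdrawals within 7 days")
    return reasons


def monitor(history, new_txs):
    """Check each new transaction against the baseline; return (tx, reasons) for every alert."""
    base = baseline(history)
    seen = list(history)
    alerts = []
    for tx in new_txs:
        reasons = score(tx, base, seen)
        if reasons:
            alerts.append((tx, reasons))
        seen.append(tx)  # later transactions are judged against everything seen so far
    return alerts


if __name__ == "__main__":
    for tx, reasons in monitor(HISTORY, SUSPICIOUS):
        print(f"{tx.when} ${tx.amount:>10,.0f}: " + "; ".join(reasons))
```

Even this crude baseline flags every one of the six draining transactions on the first day, which is the point of the answer above: a bank that tracks how much and how often a customer normally withdraws has the information to stop or at least question such activity promptly.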
C). According to the information in the case, do you think Ocean Bank was negligent? I definitely think Ocean Bank was negligent. First of all, it is seen that it was not following the two-factor authentication requirement set by the Federal Financial Institutions Examination Council at all; it was not even following the minimum requirement of two-factor authentication. Secondly, the bank had not noticed the big withdrawals on consecutive days. Lastly, the bank had noticed a problem when the thieves entered an invalid account number but did not notify Patco on time. They should have notified Patco by email or by calling them directly.
D). According to the information in the case, if you were head of Ocean Bank, what would you do to prevent this problem from recurring? First of all, I would review the existing security procedures. I would want to make sure that security is treated as a management issue, not just a technology issue. Security management should cover the following areas: planning, authentication, firewalls, and responding to the event. Security is not about having a strong authentication mode or making stronger passwords.
It is about proper planning, appropriate risk analysis, and having proper policies and procedures in place, especially for how to respond safely and effectively after an incident occurs. Secondly, I would make sure the security procedures follow the Federal Financial Institutions Examination Council standards.