predicts

What is predictive analytics?

Business metrics do a great job summarizing the past. But if you want to predict how customers will respond in the future, there is one place to turn — predictive analytics. By learning from your abundant historical data, predictive analytics provides the marketer something beyond standard business reports and sales forecasts: actionable predictions for each customer. These predictions encompass all channels, both online and off, foreseeing which customers will buy, click, respond, convert or cancel. If you predict it, you own it.
The customer predictions generated by predictive analytics deliver more relevant content to each customer, improving response rates, click rates, buying behavior, retention and overall profit. For online applications such as e-marketing and customer care recommendations, predictive analytics acts in real-time, dynamically selecting the ad, web content or cross-sell product each visitor is most likely to click on or respond to, according to that visitor's profile. This is AB selection, rather than just AB testing.
Predictive Analytics for Business, Marketing and Web is a concentrated training program that includes interactive breakout sessions and a brief hands-on exercise. In two days we cover:

• The techniques, tips and pointers you need in order to run a successful predictive analytics and data mining initiative
• How to strategically position and tactically deploy predictive analytics and data mining at your company
• How to bridge the prevalent gap between technical understanding and practical use
• How a predictive model works, how it's created and how much revenue it generates
• Several detailed case studies that demonstrate predictive analytics in action and make the concepts concrete

• NEW TOPIC: Five Ways to Lower Costs with Predictive Analytics

No background in statistics or modeling is required. The only specific knowledge assumed for this training program is moderate experience with Microsoft Excel or equivalent.

Who this seminar is for:

Managers. Project leaders, directors, CXOs, vice presidents, investors and decision makers of any kind involved with analytics, direct marketing or online marketing activities.
Marketers. Personnel running or supporting direct marketing, response modeling, or online marketing who wish to improve response rates and increase campaign ROI for retention, upsell and cross-sell.
Technology experts. Analysts, BI directors, developers, DBAs, data warehousers, web analysts, and consultants who wish to extend their expertise to predictive analytics.

In order to meet the unique training needs of business decision makers and analytics practitioners, this training program is:

• Business-focused. Unlike other training programs that also cover scientific, engineering and medical applications of data mining and analytics, this seminar focuses squarely on solving business and marketing problems with these methods.
• Comprehensive across business needs. Within this realm, however, we step beyond the standard application of response modeling for direct marketing to solve the wider range of business problems listed below.
• Vendor-neutral and method-neutral. This training program, which is not run by an analytics software vendor, provides a balanced view across analytics tools and methods.

Topics covered:

1. Solving business problems with predictive analytics Predictive analytics solves many business problems, offering solutions such as:
   
   • Increased customer retention by predicting defection
   • Increased online conversions and ad takes by predicting clicks
   • Increased sales and acquisition rates by predicting cross-sell opportunities
   • Personalized web and email content by predicting online response
   • Greater relevancy by predicting customer needs
   • Increased direct marketing response with response modeling
   • Decreased campaign spending by predicting non-responders
   • Increased fundraising profit by predicting donations
   • Higher-valued acquisitions by predicting customer lifetime value
   In other words, customer prediction drives business actions, which deliver business results. We cover case studies across this range of applications, with detailed examples running through both days of the training program.
2. Creating predictive models Data is your most valuable asset. It represents the entire history of your organization and its interactions with customers. Predictive analytics taps this rich vein of experience, mining it to produce predictive models. Where multi-channel data is available, predictive analytics discovers interactions across customer touch points, such as key online behavior that may predict which customers will respond to direct mail.
   Whatever the application, the core methodology of predictive modeling is the same. We will uncover, in concrete terms, how modeling transforms your data into actionable customer predictions. To this end, we will see exactly what a model is, taking a look inside to see how it works and how it is created. Then we will:
   
   • Explore several example models in action
   • Turn the knobs that tweak and control modeling
   • Compare and contrast modeling methods intuitively, visualizing their differences so it all makes sense:
     • Decision trees
     • Business rules
     • Naive Bayes
     • Linear regression
     • Logistic regression
     • Neural networks
     • Other more recent advanced modeling techniques
   Live demos of predictive analytics software. We will include detailed demonstrations of a general-purpose tool that implements multiple predictive modeling methods, as well as CART (Salford Systems), a tool specialized for decision trees. Its friendly GUI-based capabilities make the predictive model transparent so we can drill down and really see the inner workings of specific examples.
   In addition to the products demonstrated, we will discuss the full spectrum of today's predictive analytics software, including free tools, cheap tools, and complete software suites.
3. Measuring how well predictive models work Once you've got a predictive model, how do you know how good it is? We cover methods to evaluate models, which fall into two groups:
   

   Forecasting: How large a boost in revenue, sales or profit will the model produce?
   Accuracy: How well does it predict, how often is it correct, and how much better is it than standard segmentation such as RFM?

   Deploying a predictive model is playing a numbers game that puts the odds in your favor and improves the effectiveness of campaigns, operations and web behavior. We create profit curves, ROI calculations and bottom-line analyses and talk through exactly what they're telling us. And we prepare for performance gotchas that sneak up on you.
4. Management and project leadership for predictive analytics Although predictive analytics is technical at its core, it must be run as a business activity in order to generate customer predictions that have a business impact. This requires a wholly collaborative process driven by business needs and marketing expertise. This ensures that customer predictions are actionable within your company's operational framework, and that they have the greatest impact within your company's business model.
   Referencing the industry standard data mining process model (called CRISP-DM), we break down the requirements of a predictive analytics business initiative. We explore this process, by which analysts and managers collaborate to strategically position predictive analytics, sustain universal buy-in and understanding, and avoid common roadblocks and unforeseen hazards.

Interactive breakout sessions

Like sky-diving and SCUBA diving, after a few hours of learning predictive analytics, it's a good time to dive right in. To this end, the training program includes breakout sessions, which are integrated with the conceptual flow of topics covered. You will join a small team and actively collaborate to design deployment strategies for predictive analytics. Working together to solve specific business problems, you will design strategic processes that avert organizational challenges, and you will design a broad technical approach, including the data discovery, data preparation and evaluatory metrics needed to direct a predictive analytics initiative.
These engaging breakout sessions are conducive to exercising the concepts you've learned, making them more intuitive and ingrained, and also provide an opportunity to learn from colleagues.
You will also "get your hands dirty" by digging through some data with a hands-on exercise during the second day. Optionally working with a buddy for this short exercise of about 20 minutes, you will bring a predictive model to life and see it improve before your eyes.

Course information and registration

Attendees receive a course materials book and an official Prediction Impact certificate of completion at the conclusion of the Predictive Analytics for Business, Marketing and Web training program.
       (Click to zoom)
Course materials book            Certificate of completion
See training seminar registration for course venue information, registration, and the $100 early-bird discount.
Feel free to contact Prediction Impact with any questions about this training program.

Start learning right now

The following short, published articles, written by the instructor, are a great place to get started. Note that these articles are not required reading; the material therein will be covered during the training program.

Predictive Analytics with Data Mining: How It Works
Get a handle on the functional value of predictive analytics for marketing, sales and product direction. DM Review's DM Direct
Driven with Business Expertise, Analytics Produces Actionable Predictions
Run data mining as a business activity to generate customer predictions that will have a business impact. CRM Magazine's DestinationCRM.
Predictive Analytics' Killer App: Retaining New Customers
Predictively targeted discounts convert new customers who would otherwise never return to become loyal customers. DM Review's Extended Edition.

Sneak preview video. View the 13-minute video overview of our online training program, which is largely descriptive of this in-person training seminar as well.

About the instructor

Eric Siegel, Ph.D., is a seasoned consultant in data mining and analytics, an acclaimed industry instructor, and an award-winning teacher of graduate-level courses in these areas. Eric served as a computer science professor at Columbia University, where he developed data mining technology in the realms of machine learning performance optimization, integrating historical databases, text mining, and data visualization. The conference chair of Predictive Analytics World, Eric has authored 11 peer-reviewed research publications and ran an MIT-hosted symposium on data mining. He also co-founded two New York City-based software companies for customer/user profiling and data mining. With data mining, Eric has solved problems in CRM analytics, computer security, fraud detection, text mining and information retrieval.
Eric has taught industry programs through Prediction Impact, The Modeling Agency and Salford Systems. In addition, he taught many semesters of university courses, including data mining-related graduate courses as well as introductory lecture series for non-technical audiences. Two of these courses have been in syndication through the Columbia University Video Network. Eric also published three peer-reviewed papers on computer science education.

Google

A Paris court condemned Google and Eric Schmidt, CEO of search engine, for defamation, arguing that when the name of the person who made the complaint has been lodged for the search results presented words like "rapist" and "Satanist" .
The court ruled that Google will pay a symbolic one euro and take measures to ensure that mistakes are not repeated, informs AFP.
The applicant was sentenced to three years in prison for corruption of minors, but the sentence was not final when he made the discovery.
The Court concluded that it is considering defamation as search engine slanderous words about the applicant's name.
The company also was required to pay 5,000 euros costs.
Google representatives have said that Google Suggest reflects the most popular searches, according to previous searches.
"Google makes no such suggestions," said a spokesman for the search engine.

Listen

Read phonetically

Password

A password is a secret word or string of characters that is used for authentication, to prove identity or gain access to a resource (example: an access code is a type of password). The password should be kept secret from those not allowed access.
The use of passwords is known to be ancient. Sentries would challenge those wishing to enter an area or approaching it to supply a password or watchword. Sentries would only allow a person or group to pass if they knew the password. In modern times, user names and passwords are commonly used by people during a log in process that controls access to protected computer operating systems, mobile phones, cable TV decoders, automated teller machines (ATMs), etc. A typical computer user may require passwords for many purposes: logging in to computer accounts, retrieving e-mail from servers, accessing programs, databases, networks, web sites, and even reading the morning newspaper online.
Despite the name, there is no need for passwords to be actual words; indeed passwords which are not actual words may be harder to guess, a desirable property. Some passwords are formed from multiple words and may more accurately be called a passphrase. The term passcode is sometimes used when the secret information is purely numeric, such as the personal identification number (PIN) commonly used for ATM access. Passwords are generally short enough to be easily memorized and typed.
For the purposes of more compellingly authenticating the identity of one computing device to another, passwords have significant disadvantages (they may be stolen, spoofed, forgotten, etc.) over authentications systems relying on cryptographic protocols, which are more difficult to circumvent.
The easier a password is for the owner to remember generally means it will be easier for an attacker to guess.^[1] Passwords which are difficult to remember will reduce the security of a system because (a) users might need to write down or electronically store the password, (b) users will need frequent password resets and (c) users are more likely to re-use the same password. Similarly, the more stringent requirements for password strength, e.g. "have a mix of uppercase and lowercase letters and digits" or "change it monthly," the greater the degree to which users will subvert the system.^[2]
In The Memorability and Security of Passwords,^[3] Jeff Yan et al. examine the effect of advice given to users about a good choice of password. They found that passwords based on thinking of a phrase and taking the first letter of each word are just as memorable as naively selected passwords, and just as hard to crack as randomly generated passwords. Combining two unrelated words is another good method. Having a personally designed "algorithm" for generating obscure passwords is another good method.
However, asking users to remember a password consisting of a “mix of uppercase and lowercase characters” is similar to asking them to remember a sequence of bits: hard to remember, and only a little bit harder to crack (e.g. only 128 times harder to crack for 7-letter passwords, less if the user simply capitalises the first letter). Asking users to use "both letters and digits" will often lead to easy-to-guess substitutions such as 'E' --> '3' and 'I' --> '1', substitutions which are well known to attackers. Similarly typing the password one keyboard row higher is a common trick known to attackers.
The security of a password-protected system depends on several factors. The overall system must, of course, be designed for sound security, with protection against computer viruses, man-in-the-middle attacks and the like. Physical security issues are also a concern, from deterring shoulder surfing to more sophisticated physical threats such as video cameras and keyboard sniffers. And, of course, passwords should be chosen so that they are hard for an attacker to guess and hard for an attacker to discover using any (and all) of the available automatic attack schemes. See password strength, computer security, and computer insecurity.
Nowadays it is a common practice for computer systems to hide passwords as they are typed. The purpose of this measure is to avoid bystanders reading the password. However, some argue that such practice may lead to mistakes and stress, encouraging users to choose weak passwords. As an alternative, users should have the option to show or hide passwords as they type them.^[4]
Effective access control provisions may force extreme measures on criminals seeking to acquire a password or biometric token.^[5] Less extreme measures include extortion, rubber hose cryptanalysis, and side channel attack.
Here are some specific password management issues that must be considered in thinking about, choosing, and handling, a password.
Some computer systems store user passwords as cleartext, against which to compare user log on attempts. If an attacker gains access to such an internal password store, all passwords—and so all user accounts—will be compromised. If some users employ the same password for accounts on different systems, those will be compromised as well.
More secure systems store each password in a cryptographically protected form, so access to the actual password will still be difficult for a snooper who gains internal access to the system, while validation of user access attempts remains possible.
A common approach stores only a "hashed" form of the plaintext password. When a user types in a password on such a system, the password handling software runs through a cryptographic hash algorithm, and if the hash value generated from the user's entry matches the hash stored in the password database, the user is permitted access. The hash value is created by applying a hash function (for maximum resistance to attack this should be a cryptographic hash function) to a string consisting of the submitted password and, usually, another value known as a salt. The salt prevents attackers from easily building a list of hash values for common passwords. MD5 and SHA1 are frequently used cryptographic hash functions.
A modified version of the DES algorithm was used for this purpose in early Unix systems. The UNIX DES function was iterated to make the hash function equivalent slow, further frustrating automated guessing attacks, and used the password candidate as a key to encrypt a fixed value, thus blocking yet another attack on the password shrouding system. More recent Unix or Unix like systems (e.g., Linux or the various BSD systems) use what most believe to be still more effective protective mechanisms based on MD5, SHA1, Blowfish, Twofish, or any of several other algorithms to prevent or frustrate attacks on stored password files.^[7]
If the hash function is well designed, it will be computationally infeasible to reverse it to directly find a plaintext password. However, many systems do not protect their hashed passwords adequately, and if an attacker can gain access to the hashed values he can use widely available tools which compare the encrypted outcome of every word from some list, such as a dictionary (many are available on the Internet). Large lists of possible passwords in many languages are widely available on the Internet, as are software programs to try common variations. The existence of these dictionary attack tools constrains user password choices which are intended to resist easy attacks; they must not be findable on such lists. Obviously, words on such lists should be avoided as passwords. Use of a key stretching hash such as PBKDF2 is designed to reduce this risk.
A poorly designed hash function can make attacks feasible even if a strong password is chosen. See LM hash for a widely deployed, and insecure, example.^[8]
Passwords are vulnerable to interception (i.e., "snooping") while being transmitted to the authenticating machine or person. If the password is carried as electrical signals on unsecured physical wiring between the user access point and the central system controlling the password database, it is subject to snooping by wiretapping methods. If it is carried as packetized data over the Internet, anyone able to watch the packets containing the logon information can snoop with a very low probability of detection.
Email is sometimes used to distribute passwords. Since most email is sent as cleartext, it is available without effort during transport to any eavesdropper. Further, the email will be stored on at least two computers as cleartext—the sender's and the recipient's. If it passes through intermediate systems during its travels, it will probably be stored on those as well, at least for some time. Attempts to delete an email from all these vulnerabilities may, or may not, succeed; backups or history files or caches on any of several systems may still contain the email. Indeed merely identifying every one of those systems may be difficult. Emailed passwords are generally an insecure method of distribution.
An example of cleartext transmission of passwords is the original Wikipedia website. When you logged into your Wikipedia account, your username and password are sent from your computer's browser through the Internet as cleartext. In principle, anyone could read them in transit and thereafter log into your account as you; Wikipedia's servers have no way of distinguishing such an attacker from you. In practice, an unknowably larger number could do so as well (e.g., employees at your Internet Service Provider, at any of the systems through which the traffic passes, etc.). More recently, Wikipedia has offered a secure login option, which, like many e-commerce sites, uses the SSL / (TLS) cryptographically based protocol to eliminate the cleartext transmission. But, because anyone can gain access to Wikipedia (without logging in at all), and then edit essentially all articles, it can be argued that there is little need to encrypt these transmissions as there's little being protected. Other websites (e.g., banks and financial institutions) have quite different security requirements, and cleartext transmission of anything is clearly insecure in those contexts.
Using client-side encryption will only protect transmission from the mail handling system server to the client machine. Previous or subsequent relays of the email will not be protected and the email will probably be stored on multiple computers, certainly on the originating and receiving computers, most often in cleartext.
The numerous ways in which permanent or semi-permanent passwords can be compromised has prompted the development of other techniques. Unfortunately, some are inadequate in practice, and in any case few have become universally available for users seeking a more secure alternative.^{[citation needed]}

• Single-use passwords. Having passwords which are only valid once makes many potential attacks ineffective. Most users find single use passwords extremely inconvenient. They have, however, been widely implemented in personal online banking, where they are known as Transaction Authentication Numbers (TANs). As most home users only perform a small number of transactions each week, the single use issue has not led to intolerable customer dissatisfaction in this case.
• Time-synchronized one-time passwords are similar in some ways to single-use passwords, but the value to be entered is displayed on a small (generally pocketable) item and changes every minute or so.
• PassWindow one-time passwords are used as single-use passwords, but the dynamic characters to be entered are visible only when a user superimposes a unique printed visual key over a server generated challenge image shown on the user's screen.
• Access controls based on public key cryptography e.g. ssh. The necessary keys are usually too large to memorize (but see proposal Passmaze) and must be stored on a local computer, security token or portable memory device, such as a USB flash drive or even floppy disk.
• Biometric methods promise authentication based on unalterable personal characteristics, but currently (2008) have high error rates and require additional hardware to scan, for example, fingerprints, irises, etc. They have proven easy to spoof in some famous incidents testing commercially available systems, for example, the gummie fingerprint spoof demonstration,^[25] and, because these characteristics are unalterable, they cannot be changed if compromised; this is a highly important consideration in access control as a compromised access token is necessarily insecure.
• Single sign-on technology is claimed to eliminate the need for having multiple passwords. Such schemes do not relieve user and administrators from choosing reasonable single passwords, nor system designers or administrators from ensuring that private access control information passed among systems enabling single sign-on is secure against attack. As yet, no satisfactory standard has been developed.
• Envaulting technology is a password-free way to secure data on e.g. removable storage devices such as USB flash drives. Instead of user passwords, access control is based on the user's access to a network resource.
• Non-text-based passwords, such as graphical passwords or mouse-movement based passwords.^[26] Another system requires users to select a series of faces as a password, utilizing the human brain's ability to recall faces easily.^[27] So far, these are promising, but are not widely used. Studies on this subject have been made to determine its usability in the real world.

• Graphical passwords are an alternative means of authentication for log-in intended to be used in place of conventional password; they use images, graphics or colours instead of letters, digits or special characters. In some implementations the user is required to pick from a series of images in the correct sequence in order to gain access.^[28] While some believe that graphical passwords would be harder to crack, others suggest that people will be just as likely to pick common images or sequences as they are to pick common passwords.^{[citation needed]}
• 2D Key (2-Dimensional Key)^[29] is a 2D matrix-like key input method having the key styles of multiline passphrase, crossword, ASCII/Unicode art, with optional textual semantic noises, to create big password/key beyond 128 bits to realize the MePKC (Memorizable Public-Key Cryptography)^[30] using fully memorizable private key upon the current private key management technologies like encrypted private key, split private key, and roaming private key.
• Cognitive passwords use question and answer cue/response pairs to verify identity.
• Passwords are used on websites to authenticate users and are usually maintained on the Web server, meaning the browser on a remote system sends a password to the server (by HTTP POST), the server checks the password and sends back the relevant content (or an access denied message). This process eliminates the possibility of local reverse engineering as the code used to authenticate the password does not reside on the local machine.
  Transmission of the password, via the browser, in plaintext means it can be intercepted along its journey to the server. Many web authentication systems use SSL to establish an encrypted session between the browser and the server, and is usually the underlying meaning of claims to have a "secure Web site". This is done automatically by the browser and increases integrity of the session, assuming neither end has been compromised and that the SSL/TLS implementations used are high quality ones.
  So-called website password and membership management systems often involve the use of Java or JavaScript code existing on the client side (meaning the visitor's web browser) HTML source code (for example, AuthPro). Drawbacks to such systems are the relative ease in bypassing or circumventing the protection by switching off JavaScript and Meta redirects in the browser, thereby gaining access to the protected web page. Others take advantage of server-side scripting languages such as ASP or PHP to authenticate users on the server before delivering the source code to the browser.
  

  [edit] History of passwords

  Passwords or watchwords have been used since ancient times. Polybius describes the system for distribution watchwords in the Roman military as follows:
  

  The way in which they secure the passing round of the watchword for the night is as follows: from the tenth maniple of each class of infantry and cavalry, the maniple which is encamped at the lower end of the street, a man is chosen who is relieved from guard duty, and he attends every day at sunset at the tent of the tribune, and receiving from him the watchword - that is a wooden tablet with the word inscribed on it - takes his leave, and on returning to his quarters passes on the watchword and tablet before witnesses to the commander of the next maniple, who in turn passes it to the one next him. All do the same until it reaches the first maniples, those encamped near the tents of the tribunes. These latter are obliged to deliver the tablet to the tribunes before dark. So that if all those issued are returned, the tribune knows that the watchword has been given to all the maniples, and has passed through all on its way back to him. If any one of them is missing, he makes inquiry at once, as he knows by the marks from what quarter the tablet has not returned, and whoever is responsible for the stoppage meets with the punishment he merits.^[31]

  Passwords in military use evolved to include not just a password, but a password and a counterpassword; for example in the opening days of the Battle of Normandy, paratroopers of the U.S. 101st Airborne Division used a password - "thunder" - which was presented as a challenge, and answered with the correct response - "flash". The challenge and response were changed periodically. American paratroopers also famously used a device known as a "cricket" on D-Day in place of a password system as a temporarily unique method of identification; one metallic click given by the device in lieu of a password was to be met by two clicks in reply.^[32]
  Passwords have been used with computers since the earliest days of computing. MIT's CTSS, one of the first time sharing systems, was introduced in 1961. It had a LOGIN command that requested a user password. "After typing PASSWORD, the system turns off the printing mechanism, if possible, so that the user may type in his password with privacy."^[33] Robert Morris invented the idea of storing login passwords in a hashed form as part of the Unix operating system. His algorithm, know as crypt(3), used a 12-bit salt and invoked a modified form of the DES algorithm 25 times to reduce the risk of pre-computed dictionary attacks.

International Financial Reporting Standards

International Financial Reporting Standards

International Financial Reporting Standards (IFRS known by the acronym derived from the name in English International Financial Reporting Standards) is a set of accounting standards. Now they are issued by the International Accounting Standards Board (IASB). Many of the standards forming part of IFRS are known by its old name of International Accounting Standards (IAS).
IAS were issued between 1973 and 2001 by the International Accounting Standards Committee (IASC). In April 2001 the IASB adopted all IAS, then continuing their development. The new standards, however, bears the name of IFRS.
Although currently there are no longer issued IAS standards, existing ones are still in force until replaced or amended by issuing new IFRS standards.Content[Hide]

    * Applicability of IFRS 1
          a European Union 1.1
          a 1.2 Convergence with U.S. GAAP
    * IFRS 2 Structure
          a list IFRS 2.1
    * 3 Grades
[Edit] Applicability of IFRS
IFRS are used in many countries around the world including in the Member States of the European Union (EU), Hong Kong, Australia, Russia, South Africa, Singapore and Pakistan. Approximately 100 countries require or allow use of IFRS or convergence policy to them. [1]
For the situation to date, see the list of states that have adopted IFRS IAS Plus website.[Edit] European Union
All EU listed companies are currently required to prepare consolidated financial statements in accordance with IFRS.
To be approved for use in the EU, standards must be approved by the Accounting Regulatory Committee (ARC), composed of representatives of member governments and is advised by an expert group called the European Financial Reporting Advisory Group (EFRAG ).
Two sections of IAS 39 Financial Instruments: Recognition and evaluation have not been approved by the ARC and in this respect, applied IFRS in the EU are different from those issued by the IASB. Currently, the IASB cooperates with the EU to find an acceptable way to address this anomaly.
As IFRS are now part of European legislation, approved standards and all amendments thereto subsequently agreed to be published in the Official Journal of the European Union. On October 13, 2003, the first publication of the standards has been included in PB L 261. Amendments to IAS and IFRS standards published in the past can be monitored using the website of the European Union's Internal Market Directorate on implementation of IAS in the European Union.[Edit] Convergence with U.S. GAAP
In a meeting held in 2002 in Norwalk, Connecticut, the IASB and the Financial Accounting Standards Board in the United States of America (FASB) have agreed to harmonize their agendas and work together to reduce differences between IFRS and U.S. Generally Accepted Accounting Principles (U.S. GAAP). In February 2006, the FASB and IASB have signed a Memorandum of Understanding which contains a schedule of matters to which the two organizations intend to achieve convergence by 2008.
Securities and Exchanges Commission in the U.S. (SEC) currently requires all foreign companies listed on U.S. exchanges to prepare financial statements either in accordance with U.S. GAAP or in accordance with their local accounting standards, accompanied by a note to reconcile standards local U.S. GAAP. This requirement creates significant costs for listed companies while the U.S. and other countries. The SEC has proposed to amend this rule to eliminate the obligation to make a reconciliation to U.S. GAAP for foreign companies that prepare their financial statements in accordance with IFRS, in principle since 2009. [2] Companies based in the U.S. will still be required to report in accordance with U.S. GAAP.[Edit] Structure IFRS
IFRS are considered to be a set of standards "based on principles", as laid down general rules, but require specific accounting and certain treatments.
International Financial Reporting Standards include:

    * International Financial Reporting Standards (IFRS) - standards issued after 2001
    * International Accounting Standards (IAS) - standards issued before 2001
    * Interpretations of the International Committee on Financial Reporting Interpretations Committee (IFRIC) - issued after 2001
    * Interpretations of the Standing Interpretations Committee (SIC) - issued before 2001
There is also a General Framework for the Preparation and Presentation of Financial Statements, which describes some of the principles underlying IFRS.[Edit] List IFRS
The following standards are currently in force:

    * IFRS 1 First-time Adoption of International Financial Reporting Standards
    * IFRS 2 Share-based Payment
    * IFRS 3 Business Combinations
    * IFRS 4 Insurance Contracts
    * IFRS 5 Non-current Assets Held for Sale and Discontinued Operations
    * IFRS 6 Exploration for and Evaluation of Mineral Resources
    * IFRS 7 Financial Instruments: Disclosures
    * IFRS 8 Operating Segments

    * IAS 1 Presentation of Financial Statements
    * IAS 2: Inventories
    * IAS 7: Cash flow statement
    * IAS 8 Accounting Policies, Changes in Accounting Estimates and Errors
    * IAS 10 Events after the Reporting Period
    * IAS 11: Construction Contracts
    * IAS 12: Income Taxes
    * IAS 16: Property, plant and equipment
    * IAS 17: Leases
    * IAS 18: Revenue
    * IAS 19: Employee Benefits
    * IAS 20: Accounting for Government Grants and Disclosure of Government Assistance
    * IAS 21 The Effects of Changes in Foreign Exchange Rates
    * IAS 23: Borrowing Costs
    * IAS 24: Related Party Disclosures
    * IAS 26: Accounting and Reporting by Retirement Benefit Plans
    * IAS 27: Consolidated and Separate Financial Statements
    * IAS 28: Investments in Associates
    * IAS 29: Financial reporting in hyperinflationary economies
    * IAS 31: Interests in Joint Ventures
    * IAS 32: Financial Instruments: Presentation
    * IAS 33: Earnings per share
    * IAS 34: Interim Financial Reporting
    * IAS 36 Impairment of Assets
    * IAS 37: Provisions, Contingent Liabilities and Contingent Assets
    * IAS 38: Intangible Assets
    * IAS 39: Financial Instruments: Recognition and Measurement
    * IAS 40 Investment Property
    * IAS 41: Agriculture

Trojans

| SubSeven | = One of the most famous Trojans. This program almost completely controls the victims computer. Among the additional facilities of an IP scanner and found a book where you can keep victims IPs.
This program runs on the following operating systems: Win9x/Me/NT/2000/XP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
| Undetected | = undetected is a trojan that became known as the most comprehensive program of its kind available on a large scale.
This program runs on the following operating systems: Win9x/Me/NT/2000/XP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
| Infector | = This Trojan provides access to multiple operations such as upload / download, show / hide image, desktop preview, shut down / log off / reboot / power off, open the browser, open / close cd rom, webcam and TV view card etc.
This program runs on the following operating systems: Win9x/Me/NT/2000/XP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
| Bionet | = Bionet trojan is believed to be unique pioneering the convenience. It is far superior to other programs such as source code or writing from scratch is that there is no similarity with other programs. One of the most important features is the method of compressing files that can be downloaded from the victim's computer, thanks to higher compression algorithm that is up to 98% more effective.
This program runs on the following operating systems: Win9x/Me/NT/2000/XP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~
| Asylum | = Trojan Another useful due to its friendly interface.
This program runs on the following operating systems: Win9x/Me/NT/2000/XP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~

Protection

There is only one proven method that can be used against a virus, never start a program that was not already on your computer and never use someone else's CD. Unfortunately this practice is still so, these things go used are:
¤ Backups - made frequent backups of files on your hard drive. Remember that at one time you could lose the entire hard drive contents. Have you made backups of all your important files? Things like passwords and phone numbers from an electronic book are the most difficult to recover. So be prepared for the worst.
¤ Rescue Disk - many programs such as Norton Utilities and TBAV and will allow you to create a "rescue disk" which is actually a floppy disk that you can boot in an emergency. This disk will contain a copy of important system information such as partition table, Master Boot Table (MBR), CMOS settings, and other important information.
Also on this disk, you should store tools that can be used in identifying, cleaning and removing viruses from harddisk. This disk should be write-protected, and updated each time you change the system.
¤ Anti-Virus Software - There are many anti-virus programs available on the electronic market. Generally the best but there are shareware and some freeware. But be careful what software to use in fighting viruses as some are not very effective.
¤ Information - Try to get some information about how the virus works, find out what new ones have appeared and how you can defend them. Most computer users ignore information on how to drive a virus. Reading this article you've just made a big step in protecting your computer from virus attack.

O OCC BULLETIN

Comptroller of the Currency

Administrator of National Banks

Subject:

Banking Environment

Authentication in an InternetDescription: Interagency Guidance

TO:

Technology Service Providers, Department and Division Heads, and All Examining

Personnel

The Federal Financial Institutions Examination Council (FFIEC) has issued the attached

guidance, “Authentication in an Internet Banking Environment.” This updated interagency

guidance, which replaces the FFIEC’s

Chief Executive Officers of All National Banks, Federal Branches and Agencies,Authentication in an Electronic Banking Environment,

issued in 2001, specifically addresses the need for risk-based assessment, customer awareness,

and security measures to authenticate customers using a financial institution’s Internet-based

services.

This guidance applies to both retail and commercial customers and does not endorse any

particular technology. National banks should use this guidance when evaluating and

implementing authentication systems and practices whether they are provided internally or by a

technology service provider. Although this guidance is focused on the risks and risk

management techniques associated with the Internet delivery channel, the principles are

applicable to all forms of electronic banking activities.

Consistent with the

Security Booklet December 2002, financial institutions should periodically:

FFIEC Information Technology Examination Handbook, Information

•

– Identifies and assesses the risks associated with Internet-based products and services;

– Identifies risk mitigation actions, including appropriate authentication strength; and

– Measures and evaluates customer awareness efforts;

Ensure that their information security program:

•

technology, the sensitivity of their customer information, and internal or external threats to

information; and

Adjust, as appropriate, their information security program in light of any relevant changes in

•

Examiners should begin to assess national banks’ progress in meeting the expectations outlined

in the guidance and, thereafter, monitor ongoing conformance as needed during the risk-based

supervisory process. Banks are expected to have achieved conformance with the guidance by

year-end 2006.

For questions concerning the guidance, contact Bank Information Technology at (202) 874-4740.

__________________________________________

Mark L. O’Dell

Deputy Comptroller for Operational Risk

Attachment: Authentication Guidance

[http://www.ffiec.gov/pdf/authentication_guidance.pdf]

FFIEC Press Release

[http://www.ffiec.gov/press/pr101205.htm]

Implement appropriate risk mitigation strategies.

Date:

October 12, 2005 Page 2 of 2

Federal Financial Institutions Examination Council

3501 Fairfax Drive

• Room 3086 • Arlington, VA 22226-3550 • (703) 516-5588 • FAX (703) 516-5487 • http://www.ffiec.gov

Authentication in an Internet Banking Environment

Purpose

On August 8, 2001, the FFIEC agencies

an Electronic Banking Environment

management controls necessary to authenticate the identity of retail and commercial customers

accessing Internet-based financial services. Since 2001, there have been significant legal and

technological changes with respect to the protection of customer information;

incidents of fraud, including identity theft; and the introduction of improved authentication

technologies. This updated guidance replaces the 2001 Guidance and specifically addresses

why financial institutions regulated by the agencies should conduct risk-based assessments,

evaluate customer awareness programs, and develop security measures to reliably authenticate

customers remotely accessing their Internet-based financial services.

This guidance applies to both retail and commercial customers and does not endorse any

particular technology. Financial institutions should use this guidance when evaluating and

implementing authentication systems and practices whether they are provided internally or by

a service provider. Although this guidance is focused on the risks and risk management

techniques associated with the Internet delivery channel, the principles are applicable to all

forms of electronic banking activities.

1 (agencies) issued guidance entitled Authentication in(2001 Guidance). The 2001 Guidance focused on risk2 increasing

Summary of Key Points

The agencies consider single-factor authentication, as the only control mechanism, to be

inadequate for high-risk transactions involving access to customer information or the

movement of funds to other parties. Financial institutions offering Internet-based products and

services to their customers should use effective methods to authenticate the identity of

customers using those products and services. The authentication techniques employed by the

financial institution should be appropriate to the risks associated with those products and

services. Account fraud and identity theft are frequently the result of single-factor (e.g.,

ID/password) authentication exploitation. Where risk assessments indicate that the use of

1

Union Administration, Office of the Comptroller of the Currency, and Office of Thrift Supervision.

Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit

2

Interagency Guidelines Establishing Information Security Standards at section I.C.2. 12 CFR Part 30, app. B

(OCC); 12 CFR Part 208, app. D-2 and Part 225, app. F (FRB); 12 CFR Part 364, app. B (FDIC); 12 CFR Part

570, app. B (OTS); and 12 CFR Part 748, app. A (NCUA).

Customer information means any record containing nonpublic personal information as defined in the

2

single-factor authentication is inadequate, financial institutions should implement multifactor

authentication, layered security, or other controls reasonably calculated to mitigate those risks.

Consistent with the

Security Booklet, December 2002, financial institutions should periodically:

FFIEC Information Technology Examination Handbook, Information

•

– Identifies and assesses the risks associated with Internet-based products and services,

– Identifies risk mitigation actions, including appropriate authentication strength, and

– Measures and evaluates customer awareness efforts;

Ensure that their information security program:

•

in technology, the sensitivity of its customer information, and internal or external threats

to information; and

Adjust, as appropriate, their information security program in light of any relevant changes

•

Implement appropriate risk mitigation strategies.

Background

Financial institutions engaging in any form of Internet banking should have effective and

reliable methods to authenticate customers. An effective authentication system is necessary for

compliance with requirements to safeguard customer information,

laundering and terrorist financing,

legal enforceability of their electronic agreements and transactions. The risks of doing business

with unauthorized or incorrectly identified persons in an Internet banking environment can

result in financial loss and reputation damage through fraud, disclosure of customer

information, corruption of data, or unenforceable agreements.

There are a variety of technologies and methodologies financial institutions can use to

authenticate customers. These methods include the use of customer passwords, personal

identification numbers (PINs), digital certificates using a public key infrastructure (PKI),

physical devices such as smart cards, one-time passwords (OTPs), USB plug-ins or other types

of “tokens”, transaction profile scripts, biometric identification, and others. (The appendix to

this guidance contains a more detailed discussion of authentication techniques.) The level of

risk protection afforded by each of these techniques varies. The selection and use of

authentication technologies and methods should depend upon the results of the financial

institution’s risk assessment process.

3 to prevent money4 to reduce fraud, to inhibit identity theft, and to promote the

3

Gramm–Leach–Bliley Act, 15 USC 6801, require banks and savings associations to safeguard the information of

persons who obtain or have obtained a financial product or service to be used primarily for personal, family or

household purposes, with whom the institution has a continuing relationship. Credit unions are subject to a

similar rule.

The Interagency Guidelines Establishing Information Security Standards that implement section 501(b) of the

4

associations and credit unions to verify the identity of customers opening new accounts. See 31 CFR 103.121; 12

CFR 21.21 (OCC); 12 CFR 563.177 (OTS); 12 CFR 326.8 (FDIC); 12 CFR 208.63 (state member banks), 12

CFR 211.5(m) (Edge or agreement corporation or any branch or subsidiary thereof), 12 CFR 211.24(j) (uninsured

branch, an agency, or a representative office of a foreign financial institution operating in the United States

(FRB); and 12 CFR Part 748.2 (NCUA).

The regulations implementing section 326 of the USA PATRIOT Act, 31 USC § 5318(l), require banks, savings

3

Existing authentication methodologies involve three basic “factors”:

•

Something the user knows (e.g., password, PIN);

•

Something the user has (e.g., ATM card, smart card); and

•

Authentication methods that depend on more than one factor are more difficult to compromise

than single-factor methods. Accordingly, properly designed and implemented multifactor

authentication methods are more reliable and stronger fraud deterrents. For example, the use

of a logon ID/password is single-factor authentication (i.e., something the user knows);

whereas, an ATM transaction requires multifactor authentication: something the user possesses

(i.e., the card) combined with something the user knows (i.e., PIN). A multifactor

authentication methodology may also include “out–of–band”

The success of a particular authentication method depends on more than the technology. It

also depends on appropriate policies, procedures, and controls. An effective authentication

method should have customer acceptance, reliable performance, scalability to accommodate

growth, and interoperability with existing systems and future plans.

Something the user is (e.g., biometric characteristic, such as a fingerprint).5 controls for risk mitigation.

Risk Assessment

The implementation of appropriate authentication methodologies should start with an

assessment of the risk posed by the institution’s Internet banking systems. The risk should be

evaluated in light of the type of customer (e.g., retail or commercial); the customer

transactional capabilities (e.g., bill payment, wire transfer, loan origination); the sensitivity of

customer information being communicated to both the institution and the customer; the ease of

using the communication method; and the volume of transactions. Prior agency guidance has

elaborated on this risk-based and “layered” approach to information security.

6

An effective authentication program should be implemented to ensure that controls and

authentication tools are appropriate for all of the financial institution’s Internet-based products

and services. Authentication processes should be designed to maximize interoperability and

should be consistent with the financial institution’s overall strategy for Internet banking and

electronic commerce customer services. The level of authentication used by a financial

institution in a particular application should be appropriate to the level of risk in that

application.

A comprehensive approach to authentication requires development of, and adherence to, the

institution’s information security standards, integration of authentication processes within the

5

transaction. Callback (voice) verification, e-mail approval or notification, and cell–phone based challenge/

response processes are some examples.

Out–of–band generally refers to additional steps or actions taken beyond the technology boundaries of a typical

6

Information Technology Examination Handbook,

FFIEC Information Technology Examination Handbook, Information Security Booklet, December 2002; FFIECE-Banking Booklet, August 2003.

4

overall information security framework, risk assessments within lines of businesses supporting

selection of authentication tools, and central authority for oversight and risk monitoring. This

authentication process should be consistent with and support the financial institution’s overall

security and risk management programs.

The method of authentication used in a specific Internet application should be appropriate and

reasonable, from a business perspective, in light of the reasonably foreseeable risks in that

application. Because the standards for implementing a commercially reasonable system may

change over time as technology and other procedures develop, financial institutions and

technology service providers should develop an ongoing process to review authentication

technology and ensure appropriate changes are implemented.

The agencies consider single-factor authentication, as the only control mechanism, to be

inadequate for high-risk transactions involving access to customer information or the

movement of funds to other parties. Single-factor authentication tools, including passwords

and PINs, have been widely used for a variety of Internet banking and electronic commerce

activities, including account inquiry, bill payment, and account aggregation. However,

financial institutions should assess the adequacy of such authentication techniques in light of

new or changing risks such as phishing, pharming,

of compromise techniques. Where risk assessments indicate that the use of single-factor

authentication is inadequate, financial institutions should implement multifactor authentication,

layered security, or other controls reasonably calculated to mitigate those risks.

The risk assessment process should:

7 malware,8 and the evolving sophistication

•

products and services;

Identify all transactions and levels of access associated with Internet-based customer

•

employed for each transaction type and level of access; and

Identify and assess the risk mitigation techniques, including authentication methodologies,

•

changing risk factors for each transaction type and level of access.

Include the ability to gauge the effectiveness of risk mitigation techniques for current and

Account Origination and Customer Verification

With the growth in electronic banking and commerce, financial institutions should use reliable

methods of originating new customer accounts online. Moreover, customer identity

verification during account origination is required by section 326 of the USA PATRIOT Act

and is important in reducing the risk of identity theft, fraudulent account applications, and

unenforceable account agreements or transactions. Potentially significant risks arise when a

financial institution accepts new customers through the Internet or other electronic channels

7

Web sites where their information is captured, usually from a legitimate–looking form.

Similar in nature to e-mail phishing, pharming seeks to obtain personal information by directing users to spoofed

8

passwords, account numbers, and PINs.

Short for malicious software, such as software designed to capture and forward private information such as ID’s,

5

because of the absence of the physical cues that financial institutions traditionally use to

identify persons.

One method to verify a customer’s identity is a physical presentation of a proof of identity

credential such as a driver's license. Similarly, to establish the validity of a business and the

authority of persons to perform transactions on its behalf, financial institutions typically review

articles of incorporation, business credit reports, board resolutions identifying officers and

authorized signers, and other business credentials. However, in an Internet banking

environment, reliance on these traditional forms of paper-based verification decreases

substantially. Accordingly, financial institutions need to use reliable alternative methods.

(The appendix to this guidance describes verification processes in more detail.)

Monitoring and Reporting

Monitoring systems can determine if unauthorized access to computer systems and customer

accounts has occurred. A sound authentication system should include audit features that can

assist in the detection of fraud, money laundering, compromised passwords, or other

unauthorized activities. The activation and maintenance of audit logs can help institutions to

identify unauthorized activities, detect intrusions, reconstruct events, and promote employee

and user accountability. In addition, financial institutions should report suspicious activities to

appropriate regulatory and law enforcement agencies as required by the Bank Secrecy Act.

9

Financial institutions should rely on multiple layers of control to prevent fraud and safeguard

customer information. Much of this control is not based directly upon authentication. For

example, a financial institution can analyze the activities of its customers to identify suspicious

patterns. Financial institutions also can rely on other control methods, such as establishing

transaction dollar limits that require manual intervention to exceed a preset limit.

Adequate reporting mechanisms are needed to promptly inform security administrators when

users are no longer authorized to access a particular system and to permit the timely removal or

suspension of user account access. Furthermore, if critical systems or processes are outsourced

to third parties, management should ensure that the appropriate logging and monitoring

procedures are in place and that suspected unauthorized activities are communicated to the

institution in a timely manner. An independent party (e.g., internal or external auditor) should

review activity reports documenting the security administrators’ actions to provide the

necessary checks and balances for managing system security.

Customer Awareness

Financial institutions have made, and should continue to make, efforts to educate their

customers. Because customer awareness is a key defense against fraud and identity theft,

9

member banks]; 12 CFR 211.5 (k) [edge or agreement corporation, or any branch or subsidiary thereof]; 12 CFR

211.24 (f) [uninsured branch, an agency, or a representative office of a foreign financial institution operating in

the United States]; 12 CFR 225.4 (f) [bank holding company or any non bank subsidiary thereof] (FRB); and 12

CFR Part 748.1 and Part 748.2 (NCUA).

31 USC 5318; 12 CFR 21.11 (OCC); 12 CFR 563.180 (OTS); 12 CFR 353 (FDIC); 12 CFR 208.62 [state

6

financial institutions should evaluate their consumer education efforts to determine if

additional steps are necessary. Management should implement a customer awareness program

and periodically evaluate its effectiveness. Methods to evaluate a program’s effectiveness

include tracking the number of customers who report fraudulent attempts to obtain their

authentication credentials (e.g., ID/password), the number of clicks on information security

links on Web sites, the number of statement stuffers or other direct mail communications, the

dollar amount of losses relating to identity theft, etc.

Conclusion

Financial institutions offering Internet-based products and services should have reliable and

secure methods to authenticate their customers. The level of authentication used by the

financial institution should be appropriate to the risks associated with those products and

services. Financial institutions should conduct a risk assessment to identify the types and

levels of risk associated with their Internet banking applications. Where risk assessments

indicate that the use of single-factor authentication is inadequate, financial institutions should

implement multifactor authentication, layered security, or other controls reasonably calculated

to mitigate those risks. The agencies consider single-factor authentication, as the only control

mechanism, to be inadequate in the case of high-risk transactions involving access to customer

information or the movement of funds to other parties.

7

Appendix

10

Background

The term

identity of a person or entity. Within the realm of electronic banking systems, the

authentication process is one method used to control access to customer accounts and personal

information. Authentication is typically dependent upon customers providing valid

identification data followed by one or more authentication credentials (factors) to prove their

identity.

Customer identifiers may be a bankcard for ATM usage, or some form of user ID for remote

access. An authentication factor (e.g. PIN or password) is secret or unique information linked

to a specific customer identifier that is used to verify that identity.

Generally, the way to authenticate customers is to have them present some sort of factor to

prove their identity. Authentication factors include one or more of the following:

authentication, as used in this guidance, describes the process of verifying the

•

correct password or PIN, access is granted.

Something a person knows—commonly a password or PIN. If the user types in the

•

Tokens include self-contained devices that must be physically connected to a

computer or devices that have a small screen where a one-time password (OTP) is

displayed, which the user must enter to be authenticated.

Something a person has—most commonly a physical device referred to as a token.

•

voice pattern, hand geometry, or the pattern of veins in the user’s eye. This type of

authentication is referred to as “biometrics” and often requires the installation of specific

hardware on the system to be accessed.

Authentication methodologies are numerous and range from simple to complex. The level of

security provided varies based upon both the technique used and the manner in which it is

deployed. Single-factor authentication involves the use of one factor to verify customer

identity. The most common single-factor method is the use of a password. Two-factor

authentication is most widely used with ATMs. To withdraw money from an ATM, the

customer must present both an ATM card (

(

customer identity. Authentication methodologies based upon multiple factors can be more

difficult to compromise and should be considered for high-risk situations. The effectiveness of

a particular authentication technique is dependent upon the integrity of the selected product or

process and the manner in which it is implemented and managed.

Something a person is—most commonly a physical characteristic, such as a fingerprint,something the person has) and a password or PINsomething the person knows). Multifactor authentication utilizes two or more factors to verify

10

(December 14, 2004) and the FDIC Study Supplement (June 17, 2005).

This Appendix is based upon the FDIC Study – “Putting an End to Account-Hijacking Identity Theft”

8

Authentication Techniques, Processes, and Methodologies

Material provided in the following sections is for informational purposes only. The selection

and use of any technique should be based upon the assessed risk associated with a particular

electronic banking product or service.

Shared Secrets

Shared secrets (

by both the customer and the authenticating entity. Passwords and PINs are the best known

shared secret techniques but some new and different types are now being used as well. Some

additional examples are:

something a person knows) are information elements that are known or shared

•

amount of the customer’s monthly mortgage payment.

Questions or queries that require specific customer knowledge to answer, e.g., the exact

•

The customer’s selection of a shared secret normally occurs during the initial enrollment

process or via an offline ancillary process. Passwords or PIN values can be chosen, questions

can be chosen and responses provided, and images may be uploaded or selected.

The security of shared secret processes can be enhanced with the requirement for periodic

change. Shared secrets that never change are described as “static” and the risk of compromise

increases over time. The use of multiple shared secrets also provides increased security

because more than one secret must be known to authenticate.

Shared secrets can also be used to authenticate the institution’s Web site to the customer. This

is discussed in the Mutual Authentication section.

Customer-selected images that must be identified or selected from a pool of images.

Tokens

Tokens are physical devices (

authentication scheme. Three types of tokens are discussed here: the USB token device, the

smart card, and the password-generating token.

USB Token Device

The USB token device is typically the size of a house key. It plugs directly into a computer’s

USB port and therefore does not require the installation of any special hardware on the user’s

computer. Once the USB token is recognized, the customer is prompted to enter his or her

password (the second authenticating factor) in order to gain access to the computer system.

USB tokens are one-piece, injection-molded devices. USB tokens are hard to duplicate and are

tamper resistant; thus, they are a relatively secure vehicle for storing sensitive data and

credentials. The device has the ability to store digital certificates that can be used in a public

key infrastructure (PKI) environment.

something the person has) and may be part of a multifactor

9

The USB token is generally considered to be user-friendly. Its small size makes it easy for the

user to carry and, as noted above, it plugs into an existing USB port; thus the need for

additional hardware is eliminated.

Smart Card

A smart card is the size of a credit card and contains a microprocessor that enables it to store

and process data. Inclusion of the microprocessor enables software developers to use more

robust authentication schemes. To be used, a smart card must be inserted into a compatible

reader attached to the customer’s computer. If the smart card is recognized as valid (first

factor), the customer is prompted to enter his or her password (second factor) to complete the

authentication process.

Smart cards are hard to duplicate and are tamper resistant; thus, they are a relatively secure

vehicle for storing sensitive data and credentials. Smart cards are easy to carry and easy to use.

Their primary disadvantage as a consumer authentication device is that they require the

installation of a hardware reader and associated software drivers on the consumer’s home

computer.

Password-Generating Token

A password-generating token produces a unique pass-code, also known as a one-time password

each time it is used. The token ensures that the same OTP is not used consecutively. The OTP

is displayed on a small screen on the token. The customer first enters his or her user name and

regular password (first factor), followed by the OTP generated by the token (second factor).

The customer is authenticated if (1) the regular password matches and (2) the OTP generated

by the token matches the password on the authentication server. A new OTP is typically

generated every 60 seconds—in some systems, every 30 seconds. This very brief period is the

life span of that password. OTP tokens generally last 4 to 5 years before they need to be

replaced.

Password-generating tokens are secure because of the time-sensitive, synchronized nature of

the authentication. The randomness, unpredictability, and uniqueness of the OTPs

substantially increase the difficulty of a cyber thief capturing and using OTPs gained from

keyboard logging.

Biometrics

Biometric technologies identify or authenticate the identity of a living person on the basis of a

physiological or physical characteristic (

include fingerprints, iris configuration, and facial structure. Physical characteristics include,

for example, the rate and flow of movements, such as the pattern of data entry on a computer

keyboard. The process of introducing people into a biometrics-based system is called

“enrollment.” In enrollment, samples of data are taken from one or more physiological or

physical characteristics; the samples are converted into a mathematical model, or template; and

the template is registered into a database on which a software application can perform analysis.

something a person is). Physiological characteristics

10

Once enrolled, customers interact with the live-scan process of the biometrics technology. The

live scan is used to identify and authenticate the customer. The results of a live scan, such as a

fingerprint, are compared with the registered templates stored in the system. If there is a

match, the customer is authenticated and granted access.

Biometric identifiers are most commonly used as part of a multifactor authentication system,

combined with a password (

Various biometric techniques and identifiers are being developed and tested, these include:

something a person knows) or a token (something a person has).

•

fingerprint recognition;

•

face recognition;

•

voice recognition;

•

keystroke recognition;

•

handwriting recognition;

•

finger and hand geometry;

•

retinal scan; and

•

Two biometric techniques that are increasingly gaining acceptance are fingerprint recognition

and face recognition.

Fingerprint Recognition

Fingerprint recognition technologies analyze global pattern schemata on the fingerprint, along

with small unique marks known as minutiae, which are the ridge endings and bifurcations or

branches in the fingerprint ridges. The data extracted from fingerprints are extremely dense

and the density explains why fingerprints are a very reliable means of identification.

Fingerprint recognition systems store only data describing the exact fingerprint minutiae;

images of actual fingerprints are not retained. Fingerprint scanners may be built into computer

keyboards or pointing devices (mice), or may be stand-alone scanning devices attached to a

computer.

Fingerprints are unique and complex enough to provide a robust template for authentication.

Using multiple fingerprints from the same individual affords a greater degree of accuracy.

Fingerprint identification technologies are among the most mature and accurate of the various

biometric methods of identification.

iris scan.11

Although end users should have little trouble using a fingerprint-scanning device, special

hardware and software must be installed on the user’s computer. Fingerprint recognition

implementation will vary according to the vendor and the degree of sophistication required.

This technology is not portable since a scanning device needs to be installed on each

participating user’s computer. However, fingerprint biometrics is generally considered easier

11

technologies to authenticate ATM users, are eliminating the need for an ATM card and the expense of replacing

lost or stolen cards.

Currently, some financial institutions, domestic and foreign, that use fingerprint recognition and other biometric

11

to install and use than other, more complex technologies, such as iris scanning. Enrollment can

be performed either at the financial institution’s customer service center or remotely by the

customer after he or she has received setup instructions and passwords. According to

fingerprint technology vendors, there are several scenarios for remote enrollment that provide

adequate security, but for large-dollar transaction accounts, the institution should consider

requiring that customers appear in person.

Face Recognition

Most face recognition systems focus on specific features on the face and make a twodimensional

map of the face. Newer systems make three-dimensional maps. The systems

capture facial images from video cameras and generate templates that are stored and used for

comparisons. Face recognition is a fairly young technology compared with other biometrics

like fingerprints.

Facial scans are only as good as the environment in which they are collected. The so-called

“mug shot” environment is ideal. The best scans are produced under controlled conditions

with proper lighting and proper placement of the video device. As part of a highly sensitive

security environment, there may be several cameras collecting image data from different

angles, producing a more exact scan. Certain facial scanning applications also include tests for

liveness, such as blinking eyes. Testing for liveness reduces the chance that the person

requesting access is using a photograph of an authorized individual.

Non-Hardware-Based One-Time-Password Scratch Card

Scratch cards (

generating tokens discussed previously. The card, similar to a bingo card or map location

look-up, usually contains numbers and letters arranged in a row-and-column format, i.e., a

grid. The size of the card determines the number of cells in the grid.

Used in a multifactor authentication process, the customer first enters his or her user name and

password in the established manner. Assuming the information is input correctly, the customer

will then be asked to input, as a second authentication factor, the characters contained in a

randomly chosen cell in the grid. The customer will respond by typing in the data contained in

the grid cell element that corresponds to the challenge coordinates.

Conventional OTP hardware tokens rely on electronics that can fail through physical abuse or

defects, but placing the grid on a wallet-sized plastic card makes it durable and easy to carry.

This type of authentication requires no training and, if the card is lost, replacement is relatively

easy and inexpensive.

something a person has) are less-expensive, “low-tech” versions of the OTP

Out-of-Band Authentication

Out-of-band authentication includes any technique that allows the identity of the individual

originating a transaction to be verified through a channel different from the one the customer is

using to initiate the transaction. This type of layered authentication has been used in the

commercial banking/brokerage business for many years. For example, funds transfer requests,

12

purchase authorizations, or other monetary transactions are sent to the financial institution by

the customer either by telephone or by fax. After the institution receives the request, a

telephone call is usually made to another party within the company (if a business-generated

transaction) or back to the originating individual. The telephoned party is asked for a

predetermined word, phrase, or number that verifies that the transaction was legitimate and

confirms the dollar amount. This layering approach precludes unauthorized transactions and

identifies dollar amount errors, such as when a $1,000.00 order was intended but the decimal

point was misplaced and the amount came back as $100,000.00.

In today’s environment, the methods of origination and authentication are more varied. For

example, when a customer initiates an online transaction, a computer or network-based server

can generate a telephone call, an e-mail, or a text message. When the proper response (a

verbal confirmation or an accepted-transaction affirmation) is received, the transaction is

consummated.

Internet Protocol Address (IPA) Location and Geo-Location

One technique to filter an online transaction is to know who is assigned to the requesting

Internet Protocol Address. Each computer on the Internet has an IPA, which is assigned either

by an Internet Service Provider or as part of the user’s network. If all users were issued a

unique IPA that was constantly maintained on an official register, authentication by IPA would

simply be a matter of collecting IPAs and cross-referencing them to their owners. However,

IPAs are not owned, may change frequently, and in some cases can be “spoofed.”

Additionally, there is no single source for associating an IPA with its current owner, and in

some cases matching the two may be impossible.

Some vendors have begun offering software products that identify several data elements,

including location, anonymous proxies, domain name, and other identifying attributes referred

to as “IP Intelligence.” The software analyzes this information in a real-time environment and

checks it against multiple data sources and profiles to prevent unauthorized access. If the

user’s IPA and the profiled characteristics of past sessions match information stored for

identification purposes, the user is authenticated. In some instances the software will detect

out-of-character details of the access attempt and quickly conclude that the user should not be

authenticated.

Geo-location technology is another technique to limit Internet users by determining where they

are or, conversely, where they are not. Geo-location software inspects and analyzes the small

bits of time required for Internet communications to move through the network. These

electronic travel times are converted into cyberspace distances. After these cyberspace

distances have been determined for a user, they are compared with cyberspace distances for

known locations. If the comparison is considered reasonable, the user's location can be

authenticated. If the distance is considered unreasonable or for some reason is not calculable,

the user will not be authenticated.

IPA verification or geo-location may prove beneficial as one factor in a multifactor

authentication strategy. However, since geo-location software currently produces usable

13

results only for land-based or wired communications, it may not be suitable for some wireless

networks that can also access the Internet such as cellular/digital telephones.

Mutual Authentication

Mutual authentication is a process whereby customer identity is authenticated and the target

Web site is authenticated to the customer. Currently, most financial institutions do not

authenticate their Web sites to the customer before collecting sensitive information. One

reason phishing attacks are successful is that unsuspecting customers cannot determine they

are being directed to spoofed Web sites during the collection stage of an attack. The spoofed

sites are so well constructed that casual users cannot tell they are not legitimate. Financial

institutions can aid customers in differentiating legitimate sites from spoofed sites by

authenticating their Web site to the customer.

Techniques for authenticating a Web site are varied. The use of digital certificates coupled

with encrypted communications (e.g. Secure Socket Layer, or SSL) is one; the use of shared

secrets such as digital images is another. Digital certificate authentication is generally

considered one of the stronger authentication technologies, and mutual authentication provides

a defense against phishing and similar attacks.

Customer Verification Techniques

Customer verification is a related but separate process from that of authentication. Customer

verification complements the authentication process and should occur during account

origination. Verification of personal information may be achieved in three ways:

•

information available from trusted third party sources. More specifically, a financial

institution can verify a potential customer's identity by comparing the applicant's answers

to a series of detailed questions against information in a trusted database (e.g., a reliable

credit report) to see if the information supplied by the applicant matches information in the

database. As the questions become more specific and detailed, correct answers provide

the financial institution with an increasing level of confidence that the applicant is who

they say they are.

Positive verification to ensure that material information provided by an applicant matches

•

telephone area code, ZIP code, and street address match).

Logical verification to ensure that information provided is logically consistent (e.g., do the

•

associated with fraudulent activity. For example, applicant information can be compared

against fraud databases to determine whether any of the information is associated with

known incidents of fraudulent behavior. In the case of commercial customers, however,

the sole reliance on online electronic database comparison techniques is not adequate since

certain documents (e.g., bylaws) needed to establish an individual's right to act on a

company's behalf are not available from databases. Institutions still must rely on

traditional forms of personal identification and document validation combined with

electronic verification tools.

Negative verification to ensure that information provided has not previously been

14

Another authentication method consists of the financial institution relying on a third party to

verify the identity of the applicant. The third party would issue the applicant an electronic

credential, such as a digital certificate, that can be used by the applicant to prove his/her

identity. The financial institution is responsible for ensuring that the third party uses the same

level of authentication that the financial institution would use itself.

Press Releases

Federal Financial Institutions Examination Council

Press Release

For Immediate Release

October 12, 2005

FFIEC Releases Guidance on Authentication in Internet Banking Environment

The Federal Financial Institutions Examination Council (FFIEC) today released updated guidance on the

risks and risk management controls necessary to authenticate the identity of customers accessing Internetbased

financial services. The guidance,

reflect the many significant legal and technological changes with respect to the protection of customer

information, increasing incidents of identity theft and fraud, and the introduction of improved authentication

technologies and other risk mitigation strategies.

The continued growth of Internet banking and other forms of electronic banking activities and the increased

sophistication of threats to those environments have resulted in higher risks for financial institutions and their

customers. An effective authentication system is necessary for financial institutions’ compliance with

requirements to safeguard customer information; to prevent money laundering and terrorist financing; to

reduce fraud and the theft of sensitive customer information, often the precursor to identity theft; and to

promote legal enforceability of financial institutions’ electronic agreements and transactions.

This guidance, which replaces the FFIEC’s

2001, does not endorse any particular technology. This guidance specifically addresses the need for riskbased

assessment, customer awareness, and financial institutions’ implementation of appropriate risk

mitigation strategies including security measures to reliably authenticate customers accessing their financial

institutions’ Internet-based services.

The guidance is divided into two parts. The main portion of the guidance provides financial institutions with

guidance on authentication and discusses appropriate risk assessments, customer authentication, verification

of new customers, and monitoring and reporting. An appendix provides more detail about various

authentication technologies.

The agencies’ transmittal documents accompanying the guidance contain a consistent timeframe for financial

institutions to achieve conformance. In light of the catastrophic events associated with recent natural

disasters, namely Hurricanes Katrina and Rita, affected financial institutions will face many challenges

during the recovery process. These challenges may affect their ability to conform to the guidance within the

specified time frame. Affected financial institutions will be afforded an extension, when circumstances

warrant, for achieving conformance with the guidance.

A copy of the guidance is attached (PDF).

Authentication in an Internet Banking Environment, was issued toAuthentication in an Electronic Banking Environment issued in

Media Contacts:

Federal Reserve Andrew Williams (202) 452-2955

FDIC David Barr (202) 898-6992

NCUA Cherie Umbel (703) 518-6330

OCC Dean DeBuck (202) 874-5770

OTS Erin Hickman (202) 906-6677