The FFIEC has yet to formally unveil its long-awaited update to 2005's authentication guidance, but a December 2010 draft document entitled "Interagency Supplement to Authentication in an Internet Banking Environment" was reportedly distributed to the FFIEC's member agencies -- the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corp., Office of the Comptroller of the Currency, National Credit Union Administration and Office of Thrift Supervision -- for review and comment. Copies of this draft have circulated recently within the banking and security communities, and two were sent separately and anonymously to Information Security Media Group.
While it's likely that this draft will be amended before the final release of the new FFIEC guidance, the current document calls for five key areas of improvement:
- Better risk assessments to help institutions understand and respond to emerging threats, including man-in-the-middle or man-in-the-browser attacks, as well as keyloggers;
- Widespread use of multifactor authentication, especially for so-called "high-risk" transactions;
- Layered security controls to detect and effectively respond to suspicious or anomalous activity;
- More effective authentication techniques, including improved device identification and protection, as well as stronger challenge questions;
- Heightened customer education initiatives, particularly for commercial accounts.
Building on 2005The proposed updates remain closely aligned with recommendations made in the existing 2005 guidance.
"The Supplement reiterates and reinforces the expectations described in the 2005 Guidance that financial institutions should perform periodic risk assessments and adjust their customer authentication, layered security, and other controls as appropriate in response to identified risks, including consideration of new and evolving threats to customers' online accounts," the draft reads. It identifies certain controls that should no longer be considered effective, specifies minimum control expectations for certain online activities, and sets forth two minimum components of an effective layered security program. It also identifies specific minimum elements that should be part of an institution's customer awareness and education program.
In issuing the supplement, the regulatory agencies acknowledge the evolution of online threats, as well as institutions' failure to abide by all aspects of the 2005 guidance - including periodic risk assessments and updates to control mechanisms.
The five areas singled out in the supplement under specific supervisory expectations include:
1. Risk AssessmentsRisk assessments are addressed first in the draft, leveling some criticism at banking institutions for not being diligent about regular assessments.
"Examiners have noted that some institutions that were initially responsive in conforming with the 2005 Guidance have not updated their risk assessments and consequently not upgraded their authentication or other control techniques in response to relevant changes in the threat environment," the draft states.
The document says risk assessments should include regular reviews of internal systems, analyzing their abilities to:
- Detect and thwart established threats, such as malware;
- Respond to changes related to customer adoption of electronic banking;
- Respond to changes in functionality offered through e-banking;
- Analyze actual incidents of security breaches, identity theft or fraud experienced by the institution;
- Respond to changes in the internal and external threat environment.
2. Authentication for High-Risk TransactionsThe FFIEC's definition of "high-risk transactions" remains unchanged. But the supplement does acknowledge that, since 2005, more consumers and businesses are conducting online transactions.
The draft distinguishes between consumer and commercial accounts when discussing potential high-risk transactions - a concession to recent commercial losses to ACH and wire fraud. Specific to commercial accounts, the document discusses online business transactions that generally involve ACH file origination and frequent interbank wire transfers. Because the frequency and dollar amounts of these transactions are generally higher, they pose a higher level of risk.
For these high-risk transactions, the FFIEC says: "Financial institutions should implement multifactor authentication and layered security, as described herein, consistent with the risk for covered business transactions."
3. Layered SecurityLayered security includes different controls at different points in a transaction process. If one control or point is compromised, another layer of controls is in place to thwart or detect fraud. Agencies say they expect security programs to include, at minimum:
- Processes designed to detect and effectively respond to suspicious or anomalous activity;
- Enhanced controls for users who are granted administrative privileges to set up users or change system configurations, such as defined users, users' privileges, and application configurations and/or limitations.
The supplement is critical of how institutions have handled layered security to this point. "Based upon the incidents the Agencies have reviewed, manual or automated transaction monitoring/anomaly detection could have prevented many of the frauds, since the ACH/wire transfers being originated by the fraudsters were anomalous when compared with the customer's established patterns of behavior."
Among recommendations for layered security: Out-of-band authentication, verification or alerting.
4. Effectiveness of Authentication TechniquesPart of the layered security approach, the draft suggests, should include stronger device identification, which could include use of "one-time" cookies to create a more complex digital fingerprint of the PC by looking at characteristics such as PC configuration, Internet protocol address and geo-location.
Although no device authentication method can mitigate all threats, the supplement says, "the Agencies consider complex device identification to be more secure and preferable to simple device identification."
The need for stronger challenge questions is also noted, as yet another layer institutions can use to authenticate and identify a device and a user. Too much basic information - birthdates, birthplaces, family names - is already available via social networks, so challenge questions built around those answers are no longer deemed effective. Instead, the draft guidance recommends more sophisticated queries such as asking the user to name or list previously owned vehicles or registered domain names - questions an imposter would find difficult to answer.
5. Customer Education and AwarenessAs part of the effort to educate consumer and commercial customers about fraud risks and security measures, the draft states financial institutions should explain what protections are and are not provided under Regulation E. The drafted guidance also suggests banking institutions offer:
- An explanation of under what circumstances and through what means the institution may contact a customer and request the customer's electronic banking credentials;
- A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically;
- A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk;
- A listing of institutional contacts for customers' discretionary use in the event they notice suspicious account activity or experience customer information security-related events.
Stronger Fraud DetectionBeyond the supervisory expectations, the draft guidance includes an appendix that discusses the current threat landscape and compensating controls, including anti-malware software for customers, as well as transaction monitoring/anomaly detection software. "Similar to the manner in which the credit card industry detects and blocks fraudulent credit card transactions, systems are now available to monitor online banking systems for suspicious funds transfers," the draft notes.
The supplement also recommends out-of-band authentication for certain high value and/or anomalous transactions.
Beyond technology controls, the guidance says institutions can look to traditional and innovative business process controls to improve security over customers' online activities. Examples include:
- Setting and regularly reviewing transaction volume and value limitations for business customers and those customers' online users;
- Monitoring and alerting exception events, based on account activity;
- Requiring ACH transaction originators to notify the bank before a transaction is submitted;
- Ensuring business customers implement dual controls for "high-risk" online functions.
Putting more challenges and barriers in the faces of the fraudsters, the draft guidance suggests, will stave off fraud.
Again, these guidelines are drawn from a December 2010 draft of the update. It is likely that some or all of these items will be amended before the final release of the supplement.