FFIEC: Evaluating Vendors4 Recommendations for Choosing the Right Partners and Solutions
Banks and credit unions need to evaluate the risks, implement proper controls and invest in technology that helps them meet new demands outlined by the FFIEC.
Chris Beier, a financial-services and online information security consultant, has had the opportunity to examine hundreds of solutions from different vendors.
During an interview with BankInfoSecurity.com's Tracy Kitten [transcript below], Beier says banks and credit unions, in weighing their options, need to "look for solutions that have strong ease-of-use that can be deployed easily, but still provide the security."
When choosing a vendor, Beier says banking institutions should consider:
See Also: Beware the Other Virus
- If the vendor has the right expertise. Does that vendor really understand financial services, in addition to having solid technologies?
- Vendors that have been able to grow with the times. The threat landscape is always changing, so there's always going to be new guidance. Is the vendor ahead of the curve, or is it reacting to the changing environment? Institutions should look for vendors that are proactive.
- Is the vendor's solution addressing the risks you've identified in your assessment? If so, is the solution continually improving and evolving as risks change?
- Does the vendor have a variety of solutions?
Beier has advised some of the country's top 100 financial institutions, as well as several state government agencies regarding regulatory compliance and Internet site security. For the last five years, Beier has worked as a financial services industry insider for companies such as Corillian, CheckFree and Fiserv. He also spent the better part of his career working as an information technology specialist for the U.S. Navy.
Corporate and Retail Accounts
TRACY KITTEN: Corporate account takeovers have been the catalyst for change in the commercial account realm, but what about retail accounts?
CHRISTOPHER BEIER: There's certainly a difference between commercial accounts and retail accounts. Commercial accounts tend to have more money. They have larger transaction frequency as well. They tend to lack some of the protections. In fact, small businesses are considered an equal with the bank when it comes to who's responsible for their online security. What's the same about these types of accounts, however, is the sophistication of the user and how well they understand the Internet, and ultimately the Internet threats that we're all facing. It really comes down to you having to treat them differently but know that there are certain things like education that both types of users are going to require.
KITTEN: How should institutions go about delineating their authentication upgrade plans for commercial vs. retail accounts?
BEIER: The good news is the guidance itself does provide a couple of points in helping financial institutions delineate what they should do for retail accounts vs. what they should do for commercial accounts. They should look there first, at the guidance, and you'll see things like for commercial accounts that have tiered authority. You have to have different and unique authentication methods for those who can give authority to view an account, which retail accounts don't really have to deal with. There are some components of the guidance itself that specifically speak to how to delineate what you need to do for those accounts.
KITTEN: Sometimes we tend to overlook the most obvious. When it comes to commercial accounts, for instance, the volume and the size of transactions is just so much larger than what you would see on the retail side of things. How does that volume make certain authentication practices maybe less reliable or perhaps less effective when it comes to comparing those that you might apply to a retail account?
BEIER: I don't know if I would say less reliable or less effective. I think any process where you are authenticating somebody is going to be good. The problem is that process gets repetitive. If we always have to put in the password or supply the token for every check that goes out for business, it's going to be significantly monotonous and the user might feel that this is beyond what's really providing me some level of protection, and the bad guys can then figure out how to hide within that volume.
In looking at those types of things, there have to be some rules around that. In giving some options to the small business, "Challenge me when I have transactions more than "X" number of dollars or over "X" number of transactions within a time period," could certainly help break up that monotonous kind of process.
KITTEN: What recommendations can you offer institutions when it comes to weighing different vendor options?
BEIER: I've had the opportunity to examine dozens, if not hundreds, of solutions from different vendors. There are a couple of things I look for. First is, do they have expertise in your business? If we're talking about financial institution services, does that vendor really understand financial services in addition to having really good and solid technologies? Number two is, look for vendors who have been able to grow with the times. The threat landscape is always changing so there's going to be new guidance. Are they ahead of the curve or are they reacting just like everybody else? Look for those vendors who are a bit more proactive about their approach and their stand and what they say with the market.
KITTEN: How can institutions ensure that they're investing in the right types of technologies for now and into the future?
BEIER: That's a great question, one that many struggle with including myself in terms of what's going to be appropriate for your institution. The risk assessment is different. Your customer base is different. The types of accounts you may be offering are different. You have to look at the vendors and the investments that you're making in the same way. Are they meeting the risks that you've identified in your assessments? And if so, are those solutions continuing to improve at the same time that you're continually reassessing the risks to your users and your account? If that's the correct solution for you, then by all means you should look at it.
One of the things that I point people to is to make sure that they have a variety of solutions, because that's what's going to confuse and confound the fraudsters more than anything else, not labeling or pinning down all your accounts with the same type of solution. Make it difficult. Make mass attacks ineffective because you have more than one solution available.
KITTEN: I'm glad that you brought that up, talking about different types of solutions, because I did want to ask about out-of-band authentication and how it might be applied in different ways to retail accounts vs. commercial accounts.
BEIER: Out-of-band is a great processing solution to be thinking about because most of the attacks that we've seen so far really are depending upon getting on the user's machine and utilizing that user's machine as if they were the user. Out-of-band takes us off of that and gives us a different channel that hasn't been as compromised as the PC has been.
Now the difference between commercial and retail is really going to come down to the sophistication of the user. We can expect more from businesses than we could the general population. So in looking at out-of-band solutions, we need to look at those solutions that make it easy for the general population to use. There are, certainly, some very sophisticated authentication techniques that can be done from a smartphone, but even with the proliferation of smartphones and the growing popularity of these devices, there are still a great number of folks out there running the regular, normal "run-of-the-mill" dial-up cell phone where some of the smartphone authentication techniques are not appropriate yet. But businesses are already on the smartphone bandwagon with the BlackBerries, Androids and so on, so you can expect more from them, but you need to provide the training that they need.
KITTEN: What are some of the challenges affecting the retail account space that don't necessarily effect commercial accounts, or are there any?
BEIER: I don't know if there are any challenges per say that retail has that's different than commercial accounts, other than the fact that you're dealing with a larger volume of users, and the sophistication of that user certainly is important to consider, how well they understand the process. And this is why the guidance, or supplemental guidance, really pushed education programs as a process that's going to be a requirement. It's going to be necessary to be compliant.
Different Account Challenges
KITTEN: Then what about the opposite scenario? What challenges do you see facing commercial accounts that don't face retail?
BEIER: That's where it gets interesting because of the fact that small businesses and banks are considered on equal footing. The small businesses don't have the consumer protections that the retail accounts have, and the small business can delegate access to their accounts to folks that may be completely unknown to the financial institution. I can be an employee and access a corporate account without ever even having an account, a personal account, at that particular bank. There's really not confusion but there's a lot of consideration as a bank is looking at how do they implement their security posture and process for a business as compared to a retail person, because of that ambiguity or the inability to know exactly who's accessing the account.
KITTEN: When it comes to overall security and making investments in technology for fraud prevention, how can institutions balance the two? How can they ensure that they're investing in technology that makes sense without having cost go out the roof?
BEIER: That's certainly been a question that a lot of businesses or financial institutions are having to tackle. I have a unique perspective on that. Don't consider the security investment that you're making a cost of doing business, but as a solution that will allow you to grow your business. Look for solutions that have strong ease-of-use that can be deployed easily, but still provide the security that you're looking for. And put it into a program where you're providing some differentiation to the financial institution and gaining and retaining the customer base that you have, growing the business, so it becomes less of an investment in a cost and more of an investment into making your members and customers more profitable.
KITTEN: Before we close, what final thoughts would you like to share with our audience?
BEIER: In general, get started now. Look at your best practices, find layers that you can add additional security components to and add something. Put something in and make sure that the technology that you're putting in is something that's going to differentiate your financial institution from somebody else. In fact, Javelin did a study recently that showed that a good majority, half of the customers surveyed, were looking at security technologies, particularly authentication or robust authentication, as critical factors to deciding whether they would open an account at a financial institution. So take that into account. Share what you're doing within reason and market security as a differentiator.