Posts

The FFIEC Wants You to Know…

The Federal Financial Institutions Examination Council recently released a supplement to the guide it issued in 2005, on authentication in an Internet banking environment. One of the FFIEC’s key recommendations for eliminating fraud is consumer awareness and education.

At some level, you may be aware that financial institutions have a layered security approach in place. Those layers include multi-authentication, which may mean requiring users to punch in a second security code or carry a key fob, as well as due diligence in identifying customers as real people whose identities haven’t been stolen, and consumer education.

Consumers are largely oblivious to the multiple layers of security put in place by financial institutions in order to protect them and their bank accounts. All consumers really care about are ease and convenience. However, a better understanding of what goes on behind the scenes can help consumers adapt to new technologies that affect their lives.

I recently came across a blog post written by a financial institution’s bank manager, “Nerdy Nate,” attempting to educate the bank’s customers in response to the FFIEC’s guidance. Nate’s message is useful for all bank customers, and should be a model for other financial institutions.

“Currently, [this institution] employs a combination of a secure browser connection, customer number, password, and our enhanced login security system. We recently added the ability for you to use email, voice and text to receive a one-time passcode needed when we do not recognize your computer. We do realize that having to use a one-time passcode is inconvenient at times. Please be assured that SIS will research other options to make this more convenient. However, at this time, using a one-time passcode is considered the best practice in authenticating you as a user when you login into SIS Online Banking. This method is also compliant with the FFIEC guidance issued to SIS.

We are also working with our Online Banking provider on other security efforts in response to the FFIEC guidance.

·      Enhanced Device Identification – We will enhance the security of the multifactor authentication enrollment cookie, where it is in use, by adding device fingerprinting. This means that if the cookie is present on a system whose device fingerprint differs from what is on record, the cookie will not be honored and an additional authentication step will be required.

·      Removal of Challenge Questions – In the near future, we will no longer allow the use of a Challenge Question to authenticate you. Instead you will need to use one of the three passcode methods available; text, voice call and email.

·      Web Fraud Detection, Behavior Monitoring – We are evaluating different options to monitor your online access for fraud. Once we have a solution in place, we will notify you on how it might affect you as a user.

·      Malware Prevention & Detection – We are evaluating different options to monitor the use of malware to “hack” your online access. Once we have a solution in place, we will notify you on how it might affect you as a user.

We remain committed to providing you with the best and most secure Online Banking experience possible. With the ever-changing landscape of online fraud, this is proving to be more difficult every day. We are confident that with your help and some hard work on our side, we can achieve our goal.”

Great stuff. Nowadays, education on the “threatscape” is essential. Enhanced device identification is also essential. The FFIEC suggests complex device identification. While complex device identification is more sophisticated than previous techniques, take one step instead of two and incorporate  device reputation management.

This proven strategy not only has advanced methods to identify devices connecting to your bank, but also incorporates geolocation, velocity, anomalies, proxy busting, webs of associations, fraud histories, commercially applied evidence of fraud or abuse, and much more to protect your financial institution against cyber fraud.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

Financial Institutions Can Protect Their Clients Using “Defense in Depth”

Back in 2005, the Federal Financial Institutions Examination Council (FFIEC) made security recommendations for banks and financial institutions in response to the increase of cybercrime. Since then, banks have implemented most, if not all, of these guidelines, and cyber criminals have responded by challenging each layer of security, by exploiting different technologies or coming up with new hacking techniques.

The latest security recommendations strongly suggest a layered or “defense-in-depth” approach, which the National Security Agency defines as a practical strategy for achieving Information Assurance in today’s highly networked environments. It is a “best practices” strategy in that it relies on the intelligent application of techniques and technologies that exist today. The strategy strikes a balance between the protection capability and cost, performance, and operational considerations.

The FFIEC recommends that financial institutions replace simple device identification with complex device identification, which most banks had already implemented long ago. Therefore, the next evolution of security is device reputation management, incorporating geolocation, velocity, anomalies, proxy busting, browser language, associations, fraud histories, and time zone differences. iovation, an Oregon-based security firm, offers this service and more.

The FFIEC also recommends that financial institutions replace challenge questions, which are often fact-based questions, and can be easy to figure out with the use social networking data, with “Out of Wallet” (OOW) questions that don’t rely on publicly available information.

Challenge questions include, “What’s your mother’s maiden name?” “What’s your Social Security Number?” “What are your kids’ names?” or “When were you born?” OOW questions are generally opinion-based, such as, “What is your favorite vacation spot?” “What is your favorite flavor of ice cream?” or “What is your favorite book?”

Keir Breitenfeld, Senior Director of Experian Decision Analytics recently joined Device Reputation pioneer and leader, iovation, for a webinar presentation addressing the FFIEC guidelines.  You can listen to his presentation on applying proportional treatment to risk-based authentication efforts and dynamically managing credit and non-credit data questions to mitigate fraud via the webinar.

Ultimately, financial institutions must implement a layered approach to security. iovation’s device reputation service is a must-have layer that contributes greatly to a defense-in-depth approach, assessing risk throughout multiple points on an institution’s website.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures