The FFIEC Wants You to Know…

The Federal Financial Institutions Examination Council recently released a supplement to the guidance it issued in 2005 on authentication in an Internet banking environment. One of the FFIEC’s key recommendations for reducing fraud is consumer awareness and education.

At some level, you may be aware that financial institutions have a layered security approach in place. Those layers include multifactor authentication, which may mean requiring users to enter a second security code or carry a key fob; due diligence in verifying that customers are real people whose identities haven’t been stolen; and consumer education.

Consumers are largely oblivious to the multiple layers of security put in place by financial institutions in order to protect them and their bank accounts. All consumers really care about are ease and convenience. However, a better understanding of what goes on behind the scenes can help consumers adapt to new technologies that affect their lives.

I recently came across a blog post written by a financial institution’s bank manager, “Nerdy Nate,” attempting to educate the bank’s customers in response to the FFIEC’s guidance. Nate’s message is useful for all bank customers, and should be a model for other financial institutions.

“Currently, [this institution] employs a combination of a secure browser connection, customer number, password, and our enhanced login security system. We recently added the ability for you to use email, voice and text to receive a one-time passcode needed when we do not recognize your computer. We do realize that having to use a one-time passcode is inconvenient at times. Please be assured that SIS will research other options to make this more convenient. However, at this time, using a one-time passcode is considered the best practice in authenticating you as a user when you log in to SIS Online Banking. This method is also compliant with the FFIEC guidance issued to SIS.

We are also working with our Online Banking provider on other security efforts in response to the FFIEC guidance.

· Enhanced Device Identification – We will enhance the security of the multifactor authentication enrollment cookie, where it is in use, by adding device fingerprinting. This means that if the cookie is present on a system whose device fingerprint differs from what is on record, the cookie will not be honored and an additional authentication step will be required.

· Removal of Challenge Questions – In the near future, we will no longer allow the use of a Challenge Question to authenticate you. Instead you will need to use one of the three passcode methods available: text, voice call and email.

· Web Fraud Detection, Behavior Monitoring – We are evaluating different options to monitor your online access for fraud. Once we have a solution in place, we will notify you of how it might affect you as a user.

· Malware Prevention & Detection – We are evaluating different options to detect the use of malware to “hack” your online access. Once we have a solution in place, we will notify you of how it might affect you as a user.

We remain committed to providing you with the best and most secure Online Banking experience possible. With the ever-changing landscape of online fraud, this is proving to be more difficult every day. We are confident that with your help and some hard work on our side, we can achieve our goal.”
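Nate’s “Enhanced Device Identification” item describes binding the MFA enrollment cookie to a device fingerprint and requiring a one-time passcode whenever the two disagree. The Python below is an added illustration of that server-side check, not the bank’s or its provider’s code; the attribute names, the cookie layout, the HMAC key and the `allow`/`step_up` outcomes are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side secret for this example; a real deployment loads it from a secret store.
SERVER_KEY = b"example-enrollment-cookie-key"


def fingerprint(attrs: dict) -> str:
    """Hash the stable device attributes (constructed field names) into one fingerprint."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def issue_cookie(customer_id: str, attrs: dict, ttl_seconds: int = 90 * 86400,
                 now: Optional[float] = None) -> str:
    """Issue an MFA enrollment cookie bound to the device fingerprint and signed with HMAC-SHA256."""
    now = time.time() if now is None else now
    payload = {"cid": customer_id, "fp": fingerprint(attrs), "exp": int(now + ttl_seconds)}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def authenticate_device(cookie: Optional[str], customer_id: str, attrs: dict,
                        now: Optional[float] = None) -> str:
    """Return 'allow' when a valid cookie matches this device, else 'step_up' (send a one-time passcode)."""
    now = time.time() if now is None else now
    if not cookie or "." not in cookie:
        return "step_up"  # no enrollment cookie: unrecognized computer
    body, mac = cookie.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "step_up"  # forged or tampered cookie
    try:
        payload = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return "step_up"
    if payload.get("cid") != customer_id or payload.get("exp", 0) < now:
        return "step_up"  # cookie belongs to another customer, or the enrollment expired
    if not hmac.compare_digest(payload.get("fp", ""), fingerprint(attrs)):
        return "step_up"  # cookie present, but the device fingerprint differs from the record
    return "allow"
```

Because the fingerprint is hashed into the signed payload, a cookie copied to a machine with different attributes is refused the same way a missing cookie is, which is exactly the behaviour the bullet describes.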

Great stuff. Nowadays, education on the “threatscape” is essential. Enhanced device identification is also essential. The FFIEC suggests complex device identification. While complex device identification is more sophisticated than previous techniques, skip the intermediate step and go straight to device reputation management.

This proven strategy not only has advanced methods to identify devices connecting to your bank, but also incorporates geolocation, velocity, anomalies, proxy busting, webs of associations, fraud histories, commercially applied evidence of fraud or abuse, and much more to protect your financial institution against cyber fraud.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

Financial Institutions Can Protect Their Clients Using “Defense in Depth”

Back in 2005, the Federal Financial Institutions Examination Council (FFIEC) made security recommendations for banks and financial institutions in response to the increase in cybercrime. Since then, banks have implemented most, if not all, of these guidelines, and cyber criminals have responded by probing each layer of security, exploiting different technologies or coming up with new hacking techniques.

The latest security recommendations strongly suggest a layered or “defense-in-depth” approach, which the National Security Agency defines as a practical strategy for achieving Information Assurance in today’s highly networked environments. It is a “best practices” strategy in that it relies on the intelligent application of techniques and technologies that exist today. The strategy strikes a balance between the protection capability and cost, performance, and operational considerations.

The FFIEC recommends that financial institutions replace simple device identification with complex device identification, which most banks had already implemented long ago. Therefore, the next evolution of security is device reputation management, incorporating geolocation, velocity, anomalies, proxy busting, browser language, associations, fraud histories, and time zone differences. iovation, an Oregon-based security firm, offers this service and more.

The FFIEC also recommends that financial institutions replace challenge questions, which are often fact-based and can be easy to figure out using social networking data, with “Out of Wallet” (OOW) questions that don’t rely on publicly available information.

Challenge questions include, “What’s your mother’s maiden name?” “What’s your Social Security Number?” “What are your kids’ names?” or “When were you born?” OOW questions are generally opinion-based, such as, “What is your favorite vacation spot?” “What is your favorite flavor of ice cream?” or “What is your favorite book?”

Keir Breitenfeld, Senior Director of Experian Decision Analytics, recently joined device reputation pioneer and leader iovation for a webinar presentation addressing the FFIEC guidelines. You can listen to his presentation on applying proportional treatment to risk-based authentication efforts and dynamically managing credit and non-credit data questions to mitigate fraud via the webinar.

Ultimately, financial institutions must implement a layered approach to security. iovation’s device reputation service is a must-have layer that contributes greatly to a defense-in-depth approach, assessing risk throughout multiple points on an institution’s website.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

15 Social Media Security Tips

1. Realize that you can become a victim at any time. Not a day goes by when we don’t hear about a new hack. With 55,000 new pieces of malware a day, security never sleeps.

2. Think before you post. Status updates, photos, and comments can reveal more about you than you intended to disclose. You could end up feeling like some silly politician as you struggle to explain yourself.

3. Nothing good comes from filling out a “25 Most Amazing Things About You” survey. Avoid publicly answering questionnaires with details like your middle name, as this is the type of information financial institutions may use to verify your identity.

4. Think twice about applications that request permission to access your data. You would be allowing an unknown party to send you email, post to your wall, and access your information at any time, regardless of whether you’re using the application.

5. Don’t click on short links that don’t clearly show the link location. Criminals often post phony links that claim to show who has been viewing your profile. Test unknown links at by pasting the link into the “View a Site Report” form on the right-hand side of the page.

6. Beware of posts with subjects along the lines of, “LOL! Look at the video I found of you!” When you click the link, you get a message saying that you need to upgrade your video player in order to see the clip, but when you attempt to download the “upgrade,” the malicious page will instead install malware that tracks and steals your data.

7. Be suspicious of anything that sounds unusual or feels odd. If one of your friends posts, “We’re stuck in Cambodia and need money,” it’s most likely a scam.

8. Understand your privacy settings. Select the most secure options and check periodically for changes that can open up your profile to the public.

9. Geolocation apps such as Foursquare share your exact location, which also lets criminals know that you aren’t home, so reconsider broadcasting that information.

10. Use an updated browser. Older browsers tend to have more security flaws.

11. Choose unique logins and passwords for each of the websites you use. I’m a big fan of password managers, which can create and store secure passwords for you.

12. Check the domain to be sure that you’re logging into a legitimate website. So if you’re visiting a Facebook page, look for the address.

13. Be cautious of any message, post, or link you find on Facebook that looks at all suspicious or requires an additional login.

14. Make sure your security suite is up to date and includes antivirus, anti-spyware, anti-spam, a firewall, and a website safety advisor.

15. Invest in identity theft protection. Regardless of how careful you may be or any security systems you put in place, there is always a chance that you can be compromised in some way. It’s nice to have identity theft protection watching your back.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss social media scammers on CNN. (Disclosures)


10 Social Media Security Considerations

Social media security issues involve identity theft, brand hijacking, privacy issues, online reputation management, and users’ physical security.

Social media provides opportunities for criminals to “friend” their potential victims, creating a false sense of trust they can use against their victims through phishing or other scams.

Register your full name on the most trafficked social media sites, and do the same for your spouse and kids. If your name is already taken, include your middle initial, a period, or a hyphen. You can do this manually or speed up the process by using

Get free alerts. Set up Google alerts for your name and kids’ names, and you’ll get an email every time one of your names pops up online. You should be aware if someone is using your name or talking about you.

Discuss social media with your kids. Make sure they aren’t sharing personal information that would compromise their own or your family’s security with their “friends.” Monitor what they do online. Don’t sit in the dark, hoping they are using the Internet appropriately. Be prepared not to like what you see.

Be discreet. What you say, do, and post online exists forever. There is no way to completely delete a digital post. Keep it professional, and be aware that someone is most likely monitoring you, possibly including your employer.

Maintain updated security. Make sure your hardware and your software are up to date. Update your antivirus definitions, your critical security patches, and so on.

Lock down settings. Most social networks have privacy settings. Don’t rely on the defaults. Instead, set these preferences as securely as possible. The main social media websites offer tutorials, which you should use.

Always delete messages from unfamiliar users. I get messages from scammers all the time, and I’m sure you do, too.

Don’t share personal information through games or applications. Nothing good can come from publishing “the 25 most amazing things about you.”

Always log off social media sites before walking away from the PC. If you ever use a friend’s or a public PC, this habit will save lots of aggravation.

Don’t use geolocation features, which literally track your every move in order to announce your location to the world. There’s no reason to allow anyone, anywhere, to stalk you. And don’t post status updates sharing the fact that your home is vacant.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses hackers hacking social media on Fox Boston. Disclosures

Dealing With Daily Digital Surveillance

Our everyday activities are being monitored, today, right now, either by self-imposed technology or the ever-present Big Brother.

Traditionally, documenting our existence went like this: You’re born, and you get a medical and a birth record. These documents follow you throughout your life, filed and viewed by many. You must present these records in order to be admitted to a school, to be hired, or to be issued insurance. You get a Social Security number shortly after birth, which serves as your national identification. These nine digits connect you to every financial, criminal and insurance record that makes up who you are and what you’ve done. Beyond that, it’s all just paperwork.

But today, as reported by USA Today, “Digital sensors are watching us”:

“They are in laptop webcams, video-game motion sensors, smartphone cameras, utility meters, passports and employee ID cards. Step out your front door and you could be captured in a high-resolution photograph taken from the air or street by Google or Microsoft, as they update their respective mapping services. Drive down a city thoroughfare, cross a toll bridge, or park at certain shopping malls and your license plate will be recorded and time-stamped.”

Then, of course, there are geolocation technologies that work in tandem with social media status updates, applications that track you and leak that data, and cookies on websites.

All of these technologies have been around for a while in one form or another. The difference is that today, databases are collecting and sharing that information like never before.

On top of that, new facial recognition technologies will connect your social networking profiles to your face, and that issue will be compounded when you share photographs that are geotagged with your location.

Knowing this, and understanding technology’s impact on what you once considered privacy, ought to resign you to the fact that at this point, privacy is kind of a dead issue. If you want to participate in society you have no choice but to give up your privacy (but not your security), to a certain extent.

Your new focus should be security. Secure your financial identity, so nobody else can pose as you. Secure your online social media identity, so nobody else can pose as you. Secure your PC, so nobody can take over your accounts. And please, there’s no sense in telling the world what you are doing and where you are every minute of the day. When you do this, you aren’t just relinquishing privacy; you are compromising your personal security.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses Social Security numbers as national identification on Fox News. (Disclosures)