New FFIEC guidance falls short on requirements for stronger online ID
Attacks on financial services providers, like the one that exposed more than 210,000 names and account numbers at Citi Corp., are no longer the exception. Attackers keep going after account information because it converts directly into fraud.
Businesses and consumers need to check which sites they are accessing and guard their user names and passwords. Financial institutions have taken steps in recent years to protect customers, but with the recent spate of attacks and new malicious software, keeping up is difficult.
These problems aren’t new. In 2005 the Federal Financial Institutions Examination Council (FFIEC) released guidance recommending a risk-based approach to online account security and asking institutions to perform periodic risk assessments in response to new threats. Banks responded with a variety of authentication mechanisms: pictures and images were shown to reassure a customer that they were on the legitimate bank Web site, secure browser cookies were required before a login was enabled, and one-time passcode generators were deployed.
A supplement to the guidance was released in June, reinforcing the previous guidance. “Financial institutions should perform periodic risk assessments considering new and evolving threats to online accounts and adjust their customer authentication, layered security, and other controls as appropriate in response to identified risks,” the supplement states.
Many were disappointed that the new guidance didn’t spell out stronger forms of authentication banks should deploy for access to financial accounts. The guidance does establish minimum controls for certain online banking activities, and it identifies controls that are less effective in the current threat environment. It also identifies certain specific minimum elements that should be part of an institution’s customer awareness and education program. But it is virtually silent on specific recommended methods for strong authentication.
The FFIEC recognizes the emergence of malware and newer, more sophisticated man-in-the-middle and man-in-the-browser attacks that can circumvent one-time passcode tokens: the malware waits for the customer to log in with a valid code and then alters the transaction from inside the authenticated session. The supplement recommends anti-malware software, transaction monitoring, out-of-band authentication and secure USB devices.
Corporate accounts remain particularly vulnerable
The guidance is focused largely on corporate accounts. “They’re a bit more vulnerable in that money can be moved around more quickly,” says Adam Dolby, director and eBanking manager for the Americas at Gemalto.
Corporate accounts also lack the protections consumer accounts enjoy. If a consumer’s account is compromised the loss is covered and the money is returned, but recent lawsuits have not extended the same protection to corporations. If a corporate customer does something to give up information about the account and funds are stolen, the bank may not be liable.
This is not always the case, however, particularly if the bank has not put into place real and substantive protections. A recent lawsuit found in favor of a corporate account owner who was phished and lost more than half a million dollars, says Kevin Bocek, director of product marketing at IronKey. Though the bank had security measures in place, the court determined it had not met its good faith obligations and found in favor of the customer.
Bank reaction up in air
Bocek and Dolby have differing views of how financial institutions will react to the latest FFIEC guidance. Bocek believes banks will show good faith and go beyond the recommendations, but Dolby feels banks will require more prodding before voluntarily increasing security.
Banks will see that offering increased security is a differentiator for them, Bocek says. “Business customers are becoming more aware that they are liable and that means they want higher security,” he says.
IronKey provides secure browsing via a USB token, one of the technologies specifically cited in the FFIEC recommendations. Its banking product has been available since July 2010 and has drawn a lot of interest from banks, Bocek says.
“Banks have gotten the message by the fraud and by the litigation,” Bocek says. “Compliance isn’t enough … banks are being proactive with security. They are also worried about reputation and that will drive action too.”
Because basic compliance is the easiest path, Dolby thinks that is the route most institutions will choose. “Instead of focusing on protecting the customer they look at what they can do to get an examiner off their back,” he says.
The FFIEC guidance released in June was supplemental to information released in 2005. Prior to that the FFIEC had released guidance in 2002. The 2005 guidance was stricter than its predecessor because most banks had failed to take action. “The FFIEC was hoping the banks would self regulate,” Dolby says. “If a critical mass moved in the direction of true security, the rest would follow.”
That didn’t happen though and instead banks just went the compliance route, Dolby says. If banks don’t move to stronger authentication he predicts that the FFIEC will push for new regulations covering online access to accounts.
The problem is banks don’t want to spend money on authentication. “Fraud losses have become an accepted cost of doing business, sort of like bad loans,” Dolby says.
And changing existing systems could lead to more problems in the short term. Consumers are used to the image that tells them they are at the correct site, and changing it may cause confusion. “People may think just because something is different it is not safe,” Dolby adds.
“Part of the problem is when we rolled out Internet banking we educated people and told them it was safe, protected behind firewalls and secure socket layers,” Dolby says. “And now everyone thinks it’s safe.”
As the customer base ages this will change, however, Dolby says. “As the 20 to 30-year-old group become the 30 to 40-year-old group they will demand stronger security,” he says. “You need keys to start your car … you need something stronger to access your online bank account.”
FFIEC suggestions for layered-security program controls
- Fraud detection and monitoring systems that include customer history and behavior and enable a timely and effective institution response
- Dual customer authorization through different access devices
- Out-of-band verification for transactions
- “Positive pay,” debit blocks, and other techniques to appropriately limit the transactional use of the account
- Enhanced controls over account activities, such as transaction value thresholds, payment recipients, and number of transactions allowed per day
- Internet protocol reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities
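The following is an added example showing how the controls in the list above combine into one decision per transfer, and how the out-of-band verification recommended earlier in the article against man-in-the-browser attacks can be bound to the transaction details. It is not code from the article, the FFIEC supplement, or any bank or vendor named here. The policy thresholds, customer profile, IP blocklist, per-customer secret and sample transfers are all constructed for illustration.

```python
"""Layered transaction controls of the kind the FFIEC supplement lists.

Added example, not code from the article or from any bank or vendor it
names. Policy numbers, account profile, blocklist and transfers are
constructed for illustration; a real deployment loads them from its systems.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed IP-reputation blocklist. 203.0.113.0/24 is a documentation
# range (TEST-NET-3), chosen so the example cannot point at a real host.
BAD_NETWORKS = [ip_network("203.0.113.0/24")]


@dataclass
class Policy:
    daily_value_limit: float = 50_000.0  # transaction value threshold per day
    max_per_day: int = 10                # number of transactions allowed per day
    dual_auth_above: float = 25_000.0    # second approver required above this
    anomaly_factor: float = 3.0          # flag amounts this far above history


@dataclass
class Profile:
    """Customer history and behaviour consulted by the monitoring layer."""
    known_payees: set
    historical_max: float                      # largest transfer seen before today
    today: list = field(default_factory=list)  # amounts already sent today


@dataclass
class Transfer:
    account: str
    amount: float
    payee: str
    src_ip: str


def evaluate(t: Transfer, prof: Profile, pol: Policy) -> tuple:
    """Apply the controls in layers; return (decision, reasons).

    "block": bad IP or a hard daily limit; "dual_auth": large amount, needs a
    second approver; "step_up": unusual for this customer, needs out-of-band
    verification; "allow": nothing fired.
    """
    hard = []
    if any(ip_address(t.src_ip) in net for net in BAD_NETWORKS):
        hard.append("source IP on reputation blocklist")
    if len(prof.today) + 1 > pol.max_per_day:
        hard.append("daily transaction count exceeded")
    if sum(prof.today) + t.amount > pol.daily_value_limit:
        hard.append("daily value limit exceeded")
    if hard:
        return "block", hard

    soft = []
    if t.payee not in prof.known_payees:
        soft.append("payee not previously used")
    if t.amount > pol.anomaly_factor * prof.historical_max:
        soft.append("amount far above customer history")
    if t.amount > pol.dual_auth_above:
        soft.append("amount above dual-authorization threshold")
        return "dual_auth", soft
    if soft:
        return "step_up", soft
    return "allow", soft


def oob_code(secret: bytes, t: Transfer) -> str:
    """Out-of-band code bound to the exact account, amount and payee.

    The same details travel with the code over the second channel (an SMS,
    say). If a man-in-the-browser rewrote the payee after the customer clicked
    "send", the customer sees the substituted payee and refuses, and a code
    issued for one transfer cannot be replayed to approve another.
    `secret` is a constructed per-customer server-side key.
    """
    msg = f"{t.account}|{t.amount:.2f}|{t.payee}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]


def oob_verify(secret: bytes, t: Transfer, code: str) -> bool:
    """Recompute the code over the transfer the server is about to execute."""
    return hmac.compare_digest(oob_code(secret, t), code)


def dual_authorized(approvals) -> bool:
    """Dual customer authorization: two distinct users on two distinct devices.
    `approvals` is a list of (user_id, device_id) pairs collected so far."""
    users = {u for u, _ in approvals}
    devices = {d for _, d in approvals}
    return len(users) >= 2 and len(devices) >= 2


if __name__ == "__main__":
    # Constructed fixtures: a customer who pays one known vendor, has never
    # sent more than 5,000 and has already made two small transfers today.
    prof = Profile({"ACME Supplies"}, 5_000.0, [1_200.0, 800.0])
    pol = Policy()
    for t in [
        Transfer("C-1001", 2_500.0, "ACME Supplies", "198.51.100.7"),
        Transfer("C-1001", 9_000.0, "New Vendor LLC", "198.51.100.7"),
        Transfer("C-1001", 30_000.0, "ACME Supplies", "198.51.100.7"),
        Transfer("C-1001", 100.0, "ACME Supplies", "203.0.113.45"),
    ]:
        print(f"{t.amount:>9.2f} -> {t.payee:<16} {evaluate(t, prof, pol)}")

    secret = b"constructed-per-customer-secret"
    wanted = Transfer("C-1001", 9_000.0, "New Vendor LLC", "198.51.100.7")
    code = oob_code(secret, wanted)
    altered = Transfer("C-1001", 9_000.0, "Mule Account", "198.51.100.7")
    print("genuine transfer verifies:", oob_verify(secret, wanted, code))
    print("MITB-altered transfer verifies:", oob_verify(secret, altered, code))
```

The order of the layers is the point: reputation and hard limits are cheap and decisive, so they run first and block outright; behavioural anomalies and new payees escalate to a second channel rather than failing the customer; and the out-of-band code is only useful because it is computed over the payee and amount the server will actually execute, which is exactly what a man-in-the-browser changes.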