The Federal Financial Institutions Examination Council has released new guidance for financial institutions on authenticating customers who access accounts online. The council first released guidance in 2005 recommending a risk-based approach and telling institutions to perform periodic assessments in response to new threats.
The latest report reinforces those expectations. “Financial institutions should perform periodic risk assessments considering new and evolving threats to online accounts and adjust their customer authentication, layered security, and other controls as appropriate in response to identified risks,” the supplement states. “It establishes minimum control expectations for certain online banking activities and identifies controls that are less effective in the current environment. It also identifies certain specific minimum elements that should be part of an institution’s customer awareness and education program.”
It was 2005 that saw financial institutions begin to use different authentication mechanisms, such as images that reassure a customer that they are on the correct Web site, or requiring that a secure cookie be present on the computer before permitting a login.
The new guidance recognizes the emergence of malware and of new, more sophisticated man-in-the-middle and man-in-the-browser attacks. Because these attacks can circumvent one-time passcode tokens, the report recommends anti-malware software, transaction monitoring, out-of-band authentication and secure USB devices.
The report offers no guidance on how financial institutions should authenticate customers on mobile devices.
The guidance can be downloaded here.