United States

FFIEC issues new guidance on internet banking authentication


Anyone who follows the internet banking industry knows that fraud related to on-line account access has been on the upswing in recent years. So it's not surprising that the FFIEC (Federal Financial Institutions Examination Council) would issue a supplement to its original guidance on the subject of internet banking security. In fact, many may wonder what took them so long. It's been nearly six years since the first document, Authentication in an Internet Banking Environment, was released in October 2005.

Since then, electronic banking has grown in volume, scale and features, while cybercrime targeting bank customers has become more sophisticated. These factors have increased risks for financial institutions and their customers, and substantial losses have resulted. These events underscore the critical need for more effective security to safeguard customer funds, reduce fraudulent account activity and prevent theft of sensitive customer information.

This may be what prompted the FFIEC (the federal entity that prescribes uniform standards for the federal examination of financial institutions) to issue the Supplement on June 28 of last year. The release does not contain any startlingly new information; rather, it generally affirms many of the issues from the 2005 release, while also providing additional insight into higher risk transaction authentication. The Supplement articulates its purpose is "to update the FFIEC member agencies' supervisory expectations regarding customer authentication, layered security, and other controls in the increasingly hostile online environment."

First of all, to understand what types of crimes the Supplement may be addressing, (although the Supplement itself does not discuss specific criminal activities) let's briefly review four classical fraud schemes perpetuated by online banking criminals:

  • Phishing is generally considered the most serious threat. It involves sending emails purporting to be from the users' banks and enticing them to enter their personal information on a phony website that is disguised as a legitimate bank site.
  • Trojan horses are usually covert installations of malicious software that automatically install on the victims' hard drives when they click on a link or attachment in an email. The Trojan horse is able to capture their password and ID when they log on to a legitimate bank site.
  • Classical identity theft involves the perpetrator posing as the account holder over the telephone or in person. He may already have stolen the victim's ID and password, but strong challenge questions and other measures can thwart this type of crime.
  • Over the shoulder scheme is theft the old-fashioned way: by personal observation, such as an offender watching a user ("standing over his shoulder") make financial transactions on his computer and jotting down the user's confidential ID and password.

The Supplement deals with several types of bank security, including telephone banking (if the transactions are deemed high risk) and online banking systems by personal computer or mobile device. Special attention was given to the security needs of business and commercial accounts. The short list of these security measures is as follows:

  • Enhanced risk assessments
  • Layered security controls
  • Fraud detection and monitoring
  • Dual authorization
  • Out of band transaction confirmation
  • More effective authentication techniques
  • Heightened education initiatives

Now, for a more detailed discussion about each of these recommendations:

  • Enhanced risk assessments: The Supplement recommends updating and enhancing risk assessments at least annually, but more frequently if new products or services are added, or if there are changes in the internal or external environment. This could include additions of new electronic banking services or upgrades to existing services.
  • And of course, anytime there is an actual incident of fraud, identity theft or security breach, the bank should take a fresh look at its risk assessment policies and practices.
  • Layered security controls: Banks should not rely on static challenge questions to protect customer data. Layered security measures should be implemented based on the dollar amount and complexity of the transaction. Examiners can be expected to look for such security measures as anomaly detection at initial customer login and again at initiation of funds transfer activities.
  • Fraud detection and monitoring: Fraud detection measures can be manual or electronic. People, processes or platforms can be used to detect anomalies in customer behavior or account activity. In terms of human monitoring, customer callbacks after a questionable transaction is one method, while staff trained in the account's typical behavior are also useful in detecting unusual activity.
  • Dual authorization: This would provide additional security by requiring the involvement of two people at the payee to establish a transaction with the bank, rather than one person. The bank could manually call the payee or someone different from the party that initiated the request.
  • Out of band transaction confirmation: This provides an additional layer of security by having the authorization come from outside the channel where the transaction originated. For instance, if the transaction is requested via email, alternative channels could include voice, fax or Short Message Service (text messaging over fixed or mobile phones).
  • More effective authentication techniques: Since the issue of password complexity was covered in the original Guidance, the issue was purposely not included in the Supplement. However, other authentication measures were discussed, including recommendations for device ID identification and stronger challenge questions. A device ID is a vendor-defined identification string that is unique to a piece of computer hardware.
  • Heightened education initiatives: Many security breaches can be avoided simply by educating the relevant parties in how to prevent and detect security breaches. This applies to several parties, including system administrators, relevant account service staff and internet banking customers.

Special attention was given to customer education, including these suggestions:

  • Advising customers of what, if any, circumstances would cause the bank to contact them on an unsolicited basis and by what method of communication
  • Recommending that commercial online customers perform their own risk assessment periodically
  • Providing customers with a list of resources that provide information about risk control mechanisms and practices

Other policy recommendations

The Supplement offered some additional guidance on policy guidelines, including:

  • Policies that address customer devices identified as potentially compromised
  • Policies for identifying customers who may be facilitating fraud
  • Policies for monitoring suspicious customer activities
  • Policies for monitoring bank administration changes

For more information

For more information about IT security services and solutions, please contact your financial services representative or Loras Even, principal, McGladrey & Pullen, LLP at 319.274.8541 or Carla Brinker, manager, McGladrey and Pullen, LLP at 319.274.8540..