
AssureIT

6 posts in this category

10 Tips to Passing Your Web Application Penetration Test

by Kevin Bong
on Tuesday, 16 August 2011

(or 10 Tips for Securing your Web Application)

The list below covers the most common weaknesses we find when conducting web application penetration tests or vulnerability assessments. SynerComm's AssureIT Penetration Testing and Assessment services page has more information and a quote request form.


FFIEC Internet Banking Authentication Supplement released - first impressions

by Kevin Bong
on Wednesday, 29 June 2011

Yesterday the FFIEC released its update to the 2005 online banking guidance, titled "Supplement to Authentication in an Internet Banking Environment". Below are some first impressions.

As expected, the guidance focuses on commercial online banking services. This is because the majority of online banking fraud has occurred through commercial banking platforms, which allow higher-risk transactions such as ACH and wire transfers. The guidance suggests that FIs "recognize and address the fact that not every online transaction poses the same level of risk. Therefore, financial institutions should implement more robust controls as the risk level of the transaction increases." It goes on to suggest that layered security is appropriate for consumer access (I read into this that they do not seem to expect strong multifactor authentication for consumer access), while multifactor authentication is recommended for commercial platforms.


2011 FFIEC Online Banking Guidance prep part 3 – Authentication Techniques

by Kevin Bong
on Monday, 06 June 2011

This blog posting describes the evolution of authentication techniques commonly applied to online financial applications, including some of the benefits and drawbacks of the common methods.

User ID and Password

The most common authentication mechanism in use on the web today is a user ID and a password. This is considered "single-factor authentication" because there is only one secret (the password) that an attacker needs to compromise to defeat the authentication system: a phished, keylogged or guessed password is a complete compromise of the account.

In 2005 the FFIEC issued a very strong guidance statement: "The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties." This caused financial institutions and their service providers to quickly begin work on implementing stronger controls.
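To make the single-factor point concrete, the following added example (not code from the original post, SynerComm, or the FFIEC) puts a password-only login beside a password-plus-TOTP login. The user record, salt and demo password are constructed for the example; the TOTP secret is the RFC 6238 test-vector key so the codes can be checked against the RFC. With the single-factor login, a phished password alone succeeds; with the second factor it does not.

```python
"""Single-factor (password only) login beside a two-factor (password + TOTP)
login. Added illustration for this page, not SynerComm or FFIEC code.
Assumptions: the user store, salt and demo password are constructed here;
the TOTP secret is the RFC 6238 test-vector key so outputs are checkable."""
import hashlib
import hmac
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000  # illustrative work factor; tune per current guidance


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits)


# Constructed demo user (not a real account). The salt is fixed so the example
# is deterministic; a real system draws it from secrets.token_bytes().
_SALT = b"constructed-demo-salt"
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery", _SALT),
        "salt": _SALT,
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector key
        "last_counter": -1,  # highest TOTP counter already accepted (replay guard)
    }
}


def login_single_factor(username: str, password: str) -> bool:
    """Password only: one secret, so one phished credential is a full compromise."""
    user = USERS.get(username)
    if user is None:
        return False
    return hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])


def login_two_factor(username: str, password: str, code: str,
                     now: Optional[float] = None) -> bool:
    """Password plus TOTP. Accepts the current and the previous 30 s step to
    tolerate clock drift, and refuses any counter at or below the last one
    used so a captured code cannot be replayed."""
    if not login_single_factor(username, password):
        return False
    user = USERS[username]
    now = time.time() if now is None else now
    current = int(now) // 30
    for counter in (current - 1, current):
        if counter <= user["last_counter"]:
            continue  # already consumed: treat as replay
        if hmac.compare_digest(hotp(user["totp_secret"], counter), code):
            user["last_counter"] = counter
            return True
    return False


if __name__ == "__main__":
    phished = "correct horse battery"  # what a keylogger or phishing page captured
    print("single factor, phished password only:", login_single_factor("alice", phished))
    print("two factor, phished password, guessed code:",
          login_two_factor("alice", phished, "000000"))
```

The attacker who holds only the password clears the first function and fails the second; the second secret lives on a device the phishing page never saw. The drift window and replay guard are the two details most often missed when a second factor is bolted onto an existing password form.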


2011 FFIEC Online Banking Guidance prep part 2 – Online Banking Attacks

by Kevin Bong
on Friday, 20 May 2011

There is a lot of information available on the Internet about banking Trojans and the recent trend of online bank account attacks. In this article we provide a brief overview and then focus on the points of failure that allow these fraud attacks to occur.


2011 FFIEC Online Banking Guidance prep part 1 – Risk Assessment

by Kevin Bong
on Tuesday, 10 May 2011

This blog posting is meant to help individuals who need to conduct or update their online banking risk assessment in compliance with the new FFIEC guidance that is expected to be released soon, and who need a framework or a place to start. It walks through how the FFIEC's framework for an Information Security Risk Assessment, available from the FFIEC IT handbook at http://ithandbook.ffiec.gov/it-booklets/information-security/information-security-risk-assessment.aspx, could be used as a basis for an online banking risk assessment.


Preparing for the 2011 FFIEC Online Banking Guidance – Introduction

by Kevin Bong
on Monday, 09 May 2011

In 2001 the FFIEC issued guidance titled "Authentication in an Electronic Banking Environment", which gave banks an overview of risk and of the expectations for risk management controls in an online banking environment. In 2005 the FFIEC issued an update to this guidance titled "Authentication in an Internet Banking Environment". The 2005 guidance set additional expectations and, in particular, went as far as to state specifically that single-factor authentication is inadequate for high-risk transactions.

In the near future, the FFIEC is expected to release another update to this guidance for 2011.
