In 2001 the FFIEC issued guidance titled “Authentication in an Electronic Banking Environment” which provided banks an overview of risk and expectations for risk management controls in an Online Banking environment. In 2005 the FFIEC issued an update to this guidance titled “Authentication in an Internet Banking Environment”. The 2005 Guidance provided additional expectations, and in particular went as far as to specifically say that single factor authentication is inadequate for high risk transactions.
In the near future, the FFIEC is expected to release another update to this guidance for 2011.
A sense of the content of this new guidance has been made available through draft versions that circulated in late 2010. It seems likely that the new guidance will go much further than the prior guidance in the scope of expectations for institutions providing Internet access to financial information and transactions. SynerComm is creating and sharing this series of blog posts to provide some of the options and industry best practices for each of the elements that we anticipate will be included in the upcoming guidance.
The new guidance will likely once again highlight Risk Assessment as a core component of a Financial Institution's program for securing Online Banking services. In Part 1 of this series of blog posts we outline some of the resources available to conduct an online banking/multifactor risk assessment, including the different factors and risks that an organization should consider including.
A key driver for the updated guidance is the wave of commercial online banking fraud that has occurred over the past few years. The FBI has reported that over $500 million in fraud losses occurred in 2009 as a result of commercial online banking account takeover. An institution's risk assessment and response activities should account for the vulnerabilities and techniques that fraudsters have used to commit these frauds. In Part 2 of this series we will provide an overview of a typical commercial online banking account takeover fraud scenario and discuss the vulnerabilities and exploits used by the fraudsters.
Coverage in the new guidance of authentication techniques and expectations will likely be much greater than in the prior versions. In Part 3 we will cover currently available strong authentication systems, their benefits and weaknesses, and where they may be a good fit. We will also discuss high risk transactions and additional options for augmenting the service's authentication mechanism.
Earlier guidance made references to some security controls in addition to authentication, such as monitoring and reporting, but the new guidance will likely go much further toward advocating layered security controls around online banking products. Layered security involves implementing multiple levels of controls to prevent or detect an attack, so that an attacker who finds and exploits a single vulnerability is not able to penetrate the system. Part 4 of our series of blog postings will drill into many of the layered security controls that could be implemented by banks, or by their retail and commercial customers, to reduce the risk of online banking fraud attacks.
Another new focus expected to be in the new guidance is Fraud Detection. This focus also stems directly from the recent wave of commercial online banking fraud incidents. Fraudsters were able to initiate transactions because authentication systems were lacking, but they were able to complete these transactions and profit because the systems to detect, alert, or block fraud were also lacking. In Part 5 of our series we will outline some of the techniques, services, and vendors available to improve fraud detection for online banking services.
Finally, the new guidance will likely also go into more depth around Consumer Education. The majority of the recent online banking fraud occurred because attackers were able to infect computers used for online banking and commercial online cash management services with Trojans or other malware, generally with the ability to capture passwords, steal documents and cookies, and remotely control the infected machine. The first layer of defense is to educate clients on practices that will keep their systems from becoming infected. Our last blog posting in this series will provide some tips and resources for educating clients to protect themselves from online banking fraud.