"While the guidance does not endorse any particular technology, it specifically addresses the need for risk-based assessment, customer awareness, and financial institutions' implementation of appropriate risk mitigation strategies, including security measures to reliably authenticate customers accessing their financial institutions' Internet-based services.
"The main portion of the guidance provides financial institutions with guidance on general supervisory expectations, which emphasizes that financial institutions should not rely on any one authentication method or security technique in authorizing high risk transactions, but rather institute a system of layered security."
“In addition to stressing the need for updated risk assessments, the Supplemental Guidance specifically sets the expectation that institutions should have a layered security program that at a minimum contains ‘processes designed to detect anomalies and effectively respond to suspicious or anomalous activity’ and also includes ‘enhanced controls for system administrators who are granted privileges to set up or change system configurations’… The first expectation for layered security set forth in the guidance is centered on login to logout anomaly detection for good reason; it is proven to detect account takeover and stop fraud…The agencies state in the guidance that transaction monitoring or anomaly detection and response could have prevented many of the frauds that have happened because the ACH/wire transfers originated by fraudsters were anomalous when compared with the customer’s established patterns of behavior.”
“The 2005 FFIEC Guidance pushed financial institutions to take important steps to protect their customers, but as threats have evolved, some financial institutions have failed to update their control mechanisms accordingly. As a result, many of the security measures in place today are outdated and ineffective. In response to today’s top threats, such as man-in-the-middle and keylogging, which were highlighted in the update, the FFIEC introduces the concept of layered security. The layered approach recommended by the FFIEC extends security controls beyond the initial login to include online banking transactions and administrative functions. The use of out-of-band verification for transactions was recommended as an effective control against these attacks. In addition, the update calls for an overall strengthening of authentication technologies. According to the update, out-of-band authentication has taken on a new level of importance given the preponderance of malware on customer PCs, which can defeat OTP tokens, device identification, challenge questions, and many other forms of strong authentication. In particular, closed-loop methods that complete the authentication in the out-of-band channel are seen as offering a greater level of security…The updated FFIEC Guidance presents a view of the current threat landscape and the security controls that are successful in preventing online banking fraud today. These changes, particularly transaction-level security and out-of-band authentication, set a new standard for banks and financial institutions and will substantially impact the way they approach online banking security going forward.”
“Although no device authentication method can mitigate all threats, the agencies consider complex device identification to be more secure and preferable to simple device identification. Institutions should no longer consider simple device identification, as a primary control, to be an effective risk mitigation technique.”
“The key theme for the entire guidance? Layered security. Basically, layered security uses different types of controls at different points in a transaction process. It’s analogous to having locks on the doors of your house to provide general protection against break-in, but then having a safe inside your house to protect the really valuable assets.
The new supplement “jumps right into the meat” by identifying the types of controls that should be considered in building an effective layered security program in a very concise and simply worded verbiage:
“Fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response;
“The use of dual customer authorization through different access devices;
“The use of out-of-band verification for transactions;
“The use of ‘positive pay,’ debit blocks, and other techniques to appropriately limit the transactional use of the account;
“Enhanced controls over account activities, such as transaction value thresholds, payment recipients, number of transactions allowed per day, and allowable payment windows (e.g., days and times);
“Internet protocol (IP) reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities;
“Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud;
“Enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels; and
“Enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk.
“The good news for banks, credit unions, and all ranges of financial institutions is that there are commercial off-the-shelf software solutions available today.”
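The enhanced account-activity controls and the history-based anomaly detection in the list above, as an added Python example that is not from the page or any of the commentators quoted; the limits, the three-sigma rule, the step-up outcome and the sample history are constructed assumptions:

```python
from collections import namedtuple
from datetime import datetime
from statistics import mean, pstdev

# Fields: amount, payee, when (datetime), device_id
Transaction = namedtuple("Transaction", "amount payee when device_id")
# Fields: history (prior Transactions), daily_value_limit, max_per_day, window (start_hour, end_hour)
AccountProfile = namedtuple("AccountProfile", "history daily_value_limit max_per_day window")

def hard_limit_violations(tx, profile):
    """Account-activity limits named in the guidance; any hit blocks outright."""
    same_day = [h for h in profile.history if h.when.date() == tx.when.date()]
    hits = []
    if sum(h.amount for h in same_day) + tx.amount > profile.daily_value_limit:
        hits.append("daily value threshold exceeded")
    if len(same_day) + 1 > profile.max_per_day:
        hits.append("daily transaction count exceeded")
    if not profile.window[0] <= tx.when.hour < profile.window[1]:
        hits.append("outside allowable payment window")
    return hits

def anomalies(tx, profile):
    """Compare the transaction with the customer's established pattern (assumed 3-sigma rule)."""
    flags, amounts = [], [h.amount for h in profile.history]
    if len(amounts) >= 5 and (tx.amount - mean(amounts)) > 3.0 * (pstdev(amounts) or 1.0):
        flags.append("amount far above established pattern")
    if tx.payee not in {h.payee for h in profile.history}:
        flags.append("first payment to this payee")
    if tx.device_id not in {h.device_id for h in profile.history}:
        flags.append("unrecognised access device")
    return flags

def evaluate(tx, profile):
    """Layered decision: block on hard limits, require out-of-band verification on anomalies, else allow."""
    hits = hard_limit_violations(tx, profile)
    if hits:
        return "block", hits
    flags = anomalies(tx, profile)
    return ("require_out_of_band", flags) if flags else ("allow", [])

# Constructed sample history: six routine payments to one payee from one known device.
HISTORY = [Transaction(1500.0, "acme-payroll", datetime(2011, 7, d, 10), "dev-A")
           for d in range(4, 10)]
PROFILE = AccountProfile(HISTORY, daily_value_limit=20000.0, max_per_day=5, window=(8, 18))

def decide(amount, payee, when_iso, device_id, profile=PROFILE):
    """Convenience wrapper taking an ISO-8601 timestamp string."""
    return evaluate(Transaction(amount, payee, datetime.fromisoformat(when_iso), device_id), profile)
```

Running `decide(9800.0, "new-vendor", "2011-07-11T11:00:00", "dev-Z")` returns the step-up outcome with all three anomaly flags, while a routine 1500.0 payment to acme-payroll from dev-A during business hours is allowed.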
“Today, while cybercriminals, trojans, and botnets have radically evolved, many online bank accounts are still only protected by little more than a cookie and a simple hash of browser and IP attributes.”
“The forest—or the sound principles introduced by the 2005 Guidance—was lost for the trees—or the technical solutions that the appendix to the 2005 Guidance outlined, many of which fell flat on their face when it came to protecting customer bank accounts,” Avivah Litan, vice-president and distinguished analyst, wrote in a report.
“I’m afraid that could happen again this time since the FFIEC has not steered away from outlining technical measures and attack vectors that the banks will build their security to in the next few years. The cycle will likely repeat. The attacks will get more sophisticated, and will use new techniques that are not addressed in the details of the guidance.
“In the regulators’ defense, many of their constituents want them to suggest detailed solutions, so the regulators do have to balance that need with the reality that the threat landscape will continue to morph quickly and the ‘suggested’ solutions will get out of date.
“I think the industry would have been better off with a guidance document that stuck to the principles. Here the FFIEC Guidance did a really good job outlining the need for layered security measures, giving broad examples of layered security controls, specifying detection and response strategies, as well as offering sound advice on administrative controls, and customer awareness and education. It would have been advantageous if they had moved the details on device identification and challenge questions, and the appendix discussion on technical controls, to an entirely separate document that was updated on an (at least) annual basis.
“Still, in the end, it was good to see all five U.S. financial regulatory agencies get on board as they needed to.”