FFIEC: Two-Factor Authentication Big Focus

Risk Assessments Another Area to Improve Online Banking
Editor's Note: This piece summarizes the key elements of the three major releases by the FFIEC related to online authentication: The original 2005 authentication guidance, 2006 FAQ and the 2010 draft supplement. To read the entire guidance documents, please follow the links in the appropriate sections below.

2005 Authentication in an Electronic Banking Environment

In 2005, the Federal Financial Institutions Examination Council released an update to its 2001 online authentication guidance entitled "Authentication in an Electronic Banking Environment."

The FFIEC's 2005 update became the industry standard for online banking authentication and risk assessments, highlighting regulators' desire for financial institutions to conduct risk-based assessments, evaluate customer awareness programs, and develop security measures that reliably authenticate customers who remotely access Internet-based financial services.

In 2005, the agencies noted that single-factor authentication, as the only control mechanism, could no longer be considered adequate for high-risk transactions - those involving access to customer information or the movement of funds to other parties. Financial institutions offering Internet-based products and services, the agencies recommended, should use effective methods to authenticate the identity of their customers. Account fraud and identity theft, regulators contended, frequently result from single-factor [e.g., ID/password] authentication exploitation. "Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security or other controls reasonably calculated to mitigate those risks," the 2005 update notes.

Consistent with the "FFIEC Information Technology Examination Handbook," Information Security Booklet, which was published in December 2002, regulators also said in the 2005 guidance that financial institutions should periodically ensure their information security programs:

  • Identify and assess the risks associated with Internet-based products and services;
  • Identify risk mitigation actions, including appropriate authentication strength;
  • Measure and evaluate customer awareness efforts;
  • Adjust, as appropriate, their information security programs in light of any relevant changes in technology, the sensitivity of customer information and internal or external threats to information;
  • Implement appropriate risk mitigation strategies.

2006 FAQ

In 2006, the FFIEC published a list of frequently asked questions about the 2005 update.

The list of FAQs aimed to clarify the authentication guidance issued in 2005, addressing the need for:

  • Risk-based assessments;
  • Customer awareness;
  • Enhanced security measures to authenticate customers that process high-risk transactions.

Over the next four to five years, as industry threats continued to evolve, regulators noted that a majority of U.S. financial institutions had taken few steps to adequately detect and stave off new and emerging cyber risks and attacks. Increasing incidents in 2009 and 2010 of ACH and wire fraud, resulting from phishing attacks often perpetrated by Zeus on small to mid-sized commercial bank customers, led regulators to begin evaluating steps to address new and emerging fraud threats.

2010 Interagency Supplement to Authentication in an Internet Banking Environment

In December 2010, a draft of updated online authentication guidance from the FFIEC, entitled "Interagency Supplement to Authentication in an Internet Banking Environment," was accidentally disclosed and widely circulated throughout the industry.

In the draft, regulators clearly note that financial institutions have not done a sufficient job of maintaining authentication standards that resist new online threats posed by malware. Regulators also note that financial institutions have fallen short when it comes to conducting internal risk assessments.

The five key recommendations emphasized in the 2010 FFIEC draft:

  • Better risk assessments to help institutions understand and respond to emerging threats, including man-in-the-middle or man-in-the-browser attacks, as well as keyloggers;
  • Widespread use of multifactor authentication, especially for so-called "high-risk" transactions;
  • Layered security controls to detect and effectively respond to suspicious or anomalous activity;
  • More effective authentication techniques, including improved device identification and protection, as well as stronger challenge questions;
  • Heightened customer education initiatives, particularly for commercial accounts.

This draft is currently under review by the FFIEC member agencies, and no date has been set for its ultimate issuance.


About the Author

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
