The Federal Financial Institutions Examination Council (FFIEC) recently released a supplement to the guidance it issued in 2005 on authentication in an Internet banking environment. One of the FFIEC's key recommendations for reducing fraud is consumer awareness and education.
At some level you may be aware that financial institutions have a layered security approach in place. Those layers include multifactor authentication, which may mean entering a second, one-time security code or carrying a key fob; due diligence in verifying that customers are real people whose identities haven't been stolen; and consumer education.
Consumers are largely oblivious to the multiple layers of security that financial institutions put in place to protect them and their bank accounts; what most consumers really care about is ease and convenience. A better understanding of what goes on behind the scenes, however, helps consumers adapt to new technologies that affect their lives.
I recently came across a blog post written by a bank manager at one financial institution, "Nerdy Nate," attempting to educate the bank's customers in response to the FFIEC's guidance. Nate's message is useful for all bank customers, and should be a model for other financial institutions.
“Currently, [this institution] employs a combination of a secure browser connection, customer number, password, and our enhanced login security system. We recently added the ability for you to use email, voice and text to receive a one-time passcode needed when we do not recognize your computer. We do realize that having to use a one-time passcode is inconvenient at times. Please be assured that SIS will research other options to make this more convenient. However, at this time, using a one-time passcode is considered the best practice in authenticating you as a user when you log in to SIS Online Banking. This method is also compliant with the FFIEC guidance issued to SIS.
We are also working with our Online Banking provider on other security efforts in response to the FFIEC guidance.
· Enhanced Device Identification – We will enhance the security of the multifactor authentication enrollment cookie, where it is in use, by adding device fingerprinting. This means that if the cookie is present on a system whose device fingerprint differs from what is on record, the cookie will not be honored and an additional authentication step will be required.
· Removal of Challenge Questions – In the near future, we will no longer allow the use of a Challenge Question to authenticate you. Instead you will need to use one of the three passcode methods available: text, voice call and email.
· Web Fraud Detection, Behavior Monitoring – We are evaluating different options to monitor your online access for fraud. Once we have a solution in place, we will notify you on how it might affect you as a user.
· Malware Prevention & Detection – We are evaluating different options to monitor the use of malware to “hack” your online access. Once we have a solution in place, we will notify you on how it might affect you as a user.
We remain committed to providing you with the best and most secure Online Banking experience possible. With the ever-changing landscape of online fraud, this is proving to be more difficult every day. We are confident that with your help and some hard work on our side, we can achieve our goal.”
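The login flow Nate describes, an enrollment cookie that is only honored when the device fingerprint matches the one on record and a fall-back to a one-time passcode otherwise, can be implemented along these lines. This is an added example, not SIS's or its online banking provider's code: the attribute set hashed into the fingerprint, the cookie layout, the HMAC binding of cookie to fingerprint and the 90-day enrollment lifetime are all assumptions.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side secret; in production it would live in an HSM or
# secret store, never in application code.
SERVER_KEY = secrets.token_bytes(32)
COOKIE_MAX_AGE = 90 * 24 * 3600  # assumed 90-day enrollment lifetime, in seconds


def device_fingerprint(attrs):
    """Hash a canonical form of the attributes collected at login.

    The attribute set is assumed for illustration; a real scheme picks
    attributes that are stable across sessions but differ between machines.
    """
    canonical = "\n".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()


def issue_enrollment_cookie(customer_number, fingerprint, issued_at, key=SERVER_KEY):
    """Bind customer, fingerprint and issue time together under a server-side MAC,
    so the fingerprint cannot be edited to match a new device."""
    payload = f"{customer_number}|{fingerprint}|{issued_at}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def cookie_is_honored(cookie, customer_number, fingerprint, now,
                      key=SERVER_KEY, max_age=COOKIE_MAX_AGE):
    """Return True only if the cookie is authentic, for this customer,
    from this device and not expired."""
    try:
        cust, fp, issued_at, tag = cookie.split("|")
        issued_at = int(issued_at)
    except ValueError:
        return False                          # malformed cookie
    payload = f"{cust}|{fp}|{issued_at}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False                          # forged or tampered cookie
    if cust != customer_number:
        return False                          # belongs to a different customer
    if fp != fingerprint:
        return False                          # cookie copied to a different device
    if now - issued_at > max_age:
        return False                          # stale enrollment, re-enroll via OTP
    return True


def login_decision(credentials_ok, cookie, customer_number, device_attrs, now):
    """Layered decision: password first, then device recognition, else OTP."""
    if not credentials_ok:
        return "deny"
    fp = device_fingerprint(device_attrs)
    if cookie is not None and cookie_is_honored(cookie, customer_number, fp, now):
        return "allow"
    return "require_otp"
```

The point of the MAC is that a fraudster who copies the cookie file to another PC cannot simply rewrite the fingerprint field to match the new machine; the server recomputes the fingerprint from what the browser presents and compares it with the value sealed in the cookie. The cost is that any change in the hashed attributes (a browser upgrade that alters the user agent, for example) also triggers the passcode step, which is the inconvenience Nate's post warns customers about.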
Great stuff. Nowadays, education on the "threatscape" is essential, and so is enhanced device identification. The FFIEC's supplement calls for complex device identification, which is more sophisticated than the simple cookie- or IP-address-based techniques it replaces. Rather than adopting complex device identification now and adding more later, take one step instead of two and incorporate device reputation management.
This strategy not only uses advanced methods to identify the devices connecting to your bank, but also incorporates geolocation, velocity checks, anomaly detection, proxy detection, webs of associations between devices and accounts, fraud histories, commercially shared evidence of fraud or abuse, and much more to protect your financial institution against cyber fraud.
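To show what velocity checks, geolocation anomalies and webs of associations add on top of merely identifying a device, here is an added example (not any vendor's product or algorithm) that scores devices over a small set of constructed login events. The event data, the fraud list, the thresholds (more than three accounts per device in 24 hours, two countries within two hours) and the one-hop association rule are all illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events, not real data:
# (timestamp, device id, account, country seen from the IP address)
EVENTS = [
    ("2024-01-10T09:00:00", "dev-A", "acct-1", "US"),
    ("2024-01-10T09:30:00", "dev-A", "acct-2", "US"),
    ("2024-01-10T10:00:00", "dev-A", "acct-3", "US"),
    ("2024-01-10T10:15:00", "dev-A", "acct-4", "US"),
    ("2024-01-10T11:00:00", "dev-B", "acct-4", "US"),
    ("2024-01-10T11:20:00", "dev-C", "acct-5", "US"),
    ("2024-01-10T11:40:00", "dev-D", "acct-5", "RU"),
    ("2024-01-11T08:00:00", "dev-E", "acct-6", "US"),
]
# Assumed "fraud history": devices previously confirmed in fraud cases.
KNOWN_FRAUD_DEVICES = {"dev-B"}


def _parse(events):
    return [(datetime.fromisoformat(ts), dev, acct, cc) for ts, dev, acct, cc in events]


def velocity_flags(events, window=timedelta(hours=24), max_accounts=3):
    """Velocity: devices that touch more than max_accounts distinct accounts
    inside any window. Returns {device: highest count seen}."""
    by_dev = defaultdict(list)
    for ts, dev, acct, _ in _parse(events):
        by_dev[dev].append((ts, acct))
    flagged = {}
    for dev, rows in by_dev.items():
        rows.sort()
        worst = 0
        for i, (start, _) in enumerate(rows):
            accts = {a for ts, a in rows[i:] if ts - start <= window}
            worst = max(worst, len(accts))
        if worst > max_accounts:
            flagged[dev] = worst
    return flagged


def linked_to_fraud(events, known_fraud):
    """Web of associations: devices that share an account with a known-fraud
    device (one hop in the device-account graph)."""
    devs_by_acct = defaultdict(set)
    for _, dev, acct, _ in _parse(events):
        devs_by_acct[acct].add(dev)
    linked = set()
    for devs in devs_by_acct.values():
        if devs & known_fraud:
            linked |= devs - known_fraud
    return linked


def geo_anomalies(events, max_gap=timedelta(hours=2)):
    """Geolocation: accounts seen from two different countries within max_gap.
    Returns {account: devices involved}."""
    by_acct = defaultdict(list)
    for ts, dev, acct, cc in _parse(events):
        by_acct[acct].append((ts, dev, cc))
    out = {}
    for acct, rows in by_acct.items():
        rows.sort()
        for (t1, d1, c1), (t2, d2, c2) in zip(rows, rows[1:]):
            if c1 != c2 and t2 - t1 <= max_gap:
                out.setdefault(acct, set()).update({d1, d2})
    return out


def device_reputation(events, known_fraud):
    """Combine the signals into a per-device list of reasons; clean devices
    are simply absent from the result."""
    reasons = defaultdict(set)
    for dev in known_fraud:
        reasons[dev].add("known_fraud")
    for dev in velocity_flags(events):
        reasons[dev].add("velocity")
    for dev in linked_to_fraud(events, known_fraud):
        reasons[dev].add("linked_to_fraud")
    for devs in geo_anomalies(events).values():
        for dev in devs:
            reasons[dev].add("geo_anomaly")
    return {dev: sorted(r) for dev, r in reasons.items()}
```

Run over the sample events, dev-A is flagged twice (four accounts in an hour and a shared account with the known-fraud device dev-B), dev-C and dev-D are flagged because acct-5 appears from two countries twenty minutes apart, and dev-E, with one account from one country, is not flagged at all. None of these signals requires the device's cookie to be intact, which is what makes them useful against a fraudster who has copied or defeated the enrollment cookie.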
ROBERT SICILIANO, CEO of IDTheftSecurity.com is fiercely committed to informing, educating, and empowering Americans so they can be protected from violence and crime in the physical and virtual worlds. His "tell it like it is" style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders to get the straight talk they need to stay safe in a world in which physical and virtual crime is commonplace. Siciliano is accessible, real, professional, and ready to weigh in and comment at a moment's notice on breaking news.