Experian’s Chris Ryan addressed five major questions about compliance with the FFIEC’s recent guidance on banking authentication. What follows are his responses, summarized:
- What does “layered security” actually mean?
“‘Layered security’ refers to the arrangement of fraud tools in a sequential fashion. A layered approach starts with the simplest, most benign and unobtrusive methods of authentication and progresses toward more stringent controls as the activity unfolds and the risk increases.”
- What does “multi-factor” authentication actually mean?
“A simple example of multi-factor authentication is the use of a debit card at an ATM. The plastic debit card is an item that you must physically possess to withdraw cash, but the transaction also requires the PIN to complete the transaction. The card is one factor, the PIN is a second. The two combine to deliver a multi-factor authentication.”
- Who does this guidance affect? And does it affect each type of credit grantor/lender differently?
“The guidance pertains to all financial institutions in the US that fall under the FFIEC’s influence. While the guidance specifically mentions authenticating in an online environment, it’s clear that the overall approach advocated by the FFIEC applies to authentication in any environment.”
- What will the regulation do to help mitigate fraud risk in the near-term and long-term?
“The guidance is an important reinforcement of several critical ideas: Fraud losses undermine faith in our financial system. Fraud tactics evolve constantly and the tools that combat them have to evolve as well. The guidance provides a perspective on why it is important to be able to understand the risk and to respond accordingly.”
- How are organizations responding?
“Experian estimates that less than half of the institutions impacted by this guidance are prepared for the examinations. Many of the fraud tools in the marketplace, particularly those that are used to authenticate individuals, were deployed as point solutions. Few support the need for a feedback loop to identify vulnerabilities, or the ability to employ a risk-based, ‘layered’ approach that the guidance is seeking.”
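The two ideas above, layered (risk-based, step-up) authentication and what does or does not count as a second factor, are easy to get wrong in practice, so here is an added worked example. It is illustrative code written for this page, not Experian's, iovation's or the FFIEC's; the signal names, weights, thresholds and control catalogue are assumptions chosen to show the shape of the approach: a passive risk score is computed from signals the customer never sees, and more intrusive controls are required only as that score rises. It also checks that a set of controls really spans two factor categories, which is the point of the ATM card-plus-PIN example.

```python
"""Layered, risk-based step-up authentication.

Added illustrative example; not Experian's, iovation's or the FFIEC's
code. Signal names, weights, thresholds and control names are assumptions
chosen to show the idea in the text: passive, unobtrusive checks first,
stronger and more intrusive factors only as the assessed risk grows.
"""
from dataclasses import dataclass

# The three classic factor categories. Two controls from the same category
# (password + secret question) are two checks, not two factors; the ATM
# example in the text combines possession (card) with knowledge (PIN).
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

# Control name -> factor category it supplies (assumed control catalogue).
FACTOR_OF = {
    "password": KNOWLEDGE,
    "security_question": KNOWLEDGE,
    "pin": KNOWLEDGE,
    "atm_card": POSSESSION,
    "otp_device": POSSESSION,
    "out_of_band_call": POSSESSION,
    "fingerprint": INHERENCE,
}


def is_multi_factor(controls) -> bool:
    """True only when the controls span at least two distinct categories."""
    categories = {FACTOR_OF[c] for c in controls if c in FACTOR_OF}
    return len(categories) >= 2


@dataclass
class Session:
    """Signals about one online-banking request (constructed, not real data)."""
    user: str
    device_known: bool      # device fingerprint seen before for this user
    ip_country: str
    home_country: str
    failed_logins_24h: int
    transfer_amount: float  # 0.0 for a plain login
    new_payee: bool


def risk_score(s: Session) -> int:
    """Layer 1: passive scoring from signals the customer never sees.

    Weights are assumptions; a real deployment tunes them from the
    feedback loop of confirmed fraud cases.
    """
    score = 0
    if not s.device_known:
        score += 30
    if s.ip_country != s.home_country:
        score += 25
    if s.failed_logins_24h >= 3:
        score += 20
    if s.transfer_amount >= 5000:
        score += 30
    if s.new_payee:
        score += 15
    return score


def required_controls(s: Session) -> list:
    """Layers 2+: add stronger, more intrusive controls as the score rises.

    Thresholds are assumptions. The cheap, invisible check always runs;
    the customer is only interrupted when it fails to clear the request.
    """
    score = risk_score(s)
    controls = ["password"]                  # knowledge factor, always required
    if score >= 30:
        controls.append("otp_device")        # possession factor: now multi-factor
    if score >= 60:
        controls.append("out_of_band_call")  # confirm on a separate channel
    if score >= 90:
        controls.append("manual_review")     # hold for an analyst; not a factor
    return controls


if __name__ == "__main__":
    trusted = Session("alice", True, "US", "US", 0, 0.0, False)
    new_device = Session("alice", False, "US", "US", 0, 0.0, False)
    high_risk = Session("alice", False, "RO", "US", 0, 7500.0, True)
    for s in (trusted, new_device, high_risk):
        c = required_controls(s)
        print(f"score={risk_score(s):3d} controls={c} mfa={is_multi_factor(c)}")
    # ATM example from the text: card (possession) + PIN (knowledge) is MFA;
    # password + security question (both knowledge) is not.
    print(is_multi_factor(["atm_card", "pin"]),
          is_multi_factor(["password", "security_question"]))
```

The design point worth noticing is that the first layer costs the customer nothing: a known device in the home country with no risky transaction clears on the password alone, while an unknown device immediately adds a possession factor, and a large transfer to a new payee from abroad escalates through an out-of-band confirmation to a manual hold. The `is_multi_factor` check is the guard against the common mistake of stacking two knowledge checks and calling the result multi-factor.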
To learn more, watch Experian and iovation’s webinar, titled “Ensuring Optimal Efficacy and Balance with Out-of-Wallet Questions and Device Identification,” dedicated to discussing the recent FFIEC guidance and taking a defense-in-depth approach to fraud prevention.
Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association.
About the Author
ROBERT SICILIANO, CEO of IDTheftSecurity.com, is fiercely committed to informing, educating, and empowering Americans so they can be protected from violence and crime in the physical and virtual worlds. His "tell it like it is" style is sought after by major media outlets, executives in the C-suite of leading corporations, meeting planners, and community leaders to get the straight talk they need to stay safe in a world in which physical and virtual crime is commonplace. Siciliano is accessible, real, professional, and ready to weigh in and comment at a moment's notice on breaking news.