Banks' security for online accounts hasn't kept pace with the threat landscape, regulators say, and sources say the FFIEC may soon update its 1995 guidance on securing online banking transactions.
The FFIEC is expected to issue an update that will call on banks to perform at least annual risk assessments and to inform consumers and corporate customers about risks and coverages in case of losses. The guidance, at least in its draft form, also dings simple device identification and simple security questions as no longer adequate forms of authentication against current threats.
The timing of the FFIEC's update to the 1995 "Authentication in an Internet Banking Environment" isn't known, but an early draft of the new guidance obtained by Bank Technology News is dated mid-December, and regulatory watchers have been anticipating its release since January. The draft document emphasizes banks' responsibility to perform risk assessments of their online transaction environments at least annually, when new products are released or when the threat environment changes.
The agencies underscore the importance of layered security, but distinguish between relatively low-risk retail accounts and high-risk corporate accounts. For corporate accounts, the agencies call not only for layered security but also for multifactor authentication, and note that transaction anomaly detection could have prevented much of the wave of ACH fraud that plagues banking. Out-of-band authentication or alerting is also recommended as an acceptable control.
Bank security experts who have seen the document offer mixed reviews. Avivah Litan, vice president at Gartner, who participated in an FFIEC subcommittee meeting regarding the new guidance, particularly likes the portion of the drafted guidance that lays out definite disclosure requirements. "One of the best things in it is that banks have to disclose very transparently to customers their rights if their accounts are raided, what the reimbursement processes are or are not," Litan says. "If banks have to be really clear about the protections, then businesses will take their business elsewhere if they think they're not protected."
But Tom Hinkel, director of compliance at Safe Systems, wishes the agencies would be more prescriptive in their updates.
"There really is no major takeaway from this," says Hinkel. "There's a lot of, 'Do more risk assessments, have more layered security,' but there's no big takeaway that institutions are just going to be able to run with."
Amir Orad, CEO of Actimize, which provides fraud detection technology to many of the industry's big banks, doesn't sugar-coat his assessment of the threat landscape. "The level of sophistication and targetization of some of the attacks I've seen is amazing. Authentication is practically irrelevant to those attacks," says Orad, who doesn't stop there. "More and more and more you'll see authentication outside the PC. The PC is dead as far as authentication."
The FFIEC and FDIC did not return calls for comment on the guidance or its release date.